RSA Conference Asia-Pacific kicks off this week in Singapore. Last month, RSA Security's Zulfikar Ramzan and Jim Reavis, the CEO of the Cloud Security Alliance, dug into the big questions surrounding cloud security during a TweetChat. Some of the topics discussed during the chat will also be part of the conversation at RSA Conference in Singapore.
There will be a number of sessions at RSA Conference APJ devoted to cloud and data security. Reavis will be talking about security lessons learned from implementing enterprise architectures in the cloud on Thursday, July 23.
The cloud security conversation has changed. When cloud-based services for storage, applications, and infrastructure first became popular, the big question was whether it was safe to keep data on hardware you didn't control, and most of the concerns centered on sensitive data leaving the corporate perimeter. Nowadays, the advantages of the cloud are clear enough that the question is no longer whether you should use cloud services, but how you make sure the data is safe, regardless of where it resides.
The issue is even more relevant now, as reports of data breaches dominate the security headlines. It's hard to trust that data is safe in the cloud when it seems like every day there is yet another breach to worry about. But most organizations are much more secure in the cloud than otherwise, because cloud services tend to offer better management tools and economies of scale apply, said Ramzan. And as the Cloud Security Alliance noted, most of the recent data breaches were compromises of legacy IT systems, not of cloud services.
“Need to get over the idea that cloud is somehow inherently insecure. It may actually be more secure for your needs,” Ramzan said.
Even though it's cheaper and more efficient for a cloud provider to secure the infrastructure for all of its customers than for each company to handle security on its own, there are still things cloud providers need to improve. They need to give customers visibility and control for data governance, and help them understand compliance risk, Ramzan said.
Peter Jones, a partner at DLA Piper, will be discussing how organizations should navigate existing security and privacy regulations in the Asian-Pacific market at RSA Conference APJ in Singapore on July 24.
Providers also need to be transparent about what security measures they’ve taken and to communicate with customers on what they are responsible for. Three elements are imperative for building trust in cloud security: understanding customer needs, transparency, and accountability.
Customers need to be vigilant about where they put their data and ask questions of their providers. “There is a huge variance in security among providers,” Ramzan said. “Cloud security, like anything else, involves aligning people, process, and technology.”
The fundamentals of cloud security remain the same as in legacy IT: organizations need to focus on incident prevention and detection, containment of a breach once it is discovered, incident response, and recovery. The difference lies in understanding the form threats take in cloud environments, even though the underlying concepts are the same. For example, a network intrusion on an on-premises network would typically involve technical exploits, such as a privilege escalation flaw. In a cloud environment, that intrusion would almost always involve stolen user credentials, Ramzan noted.
The Cloud Security Alliance holds a CSA Summit at RSA Conference, and this year's summit in Singapore will focus on lessons learned from securing clouds in the Asian market. David Siah, the chairman of the CSA's Singapore chapter, will be speaking at the summit, along with Aloysius Cheang, the managing director of CSA's APAC region, and Jim Reavis. Other summit speakers include Hing Yan Lee, director at IDA; Richard Sheng, senior director of Trend Micro's alliance and strategic channels in Asia Pacific; Kaebin Tan, security solutions manager at Quantiq International Services; Andreas Gehrmann, a senior expert at TUV Rheinland; and Edwin Seo, a solutions architect at F5 Networks.
Organizations need flexible frameworks, virtual architectures, and high-level control objectives to be successful in the cloud. It's very important to make sure traffic from traditional devices does not cross into the networks of the virtualized ones. Organizations should also focus on implementing comprehensive identity management programs. "Your IoT thermostat should never be able to browse the whole cloud," CSA's Reavis said.
Another good step is to audit current cloud usage within the organization and identify three secure alternatives for each insecure service. The audit gives a clear picture of what is actually happening and being used, as opposed to what IT thinks is happening. Useful links shared during the chat include the CSA Cloud Controls Matrix and the CSA STAR registry, a directory of cloud providers that comply with CSA standards.
“Know your business, what your critical assets are and your risk appetite,” the speakers concluded.