Despite the accelerated pace of cloud computing adoption, concerns about security show few signs of going away. In fact, security concerns actually grew among cybersecurity professionals in 2018—reversing a multi-year downward trend. According to the 2018 Cloud Security Report, nine out of 10 cybersecurity professionals now say they are concerned about cloud security, an increase of 11% from the prior year’s survey.
If cybersecurity professionals are increasingly concerned, what does that mean for board members and other business leaders? It means it’s time to get smart about cloud cybersecurity so you know what questions to ask the pros and what issues to stay on top of. In today’s environment, what you don’t know can hurt you. Not only that, you can also get burned when you think you know something that is not necessarily accurate.
We spent time chatting with Tim Prendergast, Chief Cloud Officer, and Sean Duca, Vice President & Chief Security Officer for Asia Pacific at Palo Alto Networks. Together they helped us identify—and expose—10 of the biggest myths about cloud computing and security. So, without further ado:
Myth No. 1: Cloud is Less Expensive
Many business leaders are sold on the promise that cloud is less expensive than on-premises infrastructure. Theoretically, this may be true. Yet, when it comes down to reality, they typically find that their organizations actually wind up spending more. “It’s not cheaper because they are not taking advantage of the cloud’s elasticity, because they don’t have the proper governance in place, and are not taking the time to work on it and make it cheaper,” Prendergast says.
Duca says organizations must develop an understanding of what the cloud can offer, and what it can’t. “Most organizations are not getting the efficiencies they need,” he says. “They are experiencing cloud sprawl and are starting to pull back.” It takes knowledge, experience and commitment, Prendergast and Duca say, to explode the myth that cloud is less expensive and, instead, turn it into a reality.
Myth No. 2: Public Cloud is Not Secure
The business model of the public cloud providers is wholly dependent on security. They have invested many millions of dollars in it: the most up-to-date technologies, the most sophisticated security operations centers, shared threat intelligence, regional data centers—the works. “Nowadays a public cloud provider has world-leading security in every major geopolitical zone,” Prendergast says.
The problem for many organizations is they don’t understand the cloud’s shared-responsibility model. “Business and security leaders are afraid of losing control,” Duca says. “They can’t see it or touch it, so they think they don’t have control. If they don’t understand the shared-responsibility model, they don’t understand what type of security is available to them.”
Myth No. 3: Public Cloud Secures Everything
This is the flip side of the shared-responsibility model. “Well,” the myth goes, “if I trust the cloud to be secure, once I set up my cloud, I’m done.” The catch, of course, is that the public cloud provider is only responsible for securing their infrastructure – you are responsible for securing your data and applications stored in that infrastructure.
“They will secure what they provide,” says Duca, “but what you put in there is your responsibility. Cybercriminals are still targeting your applications and stolen credentials. You need the ability to identify those threats and control who is accessing information.”
Prendergast likens cloud security to home security. “You have a house with doors, windows, perhaps an alarm. You have the tools, but you still have to lock the doors, close the windows, set the alarm. You have to practice good cybersecurity hygiene. The cloud is no more secure than you make it.”
Myth No. 4: We Can’t Move to the Cloud for Security, Compliance, Data Sovereignty or Other Reasons
Any cybersecurity or business leader who says his or her organization can’t use public cloud because of security or data privacy risks is probably already deeply immersed in public cloud with some of their most important data and applications, Prendergast says.
“Every time we talk to a company and they say their data is too important to put in the cloud, we ask them what they are using for HR or customer relationship management,” he says. “Invariably the answer is either Workday or Salesforce.com or both. We ask if they are using Office 365 or other software-as-a-service applications. They say, ‘Yes.’ We explain that their most critical customer and personnel data is already in the public cloud.”
Myth No. 5: Once We’re Set Up in the Cloud, We’re Done
Wouldn’t it be nice, says Prendergast, to live in a world of no new vulnerabilities? “If nothing ever changes, no one new ever logs in again, yes, you’re done. In the real world, the cloud requires ongoing care and feeding just like every other IT environment.”
Duca says business and IT leaders need a “cloud security mindset.” Cloud usage does not remain static. “You need to evolve. Cloud providers are making changes, and you will be making changes to your own software, who will be accessing data, etc. The threat environment changes too. One of the most common vulnerabilities is that people get complacent. What you may think is secure today, could change the very next day.”
Myth No. 6: Compliance is More Complex in the Cloud
Actually, one of the reasons to use public cloud is because meeting compliance and data sovereignty requirements can be a lot less complex. “Cloud providers have more tools and capabilities to check and measure what is going on,” Duca says. “With data sovereignty, they let you keep data in a particular region. It is typically easier to ensure this in the cloud than with internal networks, where data and applications can be all over the place.”
Prendergast says public cloud providers have done a really good job of meeting frameworks for underlying compliance requirements. “You can inherit a lot of those controls,” he says. “Cloud is programmatic, so if you take proper advantage of what is available, you can use scripts and software to manage compliance all year long. It’s important to understand you have to work on it continually, so that compliance is continuous.”
Myth No. 7: Cloud Security is Managed the Same as On-Premises Security
“With public cloud, you don’t have a lot of the physical infrastructure you would normally have – setting up racks of servers, running cables, power, etc.,” says Prendergast. “It’s like walking into a data center where one day you had 500 servers and the next day you have 10. It looks like you were robbed. That’s just a normal day in the cloud. If the data center is hit by a distributed denial of service (DDoS) attack, it’s hard to add 100 physical servers. In the cloud, you just click a button and scale up to 1,000 servers and make the DDoS inert and just pay for the day. You can scale up in just two minutes.”
Myth No. 8: Everything is Exposed on the Internet
Once again, we return to the reality of a shared security model, not the myth that your data and applications will automatically be exposed on the internet. “What you expose is up to you,” Duca says. “It’s your own perimeter. You can leverage the cloud to just host your apps and not put data there.”
Prendergast says this myth may come from the word “public” in public cloud. “Public means anyone can use it, not that your data is public,” he says. “The only thing exposed is what you want to have exposed. You have options to use virtual private networks, virtual private clouds, servers with no internet access. You are in full control, it’s all a matter of how you set up and manage that control.”
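As an added example (not from the article, and not Palo Alto Networks’ code), here is the kind of programmatic check that Myth No. 6 (“you can use scripts and software to manage compliance all year long”) and Myth No. 8 (“the only thing exposed is what you want to have exposed”) both point at: a policy-as-code audit over a cloud inventory that flags sensitive ports open to the whole internet, storage buckets marked public, and resources outside an allowed set of regions, then shows a hardened copy of the inventory passing the same exposure check. The inventory, its field names, the allowed regions and the admin CIDR are all constructed assumptions; in practice the inventory would be pulled from the provider’s API and the same checks run on a schedule.

```python
"""Policy-as-code audit over a constructed cloud inventory.

Added illustration only: the inventory below is a hand-written stand-in for
what a provider API (security-group and bucket listings) would return, and
every field name, region and CIDR in it is an assumption for the example.
"""
import copy
import ipaddress

# Assumed data-sovereignty policy: resources must live in one of these regions.
ALLOWED_REGIONS = {"ap-southeast-2", "ap-southeast-1"}

# Ports that should never be reachable from 0.0.0.0/0 (SSH, RDP, MySQL,
# PostgreSQL, Redis). Public web ports such as 443 are intentionally absent.
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379}

# Constructed sample inventory (hypothetical resource names and rules).
INVENTORY = {
    "security_groups": [
        {"id": "sg-web", "region": "ap-southeast-2",
         "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db", "region": "ap-southeast-2",
         "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"},
                     {"port": 22, "cidr": "0.0.0.0/0"}]},
    ],
    "buckets": [
        {"name": "customer-exports", "region": "us-east-1", "public": False},
        {"name": "static-site", "region": "ap-southeast-2", "public": True},
    ],
}


def is_world_reachable(cidr):
    """True for a source range that covers the whole internet (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_exposure(inventory):
    """Flag sensitive ports open to the world and buckets that allow public access.

    Returns a list of (check, resource, detail) tuples; security groups first,
    then buckets, in inventory order.
    """
    findings = []
    for sg in inventory["security_groups"]:
        for rule in sg["ingress"]:
            if rule["port"] in SENSITIVE_PORTS and is_world_reachable(rule["cidr"]):
                findings.append(("exposed_port", sg["id"],
                                 f"port {rule['port']} open to {rule['cidr']}"))
    for bucket in inventory["buckets"]:
        if bucket["public"]:
            findings.append(("public_bucket", bucket["name"],
                             "bucket allows public access"))
    return findings


def check_residency(inventory, allowed=ALLOWED_REGIONS):
    """Flag any resource whose region is outside the allowed set."""
    findings = []
    for kind, key in (("security_groups", "id"), ("buckets", "name")):
        for resource in inventory[kind]:
            if resource["region"] not in allowed:
                findings.append(("out_of_region", resource[key], resource["region"]))
    return findings


def harden(inventory, admin_cidr):
    """Return a copy in which world-open sensitive ports are restricted to admin_cidr.

    The original inventory is left untouched so the before/after can be compared.
    Buckets are not changed here: whether a bucket should be public is a
    business decision, so it is reported rather than silently flipped.
    """
    fixed = copy.deepcopy(inventory)
    for sg in fixed["security_groups"]:
        for rule in sg["ingress"]:
            if rule["port"] in SENSITIVE_PORTS and is_world_reachable(rule["cidr"]):
                rule["cidr"] = admin_cidr
    return fixed


def audit(inventory):
    """Run every check and return all findings in one list."""
    return check_exposure(inventory) + check_residency(inventory)


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print("BEFORE:", finding)
    for finding in audit(harden(INVENTORY, "203.0.113.0/24")):  # assumed admin range
        print("AFTER: ", finding)
```

Run as-is, the script reports the SSH rule on `sg-db`, the public `static-site` bucket and the `customer-exports` bucket sitting in a disallowed region; after `harden` only the two findings that need a human decision remain. The point of structuring it this way is that the same functions can run against a fresh inventory every day, which is what “compliance is continuous” means in practice.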
Myth No. 9: You Can’t Innovate Quickly Because Security Will Always Lag
This is a myth that may have been perpetuated by a dynamic in which DevOps teams turned to public cloud because they couldn’t afford to wait for legacy purchasing and deployment processes. This accelerated time to market, but it also may have introduced security gaps. It doesn’t have to be this way anymore.
“We’ve seen with DevSecOps that security should be part of teams, embedded in development approaches, whether in cloud or on-premises,” Prendergast says. “The key is to treat security as a feature. The myth is that you can’t do rapid development and security in the cloud. The reality is that cloud is actually an enabling technology for DevSecOps.”
Duca says cloud easily supports DevOps advances such as containerization and microservices. “You can decouple the development of code, push changes out, manage change processes through agile development. All of this can accelerate innovation, time-to-value and quality control.”
Myth No. 10: You Need A New Team for Cloud Security
The survey from Cybersecurity Insiders asked respondents to identify their main barriers in migrating to cloud-based security solutions. By far their main barrier was “staff expertise and training,” cited by 56% of respondents. Next were data privacy at 41% and lack of integration with on-premises security at 37%.
The myth is that the same people who have built and managed your on-premises data centers can’t adjust to the cloud era. This doesn’t give them enough credit, Prendergast says. “What we’ve always seen is that many IT people are excited and challenged by technology advancements,” he says. “Cloud is the new thing and many of your best people will make the transition naturally. You don’t have to replace them; you have to encourage and support them.”
The good news is that many organizations are already heeding that advice. Decision-makers were asked by Cybersecurity Insiders: “When moving to the cloud, how do you handle your changing security needs?” Nearly 60% responded: “Train and/or certify current IT staff.” Again, it was the Number One response to the question.
When it comes to the cloud, the opportunities for business benefits are too powerful to ignore—agility, cost savings, time-to-value and digital transformation, to name a few. The security issues are also too powerful to ignore, which is why your teams must be focused on the real issues, and not the myths. When it comes to cloud security, it’s time to get real.