Last week, I attended the New York State Cyber Security Conference in Albany, NY. Themed “Helping Navigate Stormy Seas,” the event offered great, practical advice on a wide range of interesting security topics. Three of my personal favorites were Gerry Grealish's talk on how to secure the cloud without compromise, Kurt Hagerman’s discussion of changes in PCI compliance and the implications in the cloud, and John Petrequin’s presentation on the seven traits possessed by companies that have survived APT attacks and thrived. All three presenters provided truly thought-provoking content.
In my presentation, “Cloud Security: Focusing on Automation and Thwarting APTs,” I outlined the big industry threat trends that we (and others like Mandiant, Verizon, Ponemon and Symantec) are seeing in the industry, and discussed best practices organizations can apply to reduce their business risk. When we hit the Q&A portion of my session, most of the questions centered on emerging threat trends, practical advice on how to reduce both business risk and costs by embracing automation, and what constitutes best practices in cloud security these days.
Concern about privileged users in the cloud, including admins at cloud service providers, is definitely top of mind. One of the very first questions I got was, “What if an admin from a cloud provider steals a large amount of multi-tenant information from storage?” My response was that best practices for securing sensitive information in the cloud (or anywhere, really) include encryption, because encrypted data is useless to a thief who does not also hold the keys. Then came the natural follow-up question, “But how do you protect against that admin obtaining the keys to unlock the encrypted data?” The answer to that, in a word (well, two words), is key management. In addition to taking a data-centric security posture, best practices call for keeping the keys out of the storage environment altogether: generate and hold them in a hardened, FIPS 140 validated key manager or HSM under your own control, so that a storage admin who copies the ciphertext has nothing that can open it, and so that every use of a key is access-controlled and logged. Rekey at least annually, and immediately whenever a breach is suspected; if records are encrypted under per-record data keys that are themselves wrapped by a master key, rotation means rewrapping those data keys rather than re-encrypting every byte in storage. Keep older keys only as long as data encrypted under them must remain readable, and then only in an even more tightly controlled location (offline, physical access only). Once that data is retired, delete the keys: with no copy of the key anywhere, the ciphertext is unrecoverable and the data is truly destroyed. The check to run before any such deletion is the obvious one: make sure nothing you still need is encrypted only under the key you are about to destroy.
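To make the key-management advice above concrete, here is an added example (written for this edit, not code from the original post or from any product it mentions) of envelope encryption in Go. It goes a step beyond what the post spells out: each record is encrypted under its own data encryption key (DEK), the DEK is wrapped under a key encryption key (KEK), and only the wrapped DEK and the ciphertext ever reach storage. The `KeyStore` type is a stand-in for a hardened key manager or HSM, implemented as an in-memory map purely so the example runs offline; `KeyStore`, `Envelope`, `Encrypt`, `Decrypt`, `Rekey`, `Destroy` and the sample record are this example's own names and data. `Rekey` shows that annual rotation only has to rewrap the DEK, and `Destroy` shows crypto-shredding: once the last KEK is gone, `Decrypt` fails and the stored bytes are just noise.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

var errNoKEK = errors.New("kek not available") // KEK destroyed or never provisioned

// mustRandom draws n bytes from the OS CSPRNG; a failure there is fatal.
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// KeyStore stands in for a hardened key manager (HSM/KMS) holding the KEKs. Assumption: an in-memory map, for illustration only.
type KeyStore map[string][]byte

// Generate creates a fresh 256-bit KEK; Destroy deletes one (crypto-shredding:
// every DEK wrapped under it, and every record under those DEKs, is gone for good).
func (ks KeyStore) Generate(id string) { ks[id] = mustRandom(32) }
func (ks KeyStore) Destroy(id string)  { delete(ks, id) }

// Envelope is all that reaches (possibly multi-tenant) storage; nothing in it is usable without the KeyStore.
type Envelope struct {
	KEKID      string
	WrappedDEK []byte // per-record data encryption key (DEK), AES-GCM under the KEK
	Ciphertext []byte // the record itself, AES-GCM under the DEK
}

func aeadFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys here are always 32 bytes, so this is a bug
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// seal encrypts with AES-256-GCM and prepends the random nonce.
func seal(key, plaintext []byte) []byte {
	g := aeadFor(key)
	nonce := mustRandom(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails on a wrong key, a truncated blob, or any tampering.
func open(key, blob []byte) ([]byte, error) {
	g := aeadFor(key)
	if ns := g.NonceSize(); len(blob) >= ns {
		return g.Open(nil, blob[:ns], blob[ns:], nil)
	}
	return nil, errors.New("ciphertext too short")
}

// Encrypt makes a per-record DEK, encrypts the record under it, and wraps the DEK under the named KEK.
func Encrypt(ks KeyStore, kekID string, plaintext []byte) (*Envelope, error) {
	kek, ok := ks[kekID]
	if !ok {
		return nil, errNoKEK
	}
	dek := mustRandom(32)
	return &Envelope{KEKID: kekID, WrappedDEK: seal(kek, dek), Ciphertext: seal(dek, plaintext)}, nil
}

func unwrap(ks KeyStore, env *Envelope) ([]byte, error) {
	kek, ok := ks[env.KEKID]
	if !ok {
		return nil, errNoKEK
	}
	return open(kek, env.WrappedDEK)
}

// Decrypt unwraps the DEK through the KeyStore, then decrypts the record with it.
func Decrypt(ks KeyStore, env *Envelope) ([]byte, error) {
	dek, err := unwrap(ks, env)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext)
}

// Rekey moves an envelope to a new KEK by rewrapping only the DEK; the bulk ciphertext is untouched.
func Rekey(ks KeyStore, env *Envelope, newKEKID string) error {
	newKEK, ok := ks[newKEKID]
	if !ok {
		return errNoKEK
	}
	dek, err := unwrap(ks, env)
	if err != nil {
		return err
	}
	env.KEKID, env.WrappedDEK = newKEKID, seal(newKEK, dek)
	return nil
}
```

The intended lifecycle is: `Generate` a KEK, `Encrypt` records under it, `Generate` the next year's KEK, `Rekey` every envelope still in use, then `Destroy` the old KEK; `Decrypt` keeps working throughout because the ciphertext never changed. Calling `Destroy` on the last KEK a record was rewrapped under is the crypto-shred: `Decrypt` then returns the "kek not available" error and nothing in storage can reverse that. Note that `Destroy` deliberately performs no "is anything still wrapped under this key?" check, just as a real HSM would not know; that inventory is the caller's responsibility before deletion.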
For those who weren’t able to attend the NYS Cyber Security Conference, let me summarize the key takeaways of my session. To fully realize the cost savings and business agility the cloud promises, your cloud security strategy must: 1) be data-centric (i.e., put the controls as close to your sensitive data as possible, so that they travel with the data rather than depending on any one provider's perimeter); 2) keep even privileged users such as root from seeing your sensitive data, through fine-grained access controls and root-level separation of duties, so that an administrator can run the system without being able to read what it stores; and 3) leverage automation to save money, adapt policy to real-time events in your environment, and, most importantly, reduce your overall business risk.
If your organization is embracing the cloud, I’d love to know exactly what data security steps you are taking to protect what matters.