Yo, about that security! We're good, right?
In case you haven't heard of Yo, it's the latest breakout mobile app to go viral. Despite its single-feature capability, or perhaps because of it, the app struck a chord and rocketed to the top of Apple's App Store. Even Yo's own developers describe the app as "a fine line between stupid and genius".
While Yo was basking in the unexpected spotlight at the top of the apps chart, the next thing that happened was also unexpected. Yo got hacked. Three college students exploited a way into the app, snagged 300,000 Yo users and engaged in message spoofing. Yet Yo is hardly the first app, nor will it be the last, to get hacked.
In the torrid race to get to market before others, mobile app developers and cloud-based startups alike are often faced with a myriad of things they must do to get their idea from napkin to an actual product (or app). Their focus is largely on user acquisition -- not security. As more companies migrate some or all of their data to the cloud, they too are often guilty of this oversight.
Why does security often get short shrift? Because knowing how to implement robust security at the outset is a non-trivial endeavor. Most developers, programmers, IT staff, and startup entrepreneurs simply are not security experts. It's typically only after a really bad thing happens (i.e., a hack attack) that companies fully address security vulnerabilities.
Without question, mobile and cloud technologies have significantly shortened time to market. One common misconception among businesses rushing to leverage the cloud, however, is that because they're using an industry-leading public cloud provider, the security around their data is surely bulletproof, right? Well -- partially right.
Public cloud providers are well aware of existing data security threats, and can protect business customers against some of them, but they also make it abundantly clear that security is "a shared responsibility". They state that it's the responsibility of both the cloud provider and business customer, with a clearly defined demarcation, to ensure that your cloud deployment is properly secured. While some cloud infrastructure providers have tightened up security, hackers still have open opportunities.
If a business hasn't established proper security infrastructure safeguards, their cloud deployment is susceptible to any number of threats. Security provisions offered by cloud providers are rarely enough to protect your organization. On average over 1,000 attacks happen daily on a server in a public cloud data center.
While public cloud vendors help reduce a company's CAPEX, cloud computing also presents a number of challenges. A company's cloud resources are located in shared public data centers and are accessed remotely over unsecured networks. So, if you can access these servers, then so can anyone else. Unfortunately, having data compromised seems to be the lone trigger to address security vulnerabilities.
While mitigating these risks requires some traditional security thinking (controlling access on identity level, segregating resources, strongly encrypting traffic, and so on), the approach must be adapted to today's new cloud pace and rhythm. In traditional enterprises, the network and resources were considered to be somewhat static. In the cloud environment, networks and resources can be created and removed in minutes -- and in significant volumes. This requires an approach in which a policy can be created and quickly adapted with each change.
Still, based on traditional security best practices, enterprises should:
- build secure perimeters around cloud deployments,
- guard all outgoing traffic (or service incoming traffic) via a firewall,
- and centralize strict identity-based VPN gates.
Lastly, these components should be integrated with an enterprise's own identity and security infrastructure.
But these security components must also behave differently: because new networks and resources are added constantly, security policies must be able to adapt quickly and automatically to them. The security components must be both cloud environment-aware and enterprise environment-integrated, so they can discover new resources and networks using cloud providers' interfaces but still integrate with a company's own infrastructure.
Imagine a SaaS provider that creates an AWS VPC (virtual private cloud) per customer. Security policies must address:
- who can access the service and from where,
- who can administrate the resources,
- which network interfaces are allowed for administration,
- and, how resources are allowed to interface, etc.
On average, a SaaS-based company obtains a new customer every hour. While a policy is similar for all customers, it has to be deployed, activated and tested before a customer starts using the service. It's highly unlikely that a manual security process can be used in this scenario. Only an orchestrated, integrated and automated process can support the business case without compromising the business needs.
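The per-customer scenario above, sketched as an added example that is not part of the original article: one shared policy template is rendered for each new customer and tested before it is marked active. The rule format, the function names and the sample customer are hypothetical, and the model stays in memory rather than calling any cloud provider API.

```python
import ipaddress

# Constructed template: one policy shape shared by every customer VPC (hypothetical format).
TEMPLATE = {
    "service_ports": [443],            # who can access the service, and from where
    "admin_ports": [22],               # which interfaces are allowed for administration
    "flows": [("web", "app", 8080), ("app", "db", 5432)],  # how resources may interface
}

def render_policy(customer):
    """Expand the shared template into concrete rules for one customer."""
    rules = []
    for port in TEMPLATE["service_ports"]:
        for cidr in customer["client_cidrs"]:
            rules.append({"kind": "service", "port": port, "source": cidr})
    for port in TEMPLATE["admin_ports"]:
        rules.append({"kind": "admin", "port": port, "source": customer["vpn_cidr"]})
    for src, dst, port in TEMPLATE["flows"]:
        rules.append({"kind": "flow", "port": port, "source": src, "dest": dst})
    return {"customer": customer["name"], "admins": list(customer["admins"]),
            "vpn_cidr": customer["vpn_cidr"], "rules": rules}

def validate_policy(policy):
    """Pre-activation test: return a list of violations (empty means deployable)."""
    problems = []
    if not policy["admins"]:
        problems.append("no administrator identities defined")
    vpn = ipaddress.ip_network(policy["vpn_cidr"])
    allowed_flows = set(TEMPLATE["flows"])
    for r in policy["rules"]:
        if r["kind"] == "flow":
            if (r["source"], r["dest"], r["port"]) not in allowed_flows:
                problems.append(f"unexpected flow {r['source']}->{r['dest']}:{r['port']}")
            continue
        src = ipaddress.ip_network(r["source"])
        if r["kind"] == "admin" and not src.subnet_of(vpn):
            problems.append(f"admin port {r['port']} reachable from {src}, outside VPN gate")
    return problems

def onboard(customer):
    """Render, test, and only then mark the policy active."""
    policy = render_policy(customer)
    problems = validate_policy(policy)
    policy["active"] = not problems
    return policy, problems

# Constructed sample customer (documentation address ranges, hypothetical names).
ACME = {"name": "acme", "client_cidrs": ["198.51.100.0/24"],
        "vpn_cidr": "10.8.0.0/24", "admins": ["alice@acme.example"]}
```

Calling `onboard(ACME)` returns an active policy with no violations; a rule that exposes the administration port outside the VPN range, or a customer record with no administrators, keeps the policy inactive.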
So how does one move ahead in spite of ongoing security threats? The rapid pace of the business world isn't going to pause. Thankfully, new cloud-based security solutions are emerging that absorb this complexity, enabling companies to automate and scale security without requiring in-house security expertise or costly consultants. No longer should companies make security an afterthought in their business, and the good news is that they don't have to.
Amit Cohen is the Co-founder & CEO of FortyCloud, a vendor of network Security-as-a-Service for the cloud. Amit is an accomplished executive with 15 years' experience leading networking infrastructure development for the international telecom market.