A Gathering Storm for Cloud Security

The Cipher Brief spoke with Nils Puhlmann, a co-founder of the Cloud Security Alliance, about the security challenges he sees ahead as demand for Cloud services increases.

The Early Days of the Cloud


When the Cloud came about, it was really convenient and easy. You had your browser, you logged in somewhere, and then you did something that would have been harder to do yourself prior to that. That was cool. That was actually the promise of the Cloud. It's super easy. You logged into something and there was a database in the Cloud instead of you having to set up your own environment. And not only was it made super easy, but you only paid for what you used, instead of having expensive hardware sitting around that you had to write off over several years. That was the promise of the cloud.

But fast forward to today and that's just not where we are anymore. Now our dependency on providers, any type of Cloud provider, has grown. The average tech company connects to between 300 and 500 Cloud providers on a monthly basis. This is the number of Cloud providers that people who work in a company will reach out to. Now, some of that could be accessing your Apple content, because you use an iPhone and it's private. Some of it is business, which actually creates another problem, and that is that business and private data increasingly are harder to differentiate because of the pervasiveness of Cloud services.

With all of this comes complexity. With this, comes the fact that you might have to rely on companies that might be small and immature. We have seen data breaches where airlines and other big companies had huge issues because they all relied on one small provider somewhere, who provided a very certain service for them, but it was actually a small company. I don't want to say that small companies brought down big companies, but errors there can really affect the larger company’s ability to serve their customers.

There was a recent article detailing how major companies had made some mistakes that basically allowed proprietary information to be displayed publicly on the internet. We have seen misconfigured S3 buckets from Amazon because people don't read instructions. If they swipe their credit card, oops, you're up and running. Awesome. Let me just dump all my data in there and that's it. Right? It's made so easy that nobody realizes how easily they can make mistakes.

In a way, we are giving out licenses to drive trucks without really checking if people actually are able to drive trucks. That's the downside of the Cloud. That's why we have seen so many misconfigurations. That's why we have seen security incidents that were purely attributed to misconfigurations.

Weathering the Storm

Cloud providers need to think about security in a different way. In a way, you have to do it like a car manufacturer. They have to factor in mistakes people will make.

If you remember when airbags came out, the airbags in the U.S. were more expensive and bigger than in Europe. The reason was because the statistics showed that nobody was wearing a seatbelt in the U.S. So, you have to build bigger airbags knowing that you have to absorb a whole body, versus in Europe where the rate of seatbelt wearers was higher and you just needed an airbag for the impact of a head, potentially.

We basically need providers to think about mistakes that users can make and to build in functions that anticipate people choosing the wrong configuration or not configuring at all. But the default configurations will have to be much stronger because nowadays, you can have a marketing person with no IT background swipe a credit card to the cloud provider and be up and running in minutes. So how do you factor that in? I think a lot more will have to happen in order to anticipate what could go wrong.

Cloud Complexity Leads to Stormy Times Ahead

Complexity is going up, and by that, I mean the complexity of everything, including the complexity actually of systems, the complexity of partners or vendors, who you rely on. The volume of data is still going up tremendously. And I don't think we have factored that into our business plans. We still don't treat data like a currency, which we actually should. The whole internet is financed through data. But we don't treat it as such. We rely on it as a tremendous resource, a source of income used throughout economies, but we don't treat it like a currency. We don't protect it enough. We don't compartmentalize it. We just want a lot of it. We don't really know where to store it and what to do with it and how to safeguard it, but we all want more of it. The users are wanting to give more.

When strong legislation comes up like GDPR did in Europe, we suddenly see the impact. I mean, some companies took it seriously, some did not. Some had a tremendous amount of work ahead of them because they didn't really have any type of data discipline. They just collected data a little bit like bottom net fishing in the ocean. They didn’t really seem to care about the damage they could do, they just wanted lots of fish.

We'll have to change the way we think and know that we are all expected to act as responsible parties. We have to think about privacy, we have to think about data collection, we have to think about how we use that data. We need to create services and a benefit to the user. There are efforts in the U.S. like the one we’ve seen in California, obviously following the intent of privacy legislation in Europe, that follow the thinking that the user actually owns their data, therefore, they can determine what should happen with it.

There will be major changes coming and we need similar major changes in security as well. It's a risk management function. There's no other risk that can bring a company down as fast as security today. And I don't think we have really understood that yet.

Use of the Cloud is Predicted to Grow, Making Conditions Ripe for a Gathering Security Storm

Use of the Cloud will grow because the model is very much comparable to the ‘just in time’ manufacturing model we saw introduced many years ago. The convenience for a user to get what they need right now and only paying for what they use, is great. I think we'll see more demand for that. It goes hand in hand with new generations growing up and no longer wanting to own anything but just knowing that everything is ‘just in time’ and available when they need it and it's everywhere. It's just a huge cultural, worldwide, global change.

The question really is how do we scale the complexity and keep it secure? Will there be more providers doing more of the same thing, or will there be a consolidation at some point? Will the companies who care win in a more competitive landscape?

Nils Puhlmann is Co-Founder of the Cloud Security Alliance

Read also A Cloud Computing Forecast in The Cipher Brief, featuring four experts sharing their thoughts on the future of Cloud security: President & CEO of SAP NS2 Mark Testoni; Co-chair of the Cybersecurity & Privacy Practice at Wilmer Hale Benjamin Powell; former Deputy Director of GCHQ Conrad Prince; and Director of Cloud Security at Secureworks Lindi Horton.
