How cloud computing has evolved – with cloud security having to evolve with it
For as long as the cloud has been discussed as a business opportunity, discussion around how to secure it has not been too far behind. Whether it’s software, infrastructure or platform, the promise of cloud computing has always been tempered by these key concerns: where is my data actually stored, and who could end up having access to it?
It was this potentially disastrous scenario which prompted those in the information security community to launch the Cloud Security Alliance as far back as November 2008. The year after, the organisation released its first Security Guidance for Critical Areas of Focus for Cloud Computing – which would prove an influential whitepaper, now entering its fourth iteration.
Immediately – and somewhat inevitably, as with all new technologies – the need for caution was outweighed by the hype.
“Some evangelists of cloud computing encourage us to focus on the model as a black box, the seamless presentation of your information on demand. Pay no attention to how it works: resources are dynamically allocated, loads are balanced in real time and data is archived automatically,” the CSA wrote almost a decade ago. “Our message to the security practitioner is that in these early days of cloud computing, you must look under the hood of your cloud providers and you must do so using the broadest precepts of your profession in order to properly assure that the service engagements meet and exceed the security requirements of your organisation.”
Looking back today, the early days of cloud adoption make for interesting reading. Software as a service (SaaS) was the most mature market by far; infrastructure was gaining ground but well behind; and platform as a service (PaaS) had barely gotten off the ground.
Take the infrastructure as a service (IaaS) market. Today, aside from significant investment by Alibaba, it’s an AWS-Microsoft-Google 1-2-3 – and has been for some time. Back in 2012, Microsoft was nowhere to be seen; neither were Google, IBM or Oracle. AWS led the way of course, according to Gartner’s analysis. Yet the other companies at the top table were CSC – which later merged with HP Enterprise Services to create DXC Technology – Dimension Data; Savvis, now part of CenturyLink; and Terremark, acquired by Verizon, then sold to IBM.
With this, organisations were implored to take baby steps when it came to security adoption. At Gartner’s IT Symposium in 2011, the advice was clear: start with email, social and Web apps and test the water. Enterprise services? You’d either be brave or monumentally reckless.
It was to be another 12 months or so before Microsoft and Google’s investments began to seriously impact the market. Daniel Flaherty, editorial lead for cloud security at McAfee, put it this way earlier this year. “With the release of Microsoft Azure and Google Cloud Platform, attractive alternatives to AWS entered the market and spurred experimentation,” Flaherty wrote. “It was inevitable for competition to arise, but created a scenario where choosing just one provider wasn’t necessary, or even beneficial.”
It began to dawn on organisations that different cloud vendors had their own comparative strengths and weaknesses, and could be used for certain workloads over others. For instance, Netflix has long been an evangelist for Amazon Web Services – yet the company uses Google’s cloud for certain areas, including disaster recovery.
As a result, cloud security has had to mature with organisations’ ambitions. The concept of the cloud access security broker (CASB) was first introduced in 2012 – “offering visibility over where cloud data was located, protection for it within services, and access controls,” according to Flaherty. In essence, CASBs sit between cloud and on-premises infrastructure, taking care of threats organisations are unable – and vendors unwilling – to deal with. Gartner’s most recent Magic Quadrant, published in November, shows signs that this particular solution is ready to mature.
McAfee, of course, has plenty of skin in this game, having acquired Skyhigh Networks at the start of 2018. Yet the company warns there is plenty still to fear today. The company’s latest Cloud Adoption and Risk report, which aggregated anonymous cloud usage data for more than 30 million users, found organisations had on average 14 misconfigured instances running at any one time. More than one in 20 AWS S3 buckets analysed were set to ‘world read’ permissions, meaning anyone could have access to them.
Cloud computing has matured virtually to the point of saturation in the fields of software and infrastructure. Platform, with the rise of containers and microservices, is still seeing innovation. It’s now time to make sure the back doors are firmly locked.