Intelligent CISO Issue 07 | Page 30

editor’s question do public cloud service and cloud infrastructure truly present a higher level of security exposure compared to the evolved corporate data centres that are equally exposed to the same cyberthreats? SCOTT GORDON, (CISSP), CMO FOR PULSE SECURE S ecurity has historically been the top concern expressed by prospective cloud adopters. Although this fear is often unfounded in terms of the security of core public cloud infrastructure, protecting the servers and apps deployed within these clouds is only as good as the security that customers choose to implement on top. As the number of intrusions and larger data breaches increase across all types of infrastructure, the cloud is an ever- growing target for the cybercriminal and with the rise of multi-cloud, this issue may become more pressing. When adopting or expanding into the cloud, organisations should ask two key questions: firstly, do the cloud security risks, perceived or real, outweigh the advantages that cloud infrastructure and cloud services provide? Secondly, 30 Organisations, as a starting point, need to establish foundational secure access defences that provide visibility and data protection as they would in the on-premise world. This requires not only session-based protection but the incorporation of multi- factor authentication (MFA), single-sign- on (SSO), split tunnelling and a pre-and post-connect endpoint security checking mechanism to fortify compliant access to cloud resources. Each organisation will have a different risk profile, corporate culture and workflow, meaning the answers need to be looked at based on the individual use case. However, broadly speaking the underlying cloud security delivered by cloud infrastructure providers will often be better than that which a smaller or mid-sized enterprise could do for themselves. The hundreds of millions of dollars that Amazon, Microsoft and Google alone spend on securing their respective clouds is hard to replicate in-house. The cloud is an ever- growing target for the cybercriminal and with the rise of multi-cloud, this issue may become more pressing. At the technical level, cloud security has strengthened considerably over the last few years and the cloud infrastructure providers excel in offering more advanced security features that are either built-in as standard or are turned on for an additional fee to provide a deeper level of protection. An example of a more powerful cloud security capability is micro-segmentation that enables granular access management as well as limits exposure in so-called east-west traffic. Most cloud providers now provide integrated hardware key management solutions with back-end integration to their persistence services for data encryption in motion and at rest. This not only secures the production copies of the data, but all versions, analytics or back-up replicas as well. However, the cloud providers are still impacted by the technology rate of change and the complexity of different cloud technologies that create inconsistency and gaps in security posture. This increases the probability for exposing (known) vulnerabilities and human errors that by themselves, or together, increase the likelihood of intrusion and compromised information. The main difference is that when these issues arise, the providers can and will dedicate a lot more expertise and resource to fixing the problems quickly. For many organisations that have weighed up the pros and cons, cloud services’ agility, flexibility and OpEx cost model may outweigh potential risks, especially when it comes to mainstream cloud service providers (CSP) or hosting providers offering commoditised services such as email, collaboration and content management. In addition, emerging Secure Access Orchestration solutions offer the means for IT to holistically manage access visibility, policy and enforcement consistently across data centre and multi-cloud environments. u Issue 07 | www.intelligentciso.com