March 25


Does the cloud take away the need for a security team?

By Craig Nelson

Let’s be direct:  we have a huge personal stake in the push toward cloud computing. Do companies that move to the cloud still need security professionals?

The answer is clear: yes — and even more than ever.

We are at the beginning of a huge paradigm shift in the middle of a deep recession. This perfect storm will drive the cloud to emerge as an architectural option that has clear economic and productivity impacts that will appeal to most IT shops. The decision to use “the cloud” will be one based upon two opposing forces: “do more with less” versus “risk management.”

However, this shift – whose success heavily relies upon abstracting the cost/complexity of underlying infrastructure — demands security professionals “up their game” to reflect that we are in a brave new world.

The stakes are high.

Let’s reflect on a recent headline:  a zero-day vulnerability exploited by a government to access private communications hosted by a major “cloud” provider.

This incident was front-page news – and the rationale for Google to threaten to cease business operations within the borders of China. Coverage and commentary of this incident extended beyond the usual IT publications to the US Security of State.

This is a big deal (and great movie plot).

But is it true?

Sometimes fact is stranger than fiction. In this case, it is likely some aspects are true and others false. Either way, it begs the question: what will the headlines read just a few years from now?

There are two ways security professionals must up their game:

First, security pros need to learn how to operate effectively in the context of business decisions.

Ten years ago, security focused on knocking ports, following exploits, and using flaws in network/core configurations to breach a system. Then the volume of exploits became overwelming, the OS/network became more resiliant, and the auditors moved in. This signaled a shift to checklists and conceptual assessments. The tao of scanning became commodity, and productized through services such as Qualys. IDS configuration became stale (well, also due to protocol complexity and encryption), and we all became unconvinced in the security associated with layer 3 and 4 firewall ACLs and IPS systems.

We’ve already seen a piece of this evolution as “risk management” has dominated security-focused job descriptions.

Security pros are applying “low level” security accumen to drive operational situational awareness and risk-based architectual decisions:

  • What security controls does the provider place on data storage?
  • Are they strong enough as the sole protection mechanism, or should we encrypt and build the added complexity into our application?
  • What happens if the provider reports a breach?
  • What is the impact and how will we cohesively respond?
  • What do we expect from the provider?
  • What does the provider commit to?
  • Does the cost balance the consequence and likelihood of an incident?

Second, from a technology perspective, security professionals must build acumen to topics that sit higher in the stack.

Twelve years ago, we were implementing firewalls to defend against the “ping of death” and “smurf attacks”. Since then, the focus has steadily moved away from layers 2/3/4 and into layers 5/6/7 and out of the “stack” to focus on the user and business).

Cloud-based resources further increase the emphasis on applications, users and business. More than privacy and compliance, this means security professionals will need the skills and abilities to focus on these essential aspects and specific challenges like:

  • Application Role Based Access Control (with Federation Technologies)
  • Security of API interfaces that faciliate programatic access to an instance of a cloud-based service
  • Incident Qualification/Response via “cloud” forensics
  • Logical Data Encryption within “cloud” based storage
  • Security of code that is developed and deployed to IaaS (Amazon/GoGrid) and PaaS (Microsoft Azure) providers
  • Configuration and verification of virtual machines (within the IaaS Scenario)
  • Defense against Economic Denial of Service Attacks
  • Bridging the policies and metrics that the cloud provider exposes to the requirements of the business

For many, these topics are not as easy to master as TCP/IP and SMTP. Complicating the task, many of these concepts differ between providers, mesh together complex application-drive technologies, and change quickly. It’s also unclear how far we can venture into each (since many are based on what and how the provider exposes, and the complex nature of the protocols).

To make the right decisions, businesses must rely on practiced security professionals who are qualified and capable of voicing the appropriate concerns to the business. Without question, this requires greater focus on risk management by explaining complex topics that will drive a risk-managed embrace of cloud computing.

About Craig Nelson

Craig Nelson works at Microsoft, and is the host of the Cloud404 Blog ( His expertise and education is in incident response, computer forensics, and security architecture.


You may also like

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Tired of feeling defeated on Friday?

Where the stack of work to get done is bigger than what got finished. You dread next week before the weekend even begins.

It doesn’t have to be this way.