Cloudy With a Forecast of Security

I attended the Cloud Security Alliance's (CSA) Southwest Summit to learn more about what's going on to make the cloud a more secure place. CSA is a nonprofit group started by a guy named Jim Reavis in 2009 to promote best practices for secure cloud operations.

Why would a writer bother with this? Because we're all on the cloud now. I don't think there is any turning back. And luckily, the forecast going forward is cloudy with more security.

A Secure Cloud Needs Competitors to Act Together

Understand that cloud security is a competitive industry. It's well-funded and an investment of choice among the Silicon Valley crowd, which has moved on from doing business on the Internet to investing in Internet security. After all, they bank and shop online just like the rest of us.

CSA has brought together competitors and created an environment where they can share lessons learned and work together. Rather than boast about their super-secure environments, these members have agreed that the industry itself needs to be super-secure.

Toward this end, CSA offers security certification for cloud providers through its Security, Trust & Assurance Registry (STAR)program that guides members through a process of self-assessment, third-party audits, and continuous monitoring. It also launched the first-ever cloud computing security certification in 2010.

Just as important, CSA invites companies and nonprofits to participate in research and studies at no charge. It offers a ton of paywall-free resources on its site as well. Yes, it's funded by industry giants like Microsoft and Google, but it's got just one agenda: to provide security training, education, and awareness among every organization that works in the cloud.

Making the Cloud the Most Secure Home for Data

The cloud has taken a pretty intense beating in the past few years, particularly in the financial area.

Cloud providers noticed this, and certain ones have spent considerable time and money on security and stay a step or two ahead of the hackers. Amazon, Reavis said in his opening remarks, is one example of a provider with really good security measures in place.

If you're surprised to read this, I was too, although this is what I hoped to hear.

One reason why the cloud is more secure than your desktop or a local server is that the cloud is one industry that (still) wants to do things the right way for customers. At least that's the sense I had from the conference.

Here are some other encouraging bits I heard:

• A cloud provider can easily add new security measures for all its customers. Security is built into applications from the ground up as Benzi John, a security architect for Adobe, noted in a panel discussion on Enterprise Cloud Adoption and Security Lessons Learned.
• The cloud automates security, says Ken Biery, Jr., vice president for the cloud security firm Qualys. End users don't have to do anything; security is put in place for them.
• The cloud can contain the 'blast radius,' as Alert Logic's Paul Fletcher discussed. It's easier to react to a situation and make the adjustments in a cloud environment.

The biggest problem is with end users--consumers--who aren't doing their part to secure their transactions, financial and otherwise. The Internet of Things (IoT) is just the latest example of hacks and breaches that came about because manufacturers did little or nothing to educate consumers.

IoT Running Rampant in the Cloud!

I'm also interested in IoT, which lets people power gadgets like drones through wireless connections. Unfortunately, it's also exposing a lot of vulnerability that the cloud can control, if it gets cooperation from different groups.

I believe IoT leaders need to persuade developers to take the lead and insist that manufacturers put in security controls for devices that connect to the Internet like routers, printers, and cameras. These devices were targeted in September 2016 in a large, coordinated DDoS (distributed denial of service) attack that took down some pretty big websites.

Not surprisingly, the people at the CSA conference felt a little differently: the onus should be on manufacturers.

Well, of course it should! But if past observations hold, manufacturers of everything from cars to children's pajamas won't voluntarily incorporate safety measures until they are compelled to do so by the government or angry consumers. Boycotts rarely work, particularly against items that are inexpensive and/or highly desirable in the trendy sense.

CSA expects to focus more efforts on IoT. We can only hope that its success with one industry--the cloud--can be duplicated with industries and manufacturers that run the full gamut of IoT presence and possibilities:

• Toys/Drones
• Home security
• Home entertainment
• Cars
• Pretty much anywhere IoT is deployed. In other words, pretty much everywhere.

Who Can You Trust for Secure Services?

A good start to see what firms are putting their faith in cooperative efforts like CSA is their corporate membership page.

Obviously, most of these businesses are B2B but some are household names. For example, if a consumer wants to inexpensively store photos in the cloud, it's nice to know Dropbox is a member. A number of banks are members. So is PayPal.

Another bright spot is CSA's incident-sharing program partnership by TruSTAR Technology. According to Patrick Coughlin, a TruSTAR co-founder who leads the program, cyber attackers share more information with one another than legitimate companies do.

Since the partnership's inception in May 2015, it's attracted 20 companies to voluntarily report incidents and share anonymously share data to learn what happened, how, and how to prevent it.

Data-sharing to this extent is a very new phenomenon in the cloud industry. So far, it's been quite successful:

• More than 400 incident reports were submitted to the partnership for analysis from the larger cloud community over an initial three-month period.
• CSA submitted another 200 it received.
• More than 18,600 common indicators were identified such as URLs, IPs, file names, and specific named attacks.

How do these incident reports help?

• The partnership is in a stronger position to quickly and accurately identify threats and isolate trend information.
• It gets a better understanding of what to hunt for, where, and what tools are needed.
• It can use its resources more effectively by prioritizing responses, triaging actions, and determining if an attack is (or is planned) to be specific or just plain old malice.