Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Cloud Security IT

Only Cloud Providers Get Security Right. Can IT Vendors Catch Up? (esecurityplanet.com) 136

Slashdot reader storagedude writes: If cloud service providers are the only ones who can get security right, will everyone eventually move to the cloud?

That's one of the questions longtime IT systems architect Henry Newman asks in a new article on eSecurity Planet.

"The concept of zero trust has been around since 2010, when Forrester Research analyst John Kindervag created the zero trust security model. Yet two years after the devastating Colonial Pipeline attack and strong advocacy from the U.S. government and others, we are still no closer to seeing zero trust architecture widely adopted," Newman writes. "The only exception, it seems, has been cloud service providers, who boast an enviable record when it comes to cybersecurity, thanks to rigorous security practices like Google's continuous patching."

"As security breaches continue to happen hourly, sooner or later zero trust requirements are going to be forced upon all organizations, given the impact and cost to society. The Biden Administration is already pushing ambitious cybersecurity legislation, but it's unlikely to get very far in the current Congress. I am very surprised that the cyber insurance industry has not required zero trust architecture already, but perhaps the $1.4 billion Merck judgment that went against the industry last week will begin to change that.

"The central question is, can any organization implement a full zero trust stack, buy hardware and software from various vendors and put it together, or will we all have to move to cloud service providers (CSPs) to get zero trust security?

"Old arguments that cloud profit margins will eventually make on-premises IT infrastructure seem like the cheaper alternative failed to anticipate an era when security became so difficult that only cloud service providers could get it right."

Cloud service providers have one key advantage when it comes to security, Newman notes: They control, write and build much of their software and hardware stacks.

Newman concludes: "I am somewhat surprised that cloud service providers don't tout their security advantages more than they do, and I am equally surprised that the commercial off-the-shelf vendors do not band together faster than they have been to work on zero trust. But what surprises me the most is the lack of pressure on everyone to move to zero trust and get a leg or two up on the current attack techniques and make the attack plane much smaller than it is."

This discussion has been archived. No new comments can be posted.

Only Cloud Providers Get Security Right. Can IT Vendors Catch Up?

Comments Filter:
  • by oldgraybeard ( 2939809 ) on Saturday May 13, 2023 @05:35PM (#63519401)
    "If cloud service providers are the only ones who can get security right, will everyone eventually move to the cloud?"
  • Ice Road Trucker (Score:5, Insightful)

    by cj* ( 149112 ) on Saturday May 13, 2023 @05:45PM (#63519413)

    There are two kinds of Ice Road drivers. "Those who have been in the ditch and those who will be in the ditch".

    Cloud security people are hesitant to brag to much about how much safer they are because they know how risky things are.

    Nothing looks sillier than "XYZZY Cloud Co is so secure" followed be a headline a short time after "Major Data Breach at XYZZY Cloud Co".

    Also, most of the cloud security people who would be credible enough to matter on the record have insider knowledge of exploits that are actively being addressed. There is a permanent sword of Damocles in this industry.

    Any CIO that tells their Board that the company data is 100% secure should be fired or demoted to a place where they cannot do any damage.

    • This is the same reason that airlines do not tout their accident free safety record. These days accidents (and security breaches) usually happen due to not a single thing going wrong (or being done wrong), but an entire series of things going wrong (or being done wrong) at just the wrong time.
      • by Skapare ( 16644 )

        When everything works safe, too many people and systems slack off and get lazy because "it's all safe and secure". Then one day everyone does it. We are trending to that because we have cloud providers, now.

        • by Mal-2 ( 675116 )

          In aviation this is called "normalization of deviancy". Basically, once you cut corners and appear to get away with it, you're a lot more likely to keep cutting them. Remember the fertilizer plant in Iowa that went boom? Similar idea.

          • by gweihir ( 88907 )

            Yep, and at the end you save a penny somewhere and that finally topples everything over and you lose a billion or everything. That is why all technical systems must expect to fail catastrophically, because eventually it happens. You can delay things by staying vigilant and threatening the bean-counters with death whenever they try to save one more penny, but eventually they win and a while later things come crashing down. Ultimately, bean-counters always try to do things cheaper than possible and they are i

    • by Skapare ( 16644 )

      Stats about which cloud provider is most secure will just end up making your own service less secure.

    • by bhcompy ( 1877290 ) on Saturday May 13, 2023 @11:42PM (#63519787)
      In the end, it's all about resources.

      Google/Amazon/MS spend a lot more money on data center security than most can afford, and they generally have first pick of the engineers and security experts over almost every other company, including the fairly large company I work at that recently had a serious cybersecurity incident in a data center. We've decided that offloading that liability to someone who's better equipped to deal with things like nascent attacks was the prudent thing to do, and, honestly, I think it's the prudent thing for almost anyone that can't airgap their network. Our incident had nothing to do with unpatched software, social engineering, or any other dumbass easily preventable vector out there. It was very likely a state actor looking for specific things.

      It's not a matter of if, it's when, and probably the best thing you can do to delay when is to put your data somewhere that has more money invested in better people and better infrastructure than you can realistically field. Even then, it's still a gamble. You're just betting with hopefully better odds.
    • by gweihir ( 88907 )

      Indeed. Also a major cloud provider having a large breach will probably put them out of business and may well put others out of business as well. As soon as that is in the press, a lot of companies will adjust their risk analyses and the cloud will look even more expensive than it already is compared to running your own.

      So they are scared as hell and do the max they can afford to do. Or they would, because the bean-counters are always present and always erode quality over time. Because of the bean-counters

      • The direct and reputation costs for cloud providers is well understood and accounted for in the business model. "Accounted" in this case mean literal dollars and staying in business.

        For damn near every other kind of IT organization. the cost of security is treated as a waste of time and money, so it is always underfunded. For example, that's why Verizon has a major data breach every three or four years. The downside for them in a data breach is small enough in both direct costs and reputation that there is

        • by gweihir ( 88907 )

          Indeed. My suggestion would be $500 for every customer that has their data compromised, no questions asked, unless they can prove more damage was done. That would change things pretty fast.

      • Also a major cloud provider having a large breach will probably put them out of business....

        You would think so, but it hasn't happened yet. And this is despite cloud security breaches happening all the time. It appears that cloud providers have taken the approach of, "make breaches of all cloud providers so common that people learn to accept it as normal."

        • by Bongo ( 13261 )

          Also a major cloud provider having a large breach will probably put them out of business....

          You would think so, but it hasn't happened yet. And this is despite cloud security breaches happening all the time. It appears that cloud providers have taken the approach of, "make breaches of all cloud providers so common that people learn to accept it as normal."

          Exactly.

          Just to name a few simple examples, Okta and LastPass, not as cloud providers, but as companies who survive despite security being their core reputation.

          And it's worse with the cloud providers, because if a Google has a bad breach, what exactly are you going to do about it as a customer???

          In fact, people have passed the responsibility to an external entity, and that entity is too big to be simply switched away from, and everyone else is in the same boat.

          And maybe that's the appeal. It becomes "the g

        • by gweihir ( 88907 )

          Sure, cloud security breaches are common, but how common are cloud provider security breaches? And that is the kicker. As long as they can blame it on the cloud customer, they can, with some justification, claim it was not their fault. That ends if, for example, somebody breaks into the management layer of Google or Microsoft, steals 100'000 cloud images and uses the cloud for some really nasty DDoS afterwards.

    • by AmiMoJo ( 196126 )

      To be fair, Google has never suffered a major breech of its cloud infrastructure. All leaks have been due to attacks on individual accounts, rather than getting into the infrastructure itself.

      Well, unless you count the NSA's access.

      Never had a ransomware attack encrypt large numbers of cloud servers either. Clearly they are doing something right that many orgs are doing wrong with their local IT infrastructure.

  • by capt_peachfuzz ( 1013865 ) on Saturday May 13, 2023 @06:03PM (#63519431)

    I've worked on various SAAS platforms and the security is laughable. So many work-arounds get put in place _because_ of the (frequently ridiculous) security measures that it ends up compromising the system. I have one that I'm working on right now that has a one-hour token expiration time, which forces a re-authentication. Somehow I have one tab of my browser that's been working for a week without re-authenticating (and no, it isn't because I've re-authenticated on on another tab, oddly those ask me to re-auth and I just ignore it and go back to my "magic" tab - also, no I didn't "save" a password, I never do).

    Granted, in-house security can also be bad, but at least you have to make the effort to get into the internal network before you can mess with that. Maybe other people's experience has been different than mine, but I sure as hell would not say that the cloud gets security "right". Not even close.

    • by micheas ( 231635 )
      I think by cloud they mean AWS, Azure, and GCP. Those three entities seem to have security that is a cut above.
  • by polotheclown ( 1306759 ) on Saturday May 13, 2023 @07:01PM (#63519495)
    I've just had a different experience In my 20 or so years of in the technology industry, recent incidents have challenged the prevailing belief that cloud providers offer superior security. Microsoft Defender has been mistakenly misclassifying real alerts as false positives and vice versa, eroding trust in the system's effectiveness. There have been significant mishaps, such as Azure Gov accidentally transferring our data to a commercial test tenant and zScaler inadvertently leaking our databases between customers. These have left my leadership team to cast doubt on the notion that cloud services consistently deliver better security compared to on-premises solutions, especially when considering the associated costs.
  • by PPH ( 736903 ) on Saturday May 13, 2023 @07:20PM (#63519511)

    ... provide resources in "the cloud" so that I might host my data and/or application without having to rack up my own servers. Fine. But who gets dinged when I get phished for my data password? Or the app that I moved onto their virtual hosts has major security holes in it?

    I do. So yeah: Cloud providers can claim an excellent security record. Because it's their customers' stuff that gets swiped.

  • by Skapare ( 16644 ) on Saturday May 13, 2023 @07:22PM (#63519515) Homepage

    Even on the most secure cloud provider, any IaaS customer can easily setup a very insecure virtual infrastructure. IT providers need to have a lot more education of all aspects of their work. They also need to learn that throwing lots of commercial security products or services at the problem does not work. Security is a whole attitude thing. I saw this problem back when i worked as an operations director at an ISP. The IT service providers that were our customers frequently had security issues of their own making or their own lack of knowledge; we just provided access to their insecure networks.

    • any IaaS customer can easily setup a very insecure virtual infrastructure

      This. While cloud services generally have a great track record of managing their security they give their customers plenty of rope with which to hang themselves. For a while it seems like we heard a story every other week of some major sensitive data leak by someone leaving default passwords set on an EC2 instance or uploading their private keys to a public repo somewhere on the cloud.

      Companies may see benefit in outsourcing the hosting of the application but they will end up in the shit if they fire people

  • You use it either because you're a small business who might need to suddenly scale up to large amounts of volume and you have a bunch of investor cash to spend anyway so the excess cost is okay, or you use it because you are a large business that wants to outsource their it so you don't have to pay benefits or good salaries or can take advantage of cheap overseas at least cheap work visa labor.

    Those are the things that motivate people to use cloud services, not security.
  • Take that NSA... looks like you'll be moving over to cloud vendors.

  • Are not done of the most serious breaches perpetrated on cloud systems? Facebook and Alibaba and LinkedIn from memory.
    • by micheas ( 231635 )

      Facebook runs their own hardware (custom hardware at that). I don't know how they get lumped into cloud computing.

      LinkedIn was on prem with their own data centers. before being bought by Microsoft and moved to Azure in 2019,

      As for Alibaba Cloud, that is by definition a data breach. The CCP, and anyone they wish to share the data with, has access to everything on Alibaba Cloud.

  • I don't understand (Score:4, Interesting)

    by inglorion_on_the_net ( 1965514 ) on Saturday May 13, 2023 @08:55PM (#63519639) Homepage

    > If cloud service providers are the only ones who can get security right

    I don't understand. First of all, it seems to me that if you're using cloud services, you have already taken some steps away from security. For one thing, you have your service and/or data on a system that is accessible remotely...over the public Internet. For another, the service/data is on machines controlled by some other organization. I'm not saying this isn't acceptable ever, but I am saying that this isn't obviously getting security right.

    But maybe it's not really "getting security right", but only "getting zero trust right". That leads me to my second point: If the cloud providers can do it, why couldn't it be done by others?

    The article makes the point that it's all very complex and everything needs to be tracked and authenticated. I'm sure this isn't already universally done, but is it really that hard? Every organization I've ever worked at already authenticated users. Only authenticated users have access to most resources. Source code, documentation, and, in many cases, configuration parameters can only be altered by authenticated users, and a log is kept of what was changed when and by whom. A lot of what I understand the article to be asking for seems to already be in place.

    Then we get to:

    > The hardware stack is controlled by the cloud service providers. For the most part the CSPs build their own hardware and theyâ(TM)ve even been building their own CPUs. They build their own network devices, NVMe SSDs and motherboards.

    I don't think this is quite true. As far as I know, cloud providers generally use commercially available CPUs (with some widely publicized security vulnerabilities, no less) and use commercially available SSDs.

    > There is a single software stack that they control and, for the most part, they write themselves

    I would be shocked if this were true. As far as I know, these software stacks are largely built from open source software (hi, Linux!). To the extent that the stack is open source, nothing prevents a not-cloud-provider from using the very same software. To the extent that the stack is not open source, I'm not sure that should inspire more confidence in its security. Besides, "software stack that they control" sounds nice, but I guarantee you that the software stack is too complex for anyone to really vouch for its security.

    > They do not have to have network monitoring, multi-factor monitoring, OS monitoring, etc.

    I am not sure why the author thinks this is true.

    All in all, I understand the idea that not every organization has the budget and competence to make sure everything they do is subject to all the authentication, audits, updates, monitoring, and logging you might wish for. But the problem with using a cloud service provider to handle this for you is that they really can't; you need to access the cloud somehow, which means you will have some hardware that runs software, and users that need to be authenticated, have their authorization revoked when appropriate, etc. At best, you can outsource part of it all to the cloud service provider...but it does require that you trust the cloud service provider to do their part of the job. At that point, is it really zero trust anymore?

    • by micheas ( 231635 )

      You are assuming that things running on the cloud provider are accessible over the internet.

      That are times that is only indirectly true with a public API gateway hitting a controller that hits a private api gateway that then triggers jobs that modify the cloud infrastructure. With four layers of indirection between the internet and reaching the infrastructure.

      While generally most things are desirable to be reachable via the internet these days on AWS and GCP it is entirely optional

      Additionally, the network

  • by thecombatwombat ( 571826 ) on Saturday May 13, 2023 @10:28PM (#63519725)

    Just from the last two years, just microsoft, just databases, just off the top of my head:

    https://arstechnica.com/inform... [arstechnica.com]

    https://www.techradar.com/news... [techradar.com]

    The basic claim of this piece requires way, way, way more justification than this guy gives.

  • Why learn anything about security when you can just offload your responsibility to some cloud provider, who may not actually know anything about security.
  • basic logic (Score:2, Insightful)

    by Tom ( 822 )

    If cloud service providers are the only ones who can get security right

    First, you need to prove your basic assumption. Until you've done that, everything based on it isn't even false, it's worse than false.

    Who says cloud service providers get security right? Just because we haven't yet had a total compromise of the major players doesn't mean that a) all OTHER cloud service providers get it right and b) there wasn't one that we just don't know about.

    That we hear many more incidents in standalone IT systems is simply a scale factor. There's a few hundred cloud service providers

    • by gweihir ( 88907 )

      There is also another thing: If a cloud system gets hacked (which happens all the time), it is on the owner of that system and not on the cloud provider. If your on-prem system gets hacked, it is always on you, regardless of whether it was the virtualization and management layer that got hacked or not (if virtualized). So, for example, the last of my customers that got hacked had their exchange server hacked, the attackers never got into the private cloud management and virtualization layer. In a public clo

  • .. of being breached. That is the mein reason the get this mostly right. What they do not even touch is end-system security, just virtualization and management interfaces. (Yes, this is simplified.) As a consequence, you are about as secure with non-virtualized or carefully virtualized on-prem infrastructure as you are with cloud systems. On-prem is often cheaper although the TCO calculation is not simple.

    One day, we will hear about a major cloud provider getting hacked. The hack may already have happened,

    • Did you know your cloud data is backed up - there may be 2-3 copies floating around. Did they secure overwrite those backups - probably not. There is no evidence cloud data is more secure - just the opposite. You pick the wrong defaults, or loose the keys to the kingdom - it is all over rover. Just as muppets go to the big outsourced storage names, not the boutique ones that are cheaper and better and more secure.
      • by gweihir ( 88907 )

        Indeed. The cloud does not make you more secure. It does make everything more complicated for an illusion of simplicity and security though. If you screw up anything of that added complexity, you can even more easily get attacked. Of course that will not count as a hack of the cloud provider.

  • As the Spartans said (https://en.wikipedia.org/wiki/Laconic_phrase)

  • From the ACM Queue Magazine [acm.org]:

    It seems zero trust might be best described as a strategy or approach, which is to say it's somewhat nebulous and hard to pin down. That, of course, makes it an absolute gift to those who market cybersecurity products and services.

    Indeed, zero trust has been promoted with real gusto. The trade press commonly uses the word "hype" in reporting about zero trust and the efforts made to market it. Yet there are aspects of the approach that even critics readily agree are entirely sensi

  • I saw a malware incident. It was caused by a bad configuration change. It was cloud-hosted but managed by local staff. Another part of the network was again cloud hosted, but managed by a different group. It escaped untouched. Any security configuration changes should require review by some kind of committee. There is no magic bullet. Cloud-hosted solutions can get blown away too.

An authority is a person who can tell you more about something than you really care to know.

Working...