… patching, password management, changing obvious “admin-admin” username/password combinations, and so on. These activities provide a foundation for additional security practices and processes. By combining these with resiliency, redundancy and change tracking, as well as automation, security teams can also remove the bulk of the human variable from the security equation while freeing security teams to work on more proactive protections and technologies.
CP: What innovations in cloud security can we expect over the coming years?
MB: There are a number coming, both in terms of software and hardware. The one that people will notice most will probably be closer integration of threat and vulnerability analysis into the development and deployment life cycle. We’re also going to see more automation, and with automation comes the ability to measure and manage risk, as you get the opportunity to apply security policies and governance models through the entirety of the life cycle.
Combine all of these with the promises of quicker and more accurate threat analysis by AI and machine learning, and we’re in for an interesting few years.
On the hardware side, several of the chip manufacturers have started to announce the availability of Trusted Execution Environments. These allow you to create “enclaves” that can execute on cloud hosts with significantly more security than existing workloads. This change, as it gets rolled out, should allow two things: new offerings from the cloud providers themselves, and the ability for companies to make different risk evaluations about which of their sensitive processes and data they’re happy to have hosted by somebody else.
CP: What would you say to a company that is on the fence on moving their data to the cloud?
MB: The most important thing for a company considering moving data – or critical applications – to a cloud provider is to ask themselves a question: “What’s the risk/benefit balance?” It’s a question that, really, all companies should be asking themselves any time they have a technology decision in front of them: “How does this affect my risk?”
Risk could mean facing a potential breach, it could mean downtime due to a vulnerability, and so on. Regardless, companies need to weigh their perceived risks against the benefits of going to the cloud. Just like there is no surefire way to secure your software, there’s no perfect security footprint for cloud computing. But there are many, many ways to make it more secure and safer, and it all starts with the foundational elements of your IT infrastructure before you even dip a toe into the cloudy waters.