Security Sessions: The state of cloud security

In this episode of Security Sessions, CSO Editor-in-Chief Joan Goodchild chats with Jim Reavis, CEO of the Cloud Security Alliance, about whether enterprises have finally come to trust cloud services with their corporate data, and how the Internet of Things could affect cloud security in the future.

[background music]
Man: You can probably achieve better security with a mature cloud provider than you could inside of your own data center. Again, understand your responsibilities, which could be encryption or your own access control that you need to do.
[background music ends]
Joan Goodchild: Hi. I'm Joan Goodchild, Editor in Chief of CSO, and welcome to another edition of Security Sessions, where we talk about trends and topics important to CISOs, CSOs, and security managers. Today I am joined by Jim Reavis. He is the CEO of the Cloud Security Alliance. Welcome, Jim.
Jim Reavis: Thanks, Joan. Pleasure to be here.
Joan: If we could just start by learning a little bit more about Cloud Security Alliance for folks who might not be familiar with it, a little bit about your mission, and the background of the organization.
Jim: Absolutely. We are a global not-for-profit organization, and our main goal is to build this trusted cloud ecosystem. How that manifests itself is we do a lot of research to try to build consensus best practices that make sense to secure cloud. We do a lot of education, we have a cloud provider certification program, we have a user certification program.
We try to do all this on a consensus basis and by bringing in stakeholders from basically every part of that ecosystem you can think of: government, industry, technologists, legal, compliance. We've been at it for a few years now. I think we've seen a lot of progress with it, as well. There's this idea that you're never going to really solve information security, and so it's a continuous process.
Joan: That progress is also what we're going to touch upon today. We're going to talk about the state of cloud security as you see it from your perspective. We cover cloud security quite a bit on CSO, and we've certainly seen the evolution over the last several years of many enterprises moving their applications into the cloud.
Have we reached a level of trust now for enterprises that they're willing to put that data in there, and they feel as though they can trust the cloud to keep that data secure?
Jim: Cloud computing, it's a tremendously large number of players that are involved. If you look at top-tier cloud providers that really invest a lot in information security, and you look at enterprises that are also understanding their responsibilities don't go away, you would say yes.
That the answer is in fact that you could probably achieve better security with a mature cloud provider than you could inside of your own data center. Again, understand your responsibilities, which would be encryption or your own access control that you need to do.
The issue is that there are thousands and thousands of cloud services, and we've talked to a lot of large enterprises. They may be using a couple thousand cloud services. Some of them they may have planned for. Some of them may have been adopted and procured in a decentralized manner, a single person with a credit card.
A lot of the challenge is making this distinction between what are the really robust, secure services, and what are the ones that are appropriate for the risk appetite that we have for this particular business process.
Absolutely we think we've reached that point. I'll tell you, I've talked to, very recently, some large players in financial services who every year since cloud first got on the radar they've been doing this risk assessment using this consistent methodology. For years they said, "Well, we're not really sure. We're going to say it's not as secure."
We've seen over the last 12 to 18 months more of those answers have been coming back to say, "Yeah. We've seen the track record. We understand how this needs to match together the tenant and the provider." They will say that absolutely in the right configuration done in the right way it is more secure.
Joan: Obviously you say you're talking to different providers and different organizations. That means globally, you're not just based in the US. In your global work worldwide, do you see a differing attitude among enterprises in the US and those in Europe and other parts of the world in terms of their reliance or their trust of cloud?
Jim: Certainly we do. I think we need to really underscore how important it is to have that global perspective, and I'll paraphrase [inaudible 04:22] a little bit. He has said that the Internet treats any attempt to control data as a routing error. We sort of think of that in the same way that we have to understand that it needs to be secure from a global perspective.
The different attitudes really are very important to understand. Since the lead, you would argue, of the major cloud providers belong to the United States where it seems to be the market leader there, there is probably more of a comfort level from US companies in adopting cloud services because they just have that familiarity. This is an evolution of companies that they've worked with for quite a while.
When you look at it from an APAC perspective, and we have our headquarters over there in Singapore and we do a lot over there, it's really very much a competitive issue that they would like for these industries, the cloud industry, to be based in Asia, they'd like to win that fight. There's also technical issues in terms of wanting to have data centers close by, there's some physics still associated with that, where you want that optimal bandwidth and performance.
I think the most important issues that we deal with, the governance and policy issues, those arise out of Europe. The European Union, the member states, they are for historical reasons as we know very concerned with privacy. You hear a lot more issues from both the enterprises over there as well as the regulatory bodies, the data protection authorities, about the issue of data sovereignty.
We'd like for cloud to be this optimized system, and it doesn't matter where the information is, it matters how you control access to it and make it as high performing and as efficient as possible. The reality is that in Europe they're wanting to see a lot of the cloud services be delivered from Europe and have some assurance that the information is stored there.
It seems as though, maybe for us in the US, that we pay a lot of attention to the Apple-FBI fight over unlocking a phone, or the Department of Justice battle with Microsoft related to getting access to information out of a data center in Ireland. The reality is in Europe they're watching that far more than we are. They're wanting to see, "Are the US-based cloud providers actually going to show very strong independence from the US government?"
I'm not judging right or wrong on all of these sorts of things, but those policy issues definitely need to be resolved. We need to understand that these large cloud providers are going to need to be able to consistently provide good security, data protection on a global basis in order to have a viable business model.
Joan: Interesting. Let's talk about some other trends in terms of things that people are watching, IoT, the Internet of Things. That's another big buzzword. We cover quite a bit of it and its security implications on CSO. Where's IoT in relation to cloud, and what is its connection to and impact on cloud technologies? Does it help? Does it hurt? Your thoughts.
Jim: I think about IoT. It's a very vast, complicated subject. Mark Andreessen, I think he said last year, that in 20 years every physical item is going to have a computer chip, which is pretty phenomenal.
I think about IoT and cloud as being children of a common father, and that's probably Gordon Moore and Moore's Law about the price performance of compute. As compute has gotten commoditized you see cloud become cheaper and cheaper and cheaper, and there's more and more of it. At the same time it becomes cheaper and cheaper to deliver IoT devices.
We know that on the one hand there's going to be huge growth in both. How they are synergistic and work together is, I believe, in what we're seeing: that cloud computing is the platform for IoT.
It's the data repository, it is the application environment, it's the provisioning system, and so it's ultimately going to be the security system for IoT, as well. As IoT grows it's going to need to phone home to more and more cloud systems. You're starting to see cloud providers have some more specific IoT-based services to handle a lot of this provisioning.
It's almost like BYOD, in that I think what's going to be the really big impact is that the information security industry is going to need to make this complete transition into cloud in order to deliver the security services to secure IoT.
That's the big impact. That's going to help the growth of cloud and it's going to grow IoT, but it's the information security industry that's got the hard problem to make that transition to have cloud-delivered security services for it.
Joan: Interesting. Speaking of transitions, we started this segment by noting that so many enterprises have now moved so many applications over to the cloud. Of course there are plenty that still have not.
Are we at a place now where there's any way left to convince some of these organizations that aren't really embracing cloud to embrace cloud? Are we at a point where it's, "If you're in the cloud, fine. If you're not, it's fine"? Your thoughts on that.
Jim: I would say that within every company that says it's not embracing cloud, we know they're embracing cloud to a degree. They may not know about it, but they are doing some. It's true that there are many that are trying to minimize it and have a lot of systems that they are purposefully keeping on-premises.
I think that you will see the dynamics on how this is going to change, because it is going to change. Knowing that there is this legacy long tail of IT technology, we still know that government agencies have a lot of COBOL on mainframes, and there's still some of that that exists out there.
What's going to cause this transition is, one, it's leaders in industries. [inaudible 10:42] follow the leader. You look at the leaders in finance, in manufacturing, in retail; the leaders tend to be more proactive in cloud adoption now, so the other organizations will follow them within the industry.
Another interesting dynamic is you just have to understand how the software market's being impacted by SaaS. If you're an entrepreneur building a software company, you're going to build software as a service. That's the only way you're going to do it, because you're going to make more money; that's more efficient.
Last month I was at an industry group for the oil and energy industry, checking with them on a lot of the vertical applications. What they had seen, which is consistent with a lot of other industries, is that there is either no traditional commercial on-premises software version of a lot of these little vertical apps, or it's being end-of-lifed fairly soon. There will be a point where you're either going to have to move or you're going to be running on some unsupported stuff.
I know there are parts of the world, like I said, with COBOL mainframes or NT4 embedded systems that are out there, but that's going to be more of the exception.
Joan: That's something we'll certainly be following on CSO in the future. For more on cloud security and other topics related to cloud, check out other parts of CSO online. For now, I'd like to thank Jim Reavis of Cloud Security Alliance for joining us today.
Jim: Thank you very much for having me.
Joan: Great. That will do it for us today. Have a great day.