Turning Trust Upside Down: How to Reduce Security Risks in a Cloud-based Economy

Featured article by Rob Quiros, Vice President of Marketing and Products at Soha

As the move to hybrid cloud infrastructure causes the Internet and corporate network to meld, enterprises need a new approach to ensure all of their applications and network resources remain secure. But that is easier said than done, since traditional network perimeters and VPNs simply don’t work in this new cloud-based environment. Instead of opening the network to anyone who may know a username and password, enterprises must take an opposite tack and trust no one from the start.

Problems with security in the cloud-based economy are evident in the constant stream of headlines about breaches impacting businesses and government agencies, which have exposed the personal data of hundreds of millions of individuals to hackers. These breaches happen, for the most part, because, organizations can’t monitor all the holes they’ve opened in their firewalls for inbound access, and then with typical access methods like VPNs, once someone gets through they are not typically restricted in terms of the resources they are allowed to access.

Consider how these traditional secure access solutions work. Because VPNs were designed to connect outside users to the corporate network, they require organizations to essentially open their entire network(s), or large portions of it, to each individual, even if that person only needs access to a single file or application. This breadth of access is problematic when businesses need to provide access to mobile employees, partners, contractors and vendors via the Internet. More critically, perhaps, is that this approach flies in the face of a critical security tenet of “least privilege,” which calls for users to be able to access only the information and/or resources they legitimately need to do their jobs.

Secure access becomes even more important with increasing use of the cloud. Companies need to bring in more users from the outside, via the Internet, into the clouds they use to host applications. Because all users are relying on the Internet to gain access, the security risk increases and conventional security methods are rendered ineffective.

But securing initial access is only the first step. After access is granted, monitoring of the user’s activity is needed to ensure seemingly good users have not been compromised. The recent Stagefright Android vulnerability showed how any user’s device can be silently taken over increasing the risk that malicious activity could ride on an authorized connection.

Here are the key steps organizations can take to ensure a high level of security:

– View Each Individual as Untrusted from the Start: Today’s sharing economy has created the need for organizations to provide a host of individuals – from their own employees to contractors, vendors and other partners – with access to corporate applications and network resources regardless of where they are physically located. While it may seem counterintuitive to think you can’t trust those you hire or work with, it’s important to remember that one lost password or stolen device can open your network to someone who you never intended to provide access. It’s safer to assume anyone accessing a network cannot be trusted, and proceed with caution in what they are allowed to see. In practice this means not trying to establish a-priori trust by installing clients or certificates on devices. Trust is transient and needs to be re-established on each access attempt via access policies and multifactor authentication.

– Limit Access Using Selective Criteria: To prevent users from accessing more than they need, organizations must maintain granular control over their resources. The scalability of the cloud makes it easy to deliver application-level security as a service. Operating independently and outside of an organization’s network resources, a cloud-based application security solution can effectively create an air gap between corporate infrastructure and the Internet. This approach also enables organizations to integrate data path protection, identity access, application security and management visibility, allowing only authenticated users to be granted access to the resources they need. By doing this, access is secured using identity-based management and fortified controls, and can be applied in the same manner across all network resources – whether they’re in a variety of private and/or public clouds, or on the customer premises.

– Adopt a Deperimeterization Model: With changes to the IT environment and greater use of the cloud, organizations are losing visibility into network activity and control over how users are accessing network resources because conventional access control solutions do not seamlessly extend into the cloud. Not only must the initial access be locked down, but the activity of the user after access is granted needs to be monitored and secured. Organizations must adopt new deperimeterization approaches to protect their systems and data on multiple levels. These approaches mix the capabilities of the old network perimeter – encryption, secure transmission protocols, application-level access, and securing the data path between the user and the resources they are accessing – to create separation and isolation between the Internet and corporate resources, and protect in case a seemingly good user acts in a bad manner.

Trusting no one and moving to limit access are becoming de facto practices used by major organizations as they move some or all of their IT resources to the cloud. Google outlined its approach, referred to as BeyondCorp, in a December 2014 white paper entitled “BeyondCorp: A New Approach to Enterprise Security,” which noted that “[w]hile most enterprises assume that the internal network is a safe environment in which to expose corporate applications, Google’s experience has proven that this faith is misplaced. Rather, one should assume that an internal network is as fraught with danger as the public Internet and build enterprise applications based upon this assumption.”

In a similar effort, earlier this year, Coca-Cola Co. joined forces with Verizon Communications Inc., Mazda Motor Corp. and other members of the Cloud Security Alliance (CSA) to develop specifications for a solution that uses virtualization for a software defined perimeter (SDP). In a blog, “Coca-Cola Looks to Secure Edge for Age of Cloud, Mobility,” the CSA project participants told the Wall Street Journal that “[t]his structure prevents the theft of passwords and tokens, and helps protect against distributed denial of service attacks or complex hacks in which cybercriminals move laterally through corporate networks to breach systems that harbor intellectual property or credit card numbers.”

BeyondCorp and the CSA’s efforts are just the start of addressing this critical security issue. These two initial efforts to adopt a new model for user trust and secure access are huge steps in the right direction, but more developments are needed to provide a complete model for securing the interaction between user and applications once access is granted.

The bottom line as you approach security in the cloud-based environment: No user should be given more access than they realistically need, so organizations must turn their traditional thoughts about trust upside down to ensure that their networks remain secure.

About the Author

Rob Quiros is vice president of Marketing and Products at Soha. As an industry veteran, Quiros is no stranger to driving transformational innovation. Most recently he was vice president of Product Management at Riverbed Technology, where he led the company’s flagship Steelhead Product line from shortly after initial release to more than $750 million in annual revenue. Earlier in his career, Quiros headed up Cisco’s 7500 Router product line for ISPs and grew the business to $1 billion in annual revenue. Quiros earned an M.B.A. from University of California, Berkeley’s Haas School of Business and Master’s and Bachelor’s degrees in Electrical Engineering from the University of California, Berkeley.