Using Legacy Security For Cloud-Transformation Is Not Working
Who’s in your wallet?
This month’s epic security failure at Capital One tells a story about how two of the arguably most technically literate and digitally advanced U.S. corporations failed to secure customers’ data. The same story will certainly repeat at companies that are less technically advanced.
The lesson is clear: you cannot digitally transform apps using legacy technology tools and legacy security models of the data center.
Traditional security products were built to protect Fortune 1,000 firms from intrusion. In many ways, they were like a wall around the castle. They prevented penetration and kept bad actors “outside”.
Then came the web.
In the web application world, in which we all live, bad actors come in via web-based, customer-facing applications. Hence the stories about Equifax, TJ Maxx and Target. These were career-ending experiences for those involved.
Then came cloud hosting.
Cloud hosting brought the promise that applications could be transformed to run in the cloud and that security issues would be someone else’s problem.
The word “transformed” should mean that something has fundamentally changed. However, applications in the cloud are often the same old application running in someone else’s data center without anything being fundamentally different.
Moving apps to someone else’s data center, running them on a cloud provider’s proprietary value-added services, and protecting them with the same security technologies one used in a protected, owned, secure data center has failed and will continue to fail.
You cannot be more secure than your underlying infrastructure. Legacy security infrastructure was built for data center-centric applications, not for the deployment and operational realities of the cloud.
As long as a legacy security approach is used, security failures will continue and more CIOs and CISOs will have their careers ended and lives upended as USA Today reports their breaches to their unsuspecting customers.
Security models that worked in the data center are now, quite inarguably, obsolete in the cloud. Just ask the former security team at Capital One.
What are the characteristics of the new security model that works in the cloud environment?
The first absolute necessity is that it assumes there will be network penetration. There always is. There are no castle walls anymore. The new security model has to assume that “normal” network operation includes a compromised network.
Another assumption is that the apps will always be exposed to the web where bad actors are looking to cause harm.
Exposed applications and compromised networks mean it is essential that the security infrastructure and the transformed applications eliminate the ability of bad actors to do an “east-west” sweep: moving laterally from one compromised foothold to see all the data for all the customers. That is what gets the headline in the national papers.
Transformed applications have certain required characteristics. Among them is the use of microservices.
Transformed apps built on microservices must take advantage of their inherently distributed nature and apply data microsegmentation at every level of the system: the node level, the process level, and the actual data level.
Microsegmentation of data, tied to multiple levels of encryption and distributed data storage, ensures that when there is a system penetration, the bad guy gets a record or a few records, not the entire database.
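The key hierarchy behind “multiple levels of encryption” can be made concrete. The following is an added example, not code from the article or from any product it mentions: a master key derives a key-encryption key per customer, every record gets its own data key wrapped under that customer’s key, and a blast-radius function counts how many records a given leaked key can actually decrypt. The cipher is a stdlib HMAC-based stand-in for AES-GCM, and the customer names and records are constructed sample data.

```python
import hashlib, hmac, secrets

# Toy authenticated cipher from HMAC-SHA256 (keystream plus tag), stdlib only.
# It stands in for AES-GCM; the point here is the key hierarchy, not the cipher.
def _xor_stream(key, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)
def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()
def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return _xor_stream(key, nonce, ct)
def customer_kek(master_key, customer_id):
    # Level 2: one key-encryption key per customer, derived from the master key.
    return hmac.new(master_key, b"kek:" + customer_id.encode(), hashlib.sha256).digest()
def store_record(db, master_key, customer_id, plaintext):
    # Level 3: a fresh data key per record, wrapped under that customer's KEK.
    dek, kek = secrets.token_bytes(32), customer_kek(master_key, customer_id)
    db.append({"wrapped_dek": seal(kek, dek), "blob": seal(dek, plaintext)})
def _can_read(rec, key):
    # A leaked key might be this record's DEK, the owning customer's KEK, or neither.
    for blob in (rec["blob"], rec["wrapped_dek"]):
        try:
            unseal(key, blob)
            return True
        except ValueError:
            pass
    return False
def records_readable_with(db, leaked_keys):
    # Blast radius: how many records a holder of `leaked_keys` can decrypt.
    return sum(1 for rec in db if any(_can_read(rec, k) for k in leaked_keys))
def demo():
    # Constructed sample: two customers, five records, one master key.
    master, db = secrets.token_bytes(32), []
    for cust, rows in (("alice", 3), ("bob", 2)):
        for n in range(rows):
            store_record(db, master, cust, f"{cust} card {n}".encode())
    one_dek = unseal(customer_kek(master, "alice"), db[0]["wrapped_dek"])
    kek_a, kek_b = customer_kek(master, "alice"), customer_kek(master, "bob")
    # Leaked record key -> 1 record; one customer's KEK -> 3; both KEKs -> all 5.
    return tuple(records_readable_with(db, ks) for ks in ([one_dek], [kek_a], [kek_a, kek_b]))
```

The counts show the property the text asks for: a compromised node that holds one record key exposes one record, and only a holder of the master key, or of every customer key, can read the whole database.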
Moving to the cloud means all one’s security assumptions must change. There may be criminal employees at the cloud vendor. Vendor employees may want to sell data to bad actors. Firewalls or other legacy security systems may be improperly updated and thus left open.
A security architecture tied to these realities and to the strengths of the cloud, namely distributed architecture and microservices, is the only way to assure a good night’s sleep for a corporate CISO who has chosen a cloud solution.
By Jay Valentine www.Cloud-Sliver.com
Reprinted from Software Executive Magazine OnLine