Secure cloud doesn’t always mean your stuff in it is secure too
Warning from AWS and Unisys folk
IPExpo “Picking a secure cloud partner is not as trivial as it may seem. Don't assume that because the cloud is secure, your business within the cloud is secure,” Unisys’ chief trust officer Tom Patterson said today.
Alongside Patterson and giving a joint keynote speech about lowering costs and risks in the cloud this morning was AWS’s Wayne Phillips, the firm’s head of public cloud in EMEA.
“The advantages of public cloud,” said Phillips, “are that it gives you better security monitoring and analysis than your own data centre, as well as DDoS management, redundancy and resilience.”
Workloads moving into the cloud are now a fact of life, and security technology has stepped up to the plate to help build customer confidence, the duo said. It’s not as easy as just picking a secure cloud platform, however, as Patterson warned: “You have to secure your workload.”
When malware enters your network - and, as he told El Reg earlier today, it’s almost always a “when” rather than an “if” - the first thing it does is “map out your network, using tools such as Nmap.”
“Someone, somewhere, is going to click on that [bad] thing,” he said, referring to the average user’s enthusiastic glee for opening the sort of attachments that would have a clued-up sysadmin reaching for the flamethrower.
Microsegmentation - segmentation, but right down to the device level - is the way around this, he said, highlighting Unisys and AWS’ tie-up around the former company’s Stealth product.
Phillips added: “What we’ve seen with the first generation utilisation of the Amazon cloud is people lifting and shifting; people who want to see some improvement in operational efficiency. What Tom is talking about here is transformation, complete with the compliance and agility benefits that the cloud has.”
He made the point that AWS now features 54 services, “having started life with just compute and storage”, and that this makes it “compatible with what developers want”, including tools such as Puppet and Chef.
“If you encrypt in motion,” said Patterson, “you don’t need to audit. Microsegmentation supports that,” he continued.
By way of example, Patterson spoke about how Stealth was used for a US defence-focused community website. Instead of giving it root access to a local server, they moved it to AWS and used microsegmentation to separate control and database workloads. This also let them add encryption-in-motion for all traffic on the site.
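The control-versus-database separation Patterson describes, modelled as a small added example (not code from the article, Unisys or AWS): a flat configuration beside a microsegmented one, with a checker that flags a database port reachable from anywhere or a plaintext listener at the edge. The security group names, the PostgreSQL port and the rule shape are assumptions for illustration.

```python
# Added example (not from the article or from Unisys/AWS): a small model of
# microsegmentation for an AWS-hosted site, with the control (application) tier
# and the database tier in separate security groups. Group names, ports and the
# rule shape are assumptions for illustration only.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    group: str    # security group the ingress rule belongs to
    port: int
    source: str   # another security group id, or a CIDR such as 0.0.0.0/0


DB_PORT = 5432                 # assumed PostgreSQL listener
PLAINTEXT_PORTS = {80, 21, 23}  # listeners that carry traffic unencrypted

# Constructed "before" configuration: flat network, database open to the world.
FLAT = [
    Rule("sg-web", 80, "0.0.0.0/0"),
    Rule("sg-web", 443, "0.0.0.0/0"),
    Rule("sg-db", DB_PORT, "0.0.0.0/0"),
]

# Constructed "after" configuration: the database accepts connections only from
# the control tier's security group (segmentation by workload identity rather
# than by IP range), and only an encrypted listener is exposed at the edge.
SEGMENTED = [
    Rule("sg-web", 443, "0.0.0.0/0"),
    Rule("sg-db", DB_PORT, "sg-web"),
]


def sources_for(rules, group, port):
    """Set of sources allowed to reach `port` on security group `group`."""
    return {r.source for r in rules if r.group == group and r.port == port}


def findings(rules):
    """Return policy violations as short strings; an empty list is compliant."""
    out = []
    for r in rules:
        # Database tier must be reachable only from another security group.
        if r.port == DB_PORT and not r.source.startswith("sg-"):
            out.append(f"{r.group}: database port {r.port} open to {r.source}")
        # Encryption in motion: no plaintext listener anywhere.
        if r.port in PLAINTEXT_PORTS:
            out.append(f"{r.group}: unencrypted port {r.port} exposed")
    return out
```

Running `findings(FLAT)` reports both the world-reachable database port and the plaintext listener, while `findings(SEGMENTED)` returns nothing.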
“2016 is the right time to be looking to do it. We’ve integrated our controls so you only have to do it once,” urged Patterson. ®