SAN FRANCISCO - Several of the leading cloud service providers in the industry, including Amazon Web Services, Google and Microsoft, discussed key security issues from the provider perspective at RSA Conference 2015.
A panel discussion, held during the Cloud Security Alliance's Summit at RSA, featured security heads of several top cloud service providers, or CSPs, including Jerry Cochran, principal security engineering manager for Microsoft Office 365; Eran Feigenbaum, director of security for Google at Work; Patrick Heim, head of trust and security at Dropbox; Brian Kelly, chief security officer at Rackspace; and Chad Woolf, global risk and compliance leader for AWS.
The panelists were asked by moderator Jim Reavis, co-founder and CEO of the CSA, about enterprise security lessons and trends from the CSP perspective. Cochran said when he took on his current role two years ago, many customers would make a major change -- such as installing Office 365 -- and only ask him questions afterwards, when a security incident or compliance issue arose.
"The trend I'm seeing that's different now is our tenants and our customers coming to us before they onboard," he said. "They're asking, 'How are we going to deal with compliance? How are we going to deal with incident response? Where do I get the logging data that you have and I don't?' They're starting to ask those questions earlier, and that's a great thing."
Feigenbaum said enterprises have moved past deciding whether or not they want to use cloud to deciding which types of cloud services and which specific cloud provider they should use. Now customers are becoming familiar with issues around data residency and regulations, he said. Heim agreed and said that "customers are getting more sophisticated" about cloud services and related security concerns.
Woolf said more enterprises are using the cloud for security purposes today. "We see a lot of customers getting a big bump in the security realm from using a cloud provider," he said, "and that's because we're building in more of the security into the services themselves."
Kelly said the good news is there are a lot of choices for consumers of cloud services, and cloud providers are acting more like advisors to help guide enterprises through the adoption process. But the challenge, Kelly said, is finding better ways to provide cloud security. "I still believe that we apply a lot of yesterday's security technologies to tomorrow's challenges," he said, "and we've got to break that mold."
Cloud security: Whose responsibility is it anyway?
One of the major topics for CSPs and their clients is the difficulty in figuring out who is accountable for what security measures and controls. Heim said that platform and infrastructure providers take on a lot more collective security accountability for everything above the virtual machine layer. But with software as a service (SaaS) and cloud apps, the customer becomes more responsible for things like access control and monitoring.
"The nature of the demarcation points [for responsibility] is different depending on the cloud service," Heim said, adding that risk assessments for cloud providers should identify those specific points for all the cloud services an enterprise consumes.
Responsibility becomes a hot topic, Feigenbaum said, when a security incident occurs; too often, it's unclear what the response process is. "When something happens, whose responsibility is it, and how do you know?" he said. "We haven't, as an industry, gotten really good at practicing incident response."
As an example, Cochran said that when many customers move their Microsoft Exchange email to the cloud, the enterprise incident response teams no longer have access to Exchange logs. Therefore, enterprises and the cloud providers themselves need to review those kinds of scenarios to develop a proper incident response plan.
Cloud security threats and protection
The discussion turned to current cloud security threats and how best to mitigate them. The panelists largely agreed that the theft of cloud account credentials is a major problem for enterprises.
"In the SaaS space, the vast majority of incidents are around credential theft," Heim said. "It's not super-sophisticated threats against the cloud providers themselves. It's that [attackers] are trolling for credentials."
Heim encouraged the audience to turn on multifactor authentication for everything within their control to better protect credentials. In that vein, Woolf encouraged the audience to also turn on logging services. "We're producing -- us as providers -- more and more capabilities to log things," he said, "but I'm finding a lot of times customers aren't even turning them on."
Cochran said it should be incumbent upon the CSP to inform customers about new security tools and services and encourage adoption. "It's also about holding us as cloud service providers accountable," he said. "As we come out with new features, we have the responsibility to make you aware of them, tell you how to use them, and document them. We also need to hear about what's missing."
Feigenbaum argued that CSPs should turn optional security services on by default rather than expect clients to do it themselves. "I think it's actually our responsibility as cloud providers to, by default, turn on [these services] and give you most secure environment and give you as much detail as we think you need," he said.
Kelly said it's vital that CSPs be more collaborative with clients about their cloud security programs and understand each individual business so they can better understand usage patterns and identify potential anomalies and threats. In some cases, he admitted, Rackspace has had to "take action" against clients engaging in bad security behavior that was putting other Rackspace clients at risk, though he didn't specify what the behavior was.
"As cloud providers … there are opportunities for us to go deeper [with customers]," Kelly said. "It's no longer do-it-yourself. It's really a do-it-together."
Challenges aside, Woolf said the recent cloud security improvements from CSPs have helped make the cloud a more secure and manageable option for enterprise data. "Eventually, people will believe that the cloud will be a better place for regulated and sensitive data."
Magi Diego, senior solutions marketing manager at Intel Security, attended the panel discussion and said she was impressed by the willingness of the cloud providers to set aside competitive differences and tackle some of the security problems they face.
"I thought it was great that the CSA had all of these competitors in one place to talk about the issues," Diego said. "I thought the comments about incident response and how it's lacking at the provider [level] was very interesting, and I liked how they acknowledged areas that need to be improved."