Charney: Cloud computing transparency, control key to better security

At RSA Conference 2015, Microsoft's Scott Charney said cloud security products are the future, but to gain the trust of enterprise customers, they need to offer better cloud computing transparency and control.

SAN FRANCISCO -- At the 2015 RSA Conference, a top Microsoft security executive touted the bright future of cloud security products, but acknowledged that in order to gain the trust of enterprises, Microsoft and other cloud providers must offer them more cloud computing transparency and control.

Scott Charney, Microsoft's corporate vice president for Trustworthy Computing, addressed the RSAC today and said the oft-cited infosec pain point of limited resources and staff, especially for small and medium-sized businesses, could be reduced by the move to the cloud, and this could ultimately lead to better security overall.


"One of the best things about the cloud is that security staff gets consolidated," Charney said. "We haven't been able to scale security to the entire world; we don't have the people to do it."

Michael Versace, research director for global risk and security strategy at IDC, based in Framingham, Mass., agreed with this thesis, but said that the benefits could be more far-reaching than that.

"We absolutely need to see cloud as a security solution for many businesses, not just medium-sized firms or small businesses," Versace said, "but in many ways the largest institutions that can't scale their own security infrastructures really need to scale out the risk, scale it up, and the cloud is part of that solution."

One of the troubles from a security standpoint, according to Charney, is that attacks have moved from opportunistic to more advanced persistent threats, and have become more destructive as well.

"Breaches can have a huge impact, but it may not be an immediate impact," Charney said. "Attackers can steal customer data and slowly siphon them off over years. Destructive attacks change the conversation. Destructive attacks stop you from doing your daily business."

Charney said the move to the cloud has begun in earnest, but security controls and transparency are needed to improve customer trust and ease the transition.

Charney said that the relationship between vendors and customers has been changing, with customers and users contributing more data back to vendors, and the overall aim moving from risk elimination to risk mitigation.

He also noted that customers feel happier when they have more control and transparency, and that customers are asking for cloud services to mimic security products found on-premises, which often amounts to giving more control over services in the cloud environment.

Charney said that one possible way to offer control is to give customers control over revoking keys, thereby limiting access to cloud services. Other options are just-in-time administration, where customers can give out tokens to escalate a user to admin access for a limited time, and just-enough admin controls, which limit the access levels of users.

Transparency is the other key, according to Charney, because this helps ensure cloud provider accountability. Offering the customer control over giving a vendor access to a cloud environment is one thing, Charney said, but it is far better when that same customer has logs detailing who requested access, when it was given and what actions were taken.

Ultimately, Charney said, security will only advance as far as the market demands it to.

"The market has woken up -- markets create demand, and those who build technology rise up to meet demand," Charney said. "The markets will create security that the market demands, and vendors will do a bit more. The cloud will be key, but we need trust boundaries to give users faith."
