SAN FRANCISCO -- Security experts discussed the state of cloud privacy and security at RSA Conference 2015, arguing that while major improvements have been made, serious concerns remain.
In a session Tuesday titled "Security and Privacy in the Cloud: How Far Have We Come?" panel moderator John Pescatore, director of the SANS Institute, asked representatives from Microsoft and Google how their companies have improved cloud security and privacy standards for both users and employees over the last year. Bret Arsenault, vice president and CISO at Microsoft, said Microsoft has given its own employees who use cloud services more transparency and control, through efforts such as enhanced APIs for managing those services and gaining visibility into them.
Arsenault also said Microsoft uses Hewlett-Packard's ArcSight as its security information and event management (SIEM) platform, and that Microsoft feeds data from both the Azure platform as a service and the Office 365 apps into the SIEM. In addition, he said, Microsoft is going to greater lengths to make sure the people running cloud services on behalf of Microsoft aren't gaining access to user data on the back end.
Eran Feigenbaum, director of security for Google at Work, said Google has made inroads in three areas over the last year. The key area, he said, was improving transparency and increasing the amount of information given to users about how their data is used and who can see it. The second was Project Zero, Google's effort to identify vulnerabilities (which has been a source of controversy in recent months with regard to responsible disclosure). The third area, which Feigenbaum said "is still a big problem," is authentication.
"As much as we hate to admit it -- and we're smart security professionals here -- a lot of this comes down to stealing the user's credentials," Feigenbaum said, adding that Google this week introduced new USB keys to provide two-factor authentication for Google at Work services.
Bruce Schneier, security researcher and CTO at Resilient Systems in Cambridge, Mass., offered the security vendor perspective and said that improved transparency is a key component for the cloud. "The question to ask," he said, "is not, 'Is the cloud service secure?' but, 'Is it more secure than what you can do yourself?' And a lot of that comes down to transparency. The more you know about the services you use and the more you understand them, the better you can make that decision."
Schneier also said the benefit of the cloud is that customers can get a level of security -- either through the cloud provider itself or via cloud-based security products -- that they probably can't otherwise afford because cloud providers can amortize the cost of providing security across the customer base.
"That really is the decision you're making as a business -- how can I get this level of security in the most cost-effective means possible?" Schneier said. "And for a lot of answers, it's going to be cloud."
Threats to cloud privacy and security
The panelists agreed that despite major improvements in the security of cloud services, as well as cloud-based security products, there are numerous threats targeting not only cloud credentials, but also private and enterprise data stored in the cloud.
Schneier said defending against threats depends on who the adversary is. For example, nation-state hackers from China will target Google because they want the company's vast user data, but cybercriminals won't bother with trying to hack Google, which is well-protected, to obtain credit cards; instead, they will just focus on easier targets with the lowest security barriers.
On the subject of threat actors, the panelists also discussed intrusions by governments, including the U.S. federal government. Schneier said that while the government can be considered an attacker in some cases, most corporate users don't care if the government sees their data. "I worry not about illegal access but legal access," Schneier said. "I worry about the companies that have my data looking at my data. The risk is the legitimate access, whether it's government access or corporate for-profit access."
Feigenbaum said cloud providers are "pushing the envelope" about what companies like Google are divulging regarding government requests in their transparency reports. But he said cloud providers have to be mindful of potential government threats as well. "Anybody that's trying to get in unlawfully I would consider [a threat]," he said. "If we're seeing this from other governments, then I'm not surprised we're seeing this from the U.S."
Arsenault said Microsoft believes it shouldn't have to hand over data without proper legal order or user consent and referenced the case involving a U.S. Department of Justice court order to obtain a Microsoft customer's emails that were stored in a data center in Dublin, Ireland. Microsoft has argued that the request for the emails should go through the Irish government and that U.S. law enforcement should respect data sovereignty -- even in the cloud. "We're going to continue to fight that battle," Arsenault said.
To better protect cloud users, the panelists recommended several steps. First, they urged the adoption of multifactor authentication for users and especially for admins. Both Feigenbaum and Arsenault encouraged the audience to explore next-generation authentication and credentials built on technology and standards like those of the FIDO Alliance. "We've got to get rid of passwords," Arsenault said.
Second, cloud providers should raise the default security offerings for cloud services rather than making better security something customers have to opt into.
"If the cloud providers raise the defaults, we're all going to do better," Schneier said. "If they keep the defaults low because of the fear that they're going to lose customers because customers won't like [the security measures], then we won't benefit."
Finally, the panelists recommended that enterprises explore cloud provider security and cloud-based security services, which have rarely been hacked directly. Arsenault said many of the common sources of breaches involve things like software patching issues and identity traversal, so standard protection measures such as two-factor authentication can go a long way. "If you really look at the preponderance of breaches that have happened," Arsenault said, "they still tend to be basic things."