Redundant cloud security controls creating headaches

Trend Micro's Mark Nunnikhoven said enterprises are often forced to deploy distinct cloud security controls for each type of service they deploy, making security unmanageable.

SAN FRANCISCO -- It's not often that an information security expert will complain that there are too many cloud security controls within enterprises, but that's exactly what Trend Micro's Mark Nunnikhoven did during a presentation at RSA Conference 2016.

Nunnikhoven, vice president of cloud research at Trend Micro, discussed the challenges of defending cloud services Monday during the Cloud Security Alliance Summit at RSA Conference. The biggest problem for security administrators, he said, is being forced to deal with layers of redundant cloud security controls devoted to each specific IaaS, PaaS and SaaS offering.

"Ideally, you would have security controls for each of these. Unfortunately, they tend to be unique security controls, so it's not like you have one security control platform or product that you're using to protect all of these," Nunnikhoven said. "And unfortunately it's rare that you have one per delivery. So you tend to end up with almost a one-to-one ratio for cloud services and security tools to defend that cloud service. This is the reality of what we have built."

Why the woes?

Part of the problem, according to Nunnikhoven, is that cloud security controls are often designed and marketed for very specific needs. "So when you talk to a particular vendor -- and I work for a vendor, so we're guilty of this as well -- they will frame the problem very narrowly around what they have designed the solution to solve," he said, citing examples of branded cloud security controls for specific SaaS offerings like Office 365 or Salesforce.

But Nunnikhoven said this creates a problem for enterprises, which have to spin up individual cloud security controls for each cloud service they use. "That is not a good thing. It's not sustainable," he said.

If you have one thing you can buy or spend your money on this year in cybersecurity, invest in centralized monitoring.

And the problem isn't easily fixable, according to Nunnikhoven. While various vendors and industry groups are working on open APIs to make disparate cloud services and various cloud security controls more mutually compatible, he said the results are a long way off.

In addition, Nunnikhoven said enterprises can't rely on the customized dashboards for each individual SaaS, because although those dashboards look great, it's not feasible to manage different versions for each cloud application in the enterprise. "When you have 50 of those [dashboards] to manage, they're not so hot anymore," he said.

Headache relief: Centralized monitoring

But there are some ways to alleviate the headaches caused by repetitive cloud security controls, starting with deploying some kind of centralized management system that can present a view of all cloud services in use. "If you have one thing you can buy or spend your money on this year in cybersecurity, invest in centralized monitoring," Nunnikhoven said. "Invest in your team so they can understand the data they are seeing."

Nunnikhoven also offered other steps to shore up SaaS security. He suggested starting with developing strong security policies for vetting and adopting new cloud services. Providing education and awareness training around proper usage of cloud applications is also key. Finally, Nunnikhoven recommended increasing the responsiveness of IT departments for approval of cloud apps to reduce the number of employees using shadow cloud apps.

Next Steps

Cloud providers and users are responsible for data security in the cloud, but who's accountable for what?

Cloud computing service providers are bulking up their offerings to protect customer data.

Learn more about the CSA's security guidelines for government agencies deploying cloud services.

Dig Deeper on Cloud Security Services: Cloud-Based Vulnerability Scanning and Antivirus