momius - Fotolia

Secure cloud hosting: Why taking ownership is crucial

Chase Cunningham of Armor spoke with SearchCloudSecurity at RSA Conference 2016 about the value of secure cloud hosting services, threat intelligence and more.

Cloud hosting can be a tricky proposition for enterprises, but one company is hoping new approaches to secure cloud hosting could make it more enticing for businesses.

Armor Defense Inc., formerly FireHost, is taking one such approach by owning the entire enterprise cloud stack -- from top to bottom -- while, at the same time, offering its cloud security products and services to nonhosted customers, as well. Previously, the Richardson, Texas-based cloud security startup focused primarily on hosting. But last year, the company rebranded itself as Armor and introduced a new offering, dubbed Armor Anywhere, which provides patch monitoring, vulnerability scanning, threat intelligence and other features to enterprises using third-party cloud services instead of the Armor Complete hosting service.

Chase Cunningham, director of cyberthreat research and innovation at Armor, spoke at RSA Conference 2016 last month in San Francisco about the timeline and progression of modern cyberattacks. Cunningham, who previously served in the U.S. Navy and National Security Agency in information security roles, spoke with SearchCloudSecurity about his company's approach to secure cloud hosting, the most pressing threats and obstacles facing enterprises today, and why the cloud may be a better and more secure alternative for enterprises that are running on-premises infrastructure. Here are excerpts from the conversation at RSA Conference 2016:

How does Armor handle cloud hosting security in a way that's different from other companies?

Chase Cunningham: Armor's basic proposition is to have the most secure cloud hosting possible. And we do that by actually controlling the entire cloud stack, including the hypervisor.

Why is that important?

Cunningham: When we own the entire stack, then that allows us to secure it and maintain it the way it should be. We recently migrated a customer over and discovered that they had malware in every virtual machine in their infrastructure. And they had no idea. And 99% of the time, the issue with customers like those is they have an application in their infrastructure that hasn't been patch or updated, and it was exploited. Our onboarding process is extremely thorough, so before we deploy a client, we validate all user access, and patch and update all of the software and applications and other things to make sure there are no holes.

But you don't own the applications once the client's cloud is deployed, so what do you do in those situations where an existing client isn't regularly patching their applications?

Cunningham: We'll fire a client if they don't start patching their apps. It's in our terms of service. And most of the time, probably eight or nine times out of 10, they'll say OK. But sometimes, they refuse to patch their applications, because those updates will disrupt the entire system and they'll lose money. Well, they're going to lose money, too, if they get hacked. And they're a threat to us and other customers if they don't patch and keep allowing themselves to be hacked.

How so?

Cunningham: You can't jump from one client's environment to another, so that's not the issue. But if a bad guy is able to constantly get a shell running on one client and sharpen his attack, then he's going to figure out how to do it to other clients. And we take that very seriously. So, we'll fire a client if they don't patch their software.

Since you own the hypervisor, are you concerned about potential issues there in light of the security updates for the Xen hypervisor?

Cunningham: Well, first of all, we use VMware in our environments, so Xen isn't an issue for us. There's more of price issue with VMware, because, obviously, it's proprietary software, but it's the better choice for us. Xen is OK, but you look at the issues it's had recently, and the fact that it's open source and hackers can take it and poke holes in it, and that concerns me. How secure can it be out in the open like that? I'm a little paranoid about [open source software], but maybe that's because I come from a military background and I know how bad the threats are out there. And they're really bad. And I don't think companies are doing enough to stop those threats.

Why do you think that is?

The problem with people in the enterprise is that they think technology will save them. And it won't. You can't spend your way out of the problem.
Chase Cunninghamdirector of cyberthreat research and innovation at Armor

Cunningham: The problem with people in the enterprise is that they think technology will save them. And it won't. You can't spend your way out of the problem. And you can't just buy technology hoping it will fix the problem. You need people to operate it, and who know what they're doing and can identify the threats. Companies need to understand something very simple, too: The bad guys aren't after 99% of your network. They're after 1% of it. So, figure out what that 1% is and what the assets are, and lock them down. It doesn't matter if hackers can get into your network and the entire Chinese Army is sitting on your mail server -- if you encrypt the data, tokenize it and use things like two-factor authentication and build up that protection, then you can keep data safer.

In your experience, do enterprises feel like the cloud in general offers more security than a traditional on-premises environment?

Cunningham: I think it's getting there. Certain types of companies already recognize that cloud services can give them better security than what they can do themselves. Financial services clients, like banks and credit card companies, are doing more cloud hosting, because they know the benefits of cloud security. They know companies like ours have the kinds of security measures -- things like monitoring, compliance, threat intelligence -- to help protect them in the cloud. Other industries are starting to recognize the security benefits of the cloud and are moving that way, too.

How does Armor's threat intelligence work?

Cunningham: Our threat intelligence service pulls in data from about 50 separate sources externally and combines it with what we're seeing from our customers. And it's extremely valuable data, because you can focus on the most important threats and adjust things as needed, rather than trying to prepare for everything. And we're working on a way to use machine learning, so that the [threat intelligence] system learns from the data it's receiving and understands it better. So, I can do the work of a 40-man SOC [security operations center] with six people.

Why aren't more enterprises using threat intelligence? It feels like it's a big topic in the infosec industry, yet the adoption doesn't really reflect that. Why do you think that is?

Cunningham: Because they're not doing it right. threat intelligence is something you do, not something you get. You can't just have a bunch of threat intel giving you data, and then not have ways to make sense of the data. If you don't have the right people and you don't know how to analyze the intel and make the right calls, then it doesn't work.

So, based on your experience, what are you seeing from the threat intelligence lately? Are there any trends or patterns emerging?

Cunningham: We see a lot of the same attacks over and over again. You can tell what types of attacks are being committed by which groups a lot of times, because a lot of times, the attacks are very specific. And you see a lot of the same attacks on verticals using the same, specific methods. For example, certain groups go after healthcare companies a lot, and they use pretty much same methods again and again. But now, we're starting to see groups use different methods and change things up. And that's a problem.

Next Steps

Learn more about security considerations for Docker hosting

Discover the risks for the different types of cloud services

Find out why cloud malware is a growing problem for CSPs

Dig Deeper on Cloud Computing Infrastructure as a Service (IaaS) Security