Research giant Gartner Inc. forecasts that the bulk of enterprise IT spending will be put toward cloud environments by 2016. As cloud adoption among enterprises continues to tick up steadily and different departments take advantage of cloud services without prior authorization, IT security teams can no longer ignore the risks associated with cloud environments. Just what are the most pressing cloud security risks, though? According to Dave Shackleford, founder and principal consultant of Voodoo Security, data encryption and key management are at the top of the list.
"Encryption is a tough topic. But when you really look at the more mature organizations that have been doing encryption for a while that have a real business-critical need to use it," said Shackleford, "they tend to have hardware key management platforms or hardware-based key modules, and we're seeing those in the cloud now."
In this interview, recorded at the 2014 RSA Conference in San Francisco, Shackleford details how to properly implement cloud encryption and mitigate some of the other threats enterprises are likely to encounter in cloud environments. But there are also cloud security advantages, Shackleford noted, as there are many security tasks that can be automated in cloud environments, representing a huge opportunity for organizations forward-looking enough to grasp it. For instance, if an organization were to deploy one Windows server into the Amazon cloud, it could have up to 5,000 potential configuration items that could be put into practice.
"If you go read hardening guidance for that server, many of those may easily be applied, but how do you do that at scale?" said Shackleford. "Great, great use case for [cloud-based] automation right there."