These days, hackers hide behind every corner and wait for an open door. Employ continuous security monitoring and testing for all cloud models, including serverless computing.
With high-profile data breaches often in headlines, cloud security threats are a top concern for enterprises. And, given the fast-paced and self-service nature of cloud computing, IT teams need to adopt a more proactive and continuous security approach.
Cloud security constantly evolves, and enterprises need to stay up to date. Information security spending, in general, is expected to reach $90 billion in 2017, an increase of 7.6% over last year, and will top $113 billion by 2020, according to Gartner.
"Security is kind of like whack-a-mole," says David Linthicum, senior vice president of Cloud Technology Partners, a cloud consulting firm based in Boston. "You're always patching vulnerabilities, and it's ongoing."
In a recent podcast, Linthicum and Zohar Alon, CEO and co-founder of Dome9 Security Ltd., a provider of cloud security management as a service, based in Mountain View, Calif., discuss recent cloud security topics ranging from data breaches and continuous monitoring to serverless computing.
What lessons can cloud admins learn from recent data breaches?
Enterprises produce vast amounts of data and, through the deployment of cloud services, new vulnerabilities and attack surfaces can arise. With data breaches constantly in the news, such as those at Home Depot, Target and the Democratic National Committee, enterprises should strive to provide the best protection from cloud security threats.
"Hacking is a business now," Alon says. "When the other side can benefit from it financially, [and] quite easily now with Bitcoin, it's not surprising to see those [hacking businesses] emerge [and see] ransomware all over the place."
Cybersecurity Ventures, a research firm based in Menlo Park, Calif., predicted cybercrime will continue to rise and cost businesses more than $6 trillion annually by 2021. While some hacked systems are "cloud-related," Alon says they aren't necessarily in an Amazon Web Services (AWS) or Azure environment. Often, data breaches on hosted IT systems come from poor networking practices or human error.
For those who do experience cloud security threats or attacks, it's important to be open with customers and stakeholders, and to take responsibility for the incident immediately, Alon says. [11:50 -- 15:49]
What can enterprises do to protect against cloud security threats?
Zohar AlonCEO and co-founder, Dome9 Security
The internet of things, big data and other emerging technologies continue to drive data growth. And, with a lot of that data now hosted in the cloud, top public cloud vendors, as well as third-party companies, offer new security services to meet enterprises' needs. But cloud security shouldn't be a set-it-and-forget-it approach; security teams need to monitor the cloud constantly.
"[The bad guys] knock on every door and window that you have every couple of seconds," Alon says.
"The minute there is a slight crack and an opening there, you'll be compromised."
Cloud is a continuous security game, Linthicum notes. "You can't set up certain mechanisms and expect them to protect you all the time," he says. "They have to be monitored and updated."
To prevent cloud security threats, organizations not only need to continuously monitor their deployments, but test them, as well, Alon continues.
"In an environment that changes so rapidly, with the flick of an API or one mistake on the console or one bad line of code in a script, you have to … test it continuously," he says. [15:49 -- 16:02]
What are the top security issues with serverless computing?
Cloud providers have tapped into the serverless computing market, providing services such as AWS Lambda, Azure Functions and Google Functions. And while serverless models can provide cost benefits to the enterprise, they also introduce new cloud security threats.
"Security was not part of the design processes when [serverless computing] was introduced to the world," Alon says.
A serverless function is invoked spontaneously by a trigger or event. This means enterprises can't protect serverless applications with the same identity and access management, encryption and other systems they use to protect virtual servers in the cloud. Enterprises could also misjudge the amount of permissions they should give to a function so that it can act on its own; if a function has more permissions than it needs, it creates the first weak link in a chain of events that could lead to a disaster, Alon says.
"[Security] should be something that is systemic to how we deal with serverless computing," Linthicum adds. [17:08 -- 23:50]
Get the right set of skills for serverless applications
Find the right cloud security tools and strategies
Serverless computing provides flexibility and lower costs