Cloud services can be as secure as a bank

Google’s security chief, Eran Feigenbaum, says the cloud can protect data better than many in-house systems, which he likens to a modern-day version of putting ‘cash under the mattress’...

PwC: What are some of the key security issues with cloud services?
When moving to the cloud, enterprises need to understand where their data is. It’s a little bit of a misnomer that the data is in the cloud. Data is not typically floating randomly through the Internet. Rather, it’s in the cloud service provider’s data centre and under that provider’s watch. It’s critical that a company understands the controls its cloud provider has in place.

It’s still the enterprise’s data, and if something bad happens to that data, the enterprise is still going to have to answer to its customers.

PwC: What benefits do cloud services provide from a security perspective?
One of the things I spent a lot of time and effort on as a chief security officer was patch management, making sure that all applications and operating systems were patched and up-to-date.

Software vendors release security patches on a regular basis. It was my responsibility to understand what those patches were and whether they were applicable to our environment, make sure they didn’t break anything, and then deploy them on all relevant systems more quickly than the bad guys trying to reverse-engineer the patches. Once there’s a patch, everybody knows there’s a vulnerability in those systems. It becomes an arms race. What’s faster? Can I as a company deploy the appropriate patches, or do the bad guys figure out what the vulnerability is and break into the system?

Now, with Google Apps specifically, we have a very homogeneous or standardised environment.

All of our servers look alike, and we control the entire stack. The operating system, the applications, and the user repository are all written by Google for Google. It’s very homogeneous. So, when it is time to patch, I can do so in a uniform manner across all of the servers—unlike in the traditional environment where I’m trying to understand whether the patch is relevant to me and whether it works on this or that server. That’s a tremendous advantage.

PwC: Cloud architecture aggregates users and data, and therefore any security mishaps have the potential to affect a large number of users and their data. How are such risks being mitigated?
We maintain multiple copies of your data—multiple copies within a single data centre and multiple copies within a secondary data centre—to help prevent a problem like that. We fully expect a drive to fail, or to not be recoverable, but we account for that possibility from the software level on up by having the multiple copies and no single point of failure.

The other part is the unique way in which we’ve used cloud technology. Other people may use it the same way as well. In the traditional environment, you would have a mail server that would be dedicated to you. That would always be the server that you spoke to, and that server housed all your mail. We’ve taken a different approach. We’ve fragmented all of your data, and we’ve spread it across our infrastructure in a system designed such that your data cannot become compromised by gaining access to a single location. The data is spread across our many servers. It’s like a needle that’s been chopped up into small pieces and put in a haystack, impossible to find.

PwC: What can enterprises and government organisations that have the scale to build a private cloud learn from the experience of Google in offering and securing cloud services?
First, there are many lessons that we all learned from the years of computing that existed before us.

Lessons from all the security drawbacks that exist in the client-server model—the patching process being just one.

Eran Feigenbaum is director of security for Google Apps at Google. In this role, he defines and implements security strategy for Google’s enterprise products. He was formerly the chief security officer for PricewaterhouseCoopers.


The next lesson is around the use of standardised or homogeneous infrastructure, and the ease of maintenance and support that follows. A lesson can also be drawn from some high-profile losses of data on portable devices, USB sticks, laptops, CDs, and DVDs. Users are working from home on weekends and so on. To do that, what are they doing? They’re putting data on USB sticks. They’re mailing it to their personal Hotmail, Yahoo, or Gmail accounts.

As soon as they do that, they’ve completely broken their company’s security model and taken the data out of that company’s control. Putting it in the cloud and making it available anytime, anywhere, while it’s still maintained in the security of the cloud, presents a tremendous advantage.

PwC: What can the information security officers at an enterprise get from the cloud today that they are not getting in their own environments?
Let me give you an example. Depending on which statistic you believe, 70 to 95 percent of e-mail is spam, right? With spam come viruses.

A cloud provider like Google processes billions of SMTP [Simple Mail Transfer Protocol] transactions every day, bringing a tremendous amount of knowledge—knowledge that a single CISO [chief information security officer] of a single company can’t get. So, with this knowledge, the cloud has visibility. We can block spam, botnet attacks, and viruses in the cloud.

Because of all the traffic that we’re processing, we can block our customers from viruses a couple of hours before the antivirus vendors have even seen those viruses.

PwC: Surveys have shown that security remains a primary concern with cloud services. What message would you like to send to the CISOs who might be exploring private or public cloud solutions?
The message to them is don’t dismiss the cloud because of the hype. The fact that the FUD [fear, uncertainty, and doubt] factor is security, is mainly FUD. Do your research and understand the security model of your cloud provider. Not all clouds are created equal. From a security perspective, look and weigh the advantages and disadvantages of a cloud provider against those of in-house solutions today.

I speak every day to CIOs and CISOs of Fortune 1000 organisations, and I think many of them come to the conclusion that the cloud often can be more secure than their existing operations.

It’s very much the paradigm. Imagine if we were in the banking industry 100 years ago, where you had to decide to take the money from underneath your mattress and put it in the bank. If you chose the mattress, you could go home and look at it every day and know that it was still there and still safe.

But the bank really had the economies of scale and could afford the armed guards and the big industrial safes that each individual user couldn’t. That’s the same kind of world we’re in now.

PwC: Looking forward five to ten years, as the cloud unfolds, public or private, how different do you think the conversation around security will be?
I hope that a lot more CISOs and CIOs use these new concepts of the cloud that take care of a lot of the security issues that we spend so much time and money on and still do wrong today—such as passwords and portable media. There are a lot of basic applications that we don’t do very differently.

The way you do e-mail and the way I do e-mail are pretty similar, so let’s enjoy those economies of scale.

In the next five years, I’d also like to see CIOs and CISOs figuring out what services they can move to the cloud or to other service providers, and focus their efforts on things that are unique to their businesses that can really drive a competitive advantage.

Copyright © PricewaterhouseCoopers LLP. Not for further use without the permission of PricewaterhouseCoopers LLP. Interview reproduced with the permission of PricewaterhouseCoopers.


