At the recent ISSA International Conference in Dallas, SearchCompliance editor Ben Cole met with conference speakers to discuss modern data threats and how they are influencing information security professionals' responsibilities. In this Q&A, vArmour senior vice president and chief cybersecurity strategist Mark Weatherford expands on his conference keynote where he discussed how companies address gaps in their cloud information security practices.
What are the biggest threats to corporate cloud information security?
Mark Weatherford: First off, understanding the technology, or not understanding the technology, is one thing we see with a lot of companies that are looking at the advantages of the cloud. Then, probably understanding where the lines of responsibility lie. A lot of companies that we talk to today seem to think that by moving their infrastructure to the cloud or to a virtualized data center environment that the responsibilities for security go along with that. In fact, there are still responsibilities for the provider, but there are also responsibilities for the owner of the data as well. The provider is responsible for the security of the cloud; the owner is responsible for the data in the cloud.
Do the resources required to offset cloud information security risks offset the cloud cost savings?
Weatherford: If you're going to utilize the technology, you have to deploy the right kind of security that goes along with that technology. As the technology changes and the cloud become more efficient, companies really have to look at new levels of security, new technologies for security. Certainly the cloud offsets the cost of infrastructure technology to begin with, which is why we do it -- the economics of it. But there are security costs that go along with it. I would say it's not really an either/or question. You have to do it; you have to deploy new levels of security technology for the cloud.
Are there any cloud information security strategies that have proven particularly effective?
Weatherford: Yes, so I think there are two things. The visibility in a cloud environment or a virtual environment is significantly different than they were in more of a physical environment. For example, in a virtual environment, where most of the traffic is east-west traffic that's inside, 80% of the traffic was what we see as really VM to VM type of traffic, which means only 20% of the traffic is traversing the perimeter -- which is where most of the security tools are today. I think there's an opportunity for companies to get new levels of visibility on the east-west traffic, that's the first one.
The second one is segmentation. We've historically used enclaves or boundaries around certain types of data, certain business units, certain functionalities within an organization to protect them and segregate them from each other, and typically we protect them with firewalls. I think there are new levels of software technology in a virtual environment today that allow us to segment and microsegment, even down to the workload level, through policy that obviates the need to buy very expensive hardware appliances.
Who should be responsible for ensuring cloud security, is it cloud providers or their customers?
Weatherford: I think it's definitely a joint effort. Companies can't outsource responsibility for security. They can outsource the infrastructure, they can outsource some of the services, but they can't outsource the security. As I said earlier, you know, the cloud service provider is responsible for the security of the cloud, but the customer is responsible for the security in the cloud. It's definitely a joint responsibility, and I think we're starting to see companies deploy new kinds of security, new kinds of technology to take advantage of that. It's what I would call a really robust environment for security today, and we can achieve much higher levels of efficiency, much higher levels of security and much lower costs purely through software. It really is kind of a game changer, I think, for those of us in the security industry.