Clouds on the Horizon

I had the pleasure of attending the Secure Cloud 2014 conference this week. The presentations and discussions were quite interesting, and I was eager to hear and understand the perspectives of the other conference attendees. As we are all aware, the move to the cloud is already underway. With the move comes various consequences and challenges relating to security operations and incident response. I wanted to share a few thoughts and observations from this week's conference in this post.

• As one might expect, cloud providers focus first and foremost on business operations. Meeting the demands and requirements of SLAs weighs heavily on the minds of cloud providers. I did hear some encouraging dialogue around the idea that good security is good business. In other words, if customers are worried that their data will be stolen because of the risk of a breach at a given provider, they are more likely to change providers. This was encouraging to hear.
• Current security efforts appear to be heavily focused on regulatory requirements, compliance, privacy, encryption, and protection of customer data from nation-state spying. I was surprised at the percentage of dialogue during the conference centered on Edward Snowden, the NSA, and nation-state spying in general. Granted, this focus likely comes from the customers of the cloud providers, who are undoubtedly concerned about these issues. Nonetheless, there are many other topics that are important to the security discussion that deserve equal attention. If the cloud community becomes overly focused on nation-state spying, it risks succumbing to tunnel vision. This tunnel vision risks preventing the cloud community from progressing to a holistic approach to security that includes a robust security operations program.
• Continuous security monitoring, security operations, incident response, and forensics remain a challenge for the cloud community. Awareness of these challenges is growing within the community, and I believe that the community will gradually move towards maturity in these areas. I must admit that I was quite surprised when the CSO of a cloud provider told me that after a breach, "what happened", "how it happened", and "what was taken" were not important questions to him. I am hopeful that this is the exception, rather than the rule, and that as awareness grows, this type of attitude and approach will change.

Cloud providers appear to be heading in the correct direction, and I applaud them for this. Those providers that understand the need to perform security operations and institute security operations programs proactively will fare better than those that only become concerned about security operations after a large breach or intrusion has occurred. In my estimation, it is only a matter of time before customers begin closely examining the security operations programs of cloud providers for maturity.

The good news, from my perspective, is that security operations is now something on the radar of cloud providers. It is also something that businesses will weigh as part of their decision regarding whether to move to the cloud, what to move to the cloud, when to move it, how to move it, and to which provider or providers to move it. It is most definitely encouraging and exciting to see the practices and wisdom of security operations moving into the cloud.