Examining cloud security: the perils of being your organization’s “No Guy”

The director of solutions architecture for White Hat Security, the web application assessment specialist, opened with his first and most important piece of advice: “don’t fight the cloud. You can try to...but [users] will do everything in their power to get around” your controls, he said.

Gone are the days when a piece of hardware was required to host a web application, Schilbe noted, and anyone looking to bypass their security department can now do so with the swipe of a credit card. “You can go to Amazon or Rackspace, provide your credit card, and get your application hosted on a very powerful web server”, he said. “It’s easy to set up”, and just as easy to get around your organization’s IT professionals, he warned.

Then came his second piece of advice for securing the cloud: “If you want to control your cloud services within your business, then set it free. Do not be the guy who says ‘no’ to the cloud; you want to embrace it.”

The reasoning, Schilbe said, is simple and bears repeating: if you are the ‘no guy’ in your organization, your employees will find a way around your policy. The result is an embarrassing game of hide-and-seek that ties up the security professional’s valuable time. The solution instead, he continued, is to embrace cloud services where appropriate and work with the interested stakeholders, enabling their business objectives while establishing a security process around them.

With the majority of data breaches occurring via web applications, according to the latest Verizon Data Breach Investigations Report, Schilbe stressed how important it is for security departments to work with the business teams looking to leverage these services rather than against them.

“If you move to the cloud”, he added, “shift your hardware budget toward security”.

Planning to Fail

Security, availability, and reliability: these are the triumvirate of resistance to cloud adoption. But for the brave organizations that cannot ignore the Sirens’ cry of the cloud’s benefits, Schilbe advised to “prepare for the call” that will eventually come when your services grind to a halt, for example when your company’s website gets hacked.

Have a disaster recovery plan in place for this eventuality, he said, lamenting that most organizations have no such process “and they go into panic mode”. Know whom to contact, who is responsible, and what the initial response steps should be, Schilbe continued.

Even when your code is hosted in the cloud, your organization is still responsible for it, he reminded the audience. Part of your security planning process, therefore, should include assessing your web applications to ensure they cannot be made to behave in ways they were never intended to. Schilbe said those assessments need to happen on an ongoing basis, not simply once a year to satisfy a PCI audit.

You’re Never Too Old to Make New Friends

Aligning security objectives with business objectives in the cloud was the point of Schilbe’s talk, and he observed that marketing personnel are often the most frequent violators of security policy. “Get social with your friends in marketing”, he recommended. “They are notorious for leveraging cloud services, creating cloud applications on the fly, and they most commonly try to [avoid] IT because they are afraid” of how long the process will take.

“Make good friends with marketing. Make sure you work with them and ask them what services they are using”, he said, but leave out the usual IT buzzwords, which only cause unnecessary confusion, Schilbe added.

Don’t cause a panic by telling your marketing people that they can’t use certain services, he said. “Don’t be the bad guy. You want to be the enabler and not the disabler in this situation, and incorporate cloud into your business.”

It is imperative to avoid being at odds with your business colleagues; a cooperative relationship leaves you free to educate your users on how to take advantage of cloud services “while also having some security around it”, Schilbe concluded.
