Still remember when I was introducing cloud security to a Hong Kong journalists back in 2011 winter at WanChai (HKSAR), we were having a lunch meeting and she was researching on cloud computing.
At that time, running servers at a remote site was still a wired idea. As always, the question “Is it safe ?” was asked. This question was asked spontaneously (if not involuntarily) when I mentioned the data is processes at an outsourced data centre.
The person asking this question actually do not distinguish if they are referring to unauthorised access while transmuting, physical risk of remote data centre or availability. Like commercial airplane first appears, when only 1% of the population flew, 99% asked “Is it safe?”
Cloud Computing bring security innovations
Fast forward to 2015, TechCrunch has an article on this issues “The Cloud Could Be Your Best Security Bet” and Ron Miller explained that major data breaches are from company with on-permises  servers :” Yet if you think about every major data breach over the last two years, whether Anthem, Sony, JPMorgan or Target, all involved on-premises datacenters, not the cloud.”
Ron made it clear that knowledge is the real differentiator, when protecting data. Company like Sony Pictures are not technology firm and their investment, staff recruitment and intelligence gathering capability is not able to match with company like Salesforce, Google, AWS etc.
There is another consideration, I like to complement his argument. For non-technology enterprise or company do not offer cloud computing product/services, investment in security controls is usually regarded as a cost centre, in term means cheaper is better. For company, like Google security is a product that they can sell. When evaluating security control investments, cloud services providers are able to invest much more than a bank or an airline company.
Cloud Services Are Different
Although I agree with Ron’s observations, I have to point out that not all cloud services offering are the same. Again referring to the airline industry metaphor, running secure cloud computing platform is costly and bigger players has the economic of scales. Budget airlines usually operate flights to less visited airport and has a niche market. We are going to see similar trends in cloud computing.
When I was working at Verizon 3 years ago (after VZ acquired Terremark), we were hammering out cloud computing models in the HK and China regions for VZ cloud offerings. One key advantage of Verizon being a world leader in interconnections, is an extensive MPLS POPs.
If a customer data centre is already on Verizon MPLS network, it is both secure and cost efficient to connect their existing servers directly with Terremark cloud platforms. Thus creating a hybrid cloud without incurring lots of overheads. In 2012, when cloud computing was just started to catch attentions and the hybird concept was difficult to comprehend.
It was like selling selfie sticks to user just brought their first digital camera. Selfie stick works  but without wifi to upload photos and social media to share them, why would a user take selfies! Guess we were ahead of time.
Fast forward to 2015, hybird cloud is now ready for prime time. Both Azure and AWS provide hybird options and a group of vendors are building an ecosystem supporting hybird cloud deployments (e.g. Cloud-Connected Storage)Â
Risks of running application and services on the cloud has been an impediment  and people (journalist in particular) tends to see the cloudy side! I involved in many discussions on cloud security in my volunteer works in CSA Hong Kong & Macau Chapter. Some of the concerns are valid , in particular the lack of experienced professionals and knowledge framework.
Comparing to cloud vs not to cloud?
Cloud Security Talent Development
CCSP with the support from CSA and ISC2 is the answer to these concerns. In 2013, visionaries (like Aloysius Cheang from CSA APAC and Hord Tipton from ISC2 ) in both organisations joined together in response to market needs. In the past two years, A few other volunteers from CSA and I worked with ISC2 and their consultant Pearson VUE to develop CCSP CBK and examination questions. It was a rewarding experiences.
The process administrated is very structured and all rounded, with concept mapping, team discussions and psychometric analysis. As a security professional, I am thinking maybe system development life cycle (SDLC) should also make use of similar validation process to ensure each feature implemented is user facing and also balanced!
Developing Cloud Security certification is a challenge due to its extensive scope. The CBK covers six domains:
- Architectural Concepts & Design Requirements
- Cloud Data Security
- Cloud Platform & Infrastructure Security
- Cloud Application Security
- Operations
- Legal & Compliance
Very few people acquired working experiences in all six domains. However, learning cloud technology knowledge and applying security principles in a virtualised environment are both achievable via CCSP CBK.
Studying CCSP domains and passing the exam will help security professional to gain knowledge in a structure way, thus able to demonstrate their security skills are not outdated.
https://devcentral.f5.com/articles/the-inevitable-eventual-consistency-of-cloud-computing
https://azure.microsoft.com/en-us/documentation/articles/expressroute-introduction/
Pingback: Patreon layoff their entire security team, should you ? - A-INFOSEC