By now, we are all used to hearing about the latest security breach some company has fallen victim to. Sony, Target, Anthem, all are household names who have fallen victim and had data stolen. In some cases, innocent customers of these companies have been the ones impacted, and are at higher risk for identity theft since so much of their private information has found its way onto the Internet.
Security threats have been around since the dawn of the Internet, but it took years for many companies to take them seriously. They come in all sorts of sizes and shapes, from viruses and malware to hypervisor escapes and ransomware, and they have evolved as fast as their mitigations, if not faster.
It was the early 1990s when antivirus software began to catch on. In the early days (and even today) users were notorious for complaining about it, and even turning it off. Then again, this was also the time period where it was ridiculously easy to stroll into many data centers.
Eventually, the threats were realized and organizations began to catch on. We even saw the beginnings of the rise of the CSO in the early 2000s. Steps were taken to ensure proprietary secrets and customer data were protected, even if they weren’t often enough. The data center security market was worth 4 billion dollars in 2013, but is projected to grow to over 11 billion in 2022. Just as organizations began to get things under control from a security perspective, we faced another evolution.
Cloud computing has become a hot topic in many organizations. Businesses race to see who in their competitive space can adopt the cloud first and bring its promises, from new development techniques to backing up whole environments, to fruition. In this race, security is often overlooked.
Many businesses falsely assume the cloud is safer. While they feel they’ve mitigated some of the risk due to the physical environment, they’ve brought all of their existing security flaws to the cloud, and then some. Startups like Avanan are all over the space, offering to aid cloud consumers in preventing data leaks, detecting threats, and encrypting data, which of course brings us to our next question: is the public cloud secure?
The answer, of course, is the answer we must offer to almost every question of technology: it depends. In many cases the answer is a resounding yes, especially in the case of Amazon Web Services (AWS). AWS prides itself on hosting the infrastructure for many companies, including government agencies which define the regulations on data security and compliance. Similar to a physical data center, consumers must be careful when picking a cloud provider, and not just assume a cloud is secure because it is the cloud.
We’ve been working on agility and the speed of IT for quite some time. The cloud is a great enabler for that agility, but it should not be done at the expense of proper security. This is the time for us to go back to the basics and evaluate how security is being handled at every step of the systems development lifecycle. Perhaps one of the most insecure features of the cloud is the agility we’ve come to value so greatly. We’ve all heard nightmare stories about rogue employees firing up the cloud by simply entering their credit card number. With a few simple clicks, proprietary information can suddenly be exposed.
Unless you want to make the news for all the wrong reasons, it is time to start thinking of security at every step. Assume the worst, architect for it. Build security into your development process and into automated testing. There’s a massive community of security professionals and thought leaders who are here to coach us through it. Most of all, it’s good to have a healthy paranoia about it. Odds are, somewhere along the way we have been closer to being vulnerable than anyone may want to know. Don’t let it stop development, but don’t let the agility of your IT bypass security either.