- Companies are not asking cloud providers the right security-as-a-service questions, according to Frank Konieczny, CTO of the U.S. Air Force, speaking at the Security Through Innovation Summit in Arlington, Virginia, on Thursday.
- Many cloud providers just provide a firewall and "then you're on your own," said Konieczny, so companies have to figure out how to virtually replicate the same tools used on-premise. The degrees of security also differ depending on the provider. That adds more complexity for companies that want to enable cloud-to-cloud communication.
- Questions to ask cloud providers: which services they provide, how often they deploy patches, how they handle vulnerability analysis, and finally, how much those services cost.
As the cloud becomes the new norm, the definition of security as a service is being interpreted more widely. The gaps between interpretations leave room for misunderstanding.
Konieczny defines security as a service as either receiving data that informs the customer's decision-making, or having a service provider make the decisions for the customer as a subscription.
Everyone is "trying to do everything as a service anyway," he said, but because the services are expected, asking the right questions doesn't always come naturally. Cloud customers assume that once they migrate to the cloud, the provider takes the security reins. But accountability remains with the customers.
Companies need to clearly understand where the cloud provider's security stops and theirs begins. While the cloud's infrastructure is more resilient than a private data center, it doesn't ensure bulletproof security.
Cloud environments are scarier because companies relinquish control and visibility to a provider. "Everyone is paranoid now because you're not controlling the server farm" of the cloud, said Konieczny.
On-premise environments felt safer, said Konieczny. Now, the cloud raises the question, "I'm sharing a platform with everybody else, what does that really mean?"
There are inevitable nuances in cloud-based security that are often overlooked, he said. Companies need to ask themselves what exactly they are trying to secure, data or applications, because that will dictate which cloud-based tools they need to adopt.