The Stack Archive Feature

How to have your cloud and eat it

Tue 20 Mar 2018 | Paul Ducklin

Paul Ducklin, senior technologist at Sophos, discusses how to ‘have your cloud and eat it.’ You might be wondering: why is a company like Sophos, which some people still think of as “the big UK anti-virus company”, interested in a cloud expo?

After all, isn’t anti-virus (even though it has been about a whole lot more than viruses for 20 years already) the sort of software that runs on every desktop, every server, every laptop – software that digs itself deeply into your operating system so it can stop malware threats before they even start?

Surely that’s the opposite of what the cloud is all about? Well, it is and it isn’t.

Keeping the bad out and the good in

Sophos’s software aims, very simply, to keep the bad stuff out and the good stuff in. To keep track of data as it moves, files as they arrive and leave, programs as they fire up, network traffic as it comes and goes, you can’t be a pure-play cloud company.

But Sophos, along with most of the rest of the world, has been able to harness the cloud for good – here are three examples of how we’ve been able to “have our cloud and eat it”:

  • Our company blogs, Naked Security and Sophos News, are hosted by WordPress.com VIP. We used to host them ourselves, but we aren’t a publishing company, so it seemed smart to dedicate our own operations guys to serving up the content that our customers need to stay ahead of the latest threats.
  • Our products include a Live Protection component that uses cloud lookups in real time to provide updates faster than ever. Even though we can publish full-blown threat detection updates in a matter of minutes or hours due to the modular nature of our software, the cloud has given us a way to add (and to collect) intelligence about the latest threats quite literally in seconds.
  • Our products include a version known as Sophos Central in which we host all the back-end services and management tools for our security suite for you, in the cloud, so you don’t have to. For many small and medium businesses, this provides the simplicity and reliability they need to be as secure in their business workflow as a much bigger company with a large IT department.

So, right there, you can see four key reasons why most companies – you included – can benefit from the cloud:

  • Simplicity. You don’t need to build IT infrastructure on a global scale in order to reach customers and prospects around the globe.
  • Speed. You can disseminate updates – whether those are security patches or new price lists – quickly and efficiently.
  • Security. You don’t have to sweat over every patch and every security announcement yourself.
  • Scalability. You don’t have to order in a brand new server of your own and install it just to add a new feature.

It works for us and it can work for you.

But clouds don’t always bring good weather.

There are plenty of recent examples of cloud-based services where the above benefits turned into liabilities.

When cloud goes wrong

I’ll go through some examples in the talk, but think of: Yahoo, a consumer cloud mail provider that lost 3 billion user records in a data breach that went unnoticed for years; any number of security camera solutions that relied on the cloud for simplicity, but were so sloppily programmed that they *reduced* security in your company instead of improving it; Equifax, which leaked personal information of about 150,000,000 Americans that was supposed to be brokered securely to credit card and loan companies…

Clearly, not every cloud provider can be trusted, and anyway, just “putting services in the cloud” doesn’t outsource your responsibility or your accountability.

I’ll, therefore, conclude my talk with “4 Ps” – simple guidelines that cloud providers and consumers can offer and follow to close some of the most obvious holes that crooks use to take over whole networks at a time:

1. Patch early, patch often. If you’re a cloud provider, be ahead of the game and don’t wait for your customers to ask. If you’re a customer, don’t be afraid to ask. (And don’t be afraid to switch providers to one who’s more proactive if you don’t get good answers.)

2. Pick proper passwords. It’s the essence of cloud services that you often need to log in “somewhere else” over the internet. Don’t make it easy for the crooks.

3. Protect your private keys. When you push services such as your web presence or your app building into the cloud, you’ll need to trust other people with your private cryptographic keys. These are the digital keys that, if stolen, could allow crooks to impersonate your website or your software. Whether you’re a provider or a customer, go out of your way to protect your digital identity – there are numerous cases of techies who should know better giving away the keys to the castle through carelessness.

4. Prefer two-factor authentication. If you’re a provider, offer 2FA and push your customers as hard as you dare to use it. You might even consider making it compulsory! If you’re a cloud customer, just do it. One-time login codes aren’t perfect but they’re a higher bar to cyber criminality.

And here’s a bonus P:

5. Prepare to ask pointed questions. As a cloud customer, you don’t have to accept “maybe”, or vagueness, when you ask your provider security questions. Have you patched? If not, why not? When will you do so? Cloud computing isn’t a religion, so you don’t have to take anything on faith. You have the right to expect clear answers quickly to any reasonable security question.

The takeaway

If there’s one thing I would like people to take away from my talk, it is this: “You can’t outsource your responsibility or your accountability just by adopting the cloud. So, whether you are a cloud provider or a customer, treat the cloud as a partnership, not merely as a product or a contract.”

In computer security, an injury to one really can be an injury to all…

Come and meet the Sophos team on stand S2410 at Cloud Security Expo, 21-22 March, ExCeL London. Register for your free ticket today.

Experts featured:

Paul Ducklin

Senior Technologist
