After years of enterprises fearing the cloud because of security, we're now at risk for the opposite problem—companies relying too heavily on their cloud providers to look after security. A pair of professionals from the IBM Security team warned attendees against this trend at IBM InterConnect 2017 this week in Las Vegas.
IBM's Sridhar Muppidi and Dan Wolff urged IT leaders to think of cybersecurity as a shared responsibility between the business and its cloud infrastructure vendors—whether that's IBM, Microsoft, Amazon, Google, or other providers.
Muppidi and Wolff laid out six cloud security "must-haves" that every enterprise needs to cover. Here's their checklist:
1. Access management (users, privileges, clients)
- identity and access management
- identity governance
- privileged identity management
2. Network security (anomalies, threats, activities)
- monitoring events
- threat detection and prevention
- inter-workload protection
3. Data protection (databases, workloads, content)
- file and folder encryption
- key lifecycle management
- data loss prevention
- vulnerability scanning
- PII discover and monitoring
4. Application security (threat prevention)
- secure application development
- application vulnerability assessment and management
5. Visibility and intelligence (anomalies, threats, activities)
- event correlation
- monitoring and alerting
- multi-cloud and on-premise integration
6. Workload centric (security and DevOps management)
- cloud security policy management
- patch management
- auditing of controls
The two IBM Security professionals stressed that IT leaders should look at their cloud infrastructure providers and figure out which security services are offered, which ones have enhanced/upgraded services, and which ones are left to the customer to provider.
Muppidi and Wolff recommended making a chart to figure out what your cloud vendor offers by default and what advanced services (including third party integrations) are available. As an example, they charted IBM's cloud security offerings, as you can see in the chart below:
- DevSecOps teams securing cloud-based assets: Why collaboration is key
- Report: Hybrid cloud dominates in Europe, adoption driven by security concerns
- DevOps a natural fit for cloud security (ZDNet)
- Cloud security market to be worth $12 billion by 2022, here's why
- Here are the top 6 ways websites get hacked, according to Google
- How misaligned incentives give hackers an advantage over IT security pros
Jason Hiner has nothing to disclose. He doesn't hold investments in the technology companies he covers.
Jason Hiner is Global Editor in Chief of TechRepublic and Global Long Form Editor of ZDNet. He's co-author of the book, Follow the Geeks.