Cloud computing is an opportunity information security professionals should not miss, according to Philippe Courtot,...
chairman and CEO of security company Qualys.
"This is a fantastic and opportunity to sit down with the CIO and the production team to help build security into the cloud," Philippe Courtot told attendees of RSA Conference Europe in London.
This is the time to embrace cloud computing, Courtot said, and join the Cloud Security Alliance, whose members are seeking to understand the challenges and build in security.
Courtot, a firm cloud advocate, said cloud computing can no longer be dismissed as a marketing gimmick, because the reality is that everyone is using it in one way or another.
Three cloud security challenges
The new architecture and technologies of cloud computing bring with them security challenges, he said. But these can be tackled by looking at how to secure each of the major components.
First, in the datacentre, it is possible to build in security through automating vulnerability management and patching and continuous, real-time analysis of logs and traffic.
"It is also easy to build a fortress around datacentres and restrict what goes in and out," Courtot said.
Next, web applications used to access datacentres are the "soft underbelly" of the internet. But according to Courtot, these should be viewed as the new network perimeter and hardened.
Organisations can improve their security by ensuring they can identify every web application in use, identify the vulnerabilities in those web applications, mitigate and remediate those vulnerabilities and conduct regular audits.
Finally, all devices used to access the datacentres should be regarded as part of the new perimeter. Consequently organisations should ensure they can identify all the devices accessing their networks, to control access, to find vulnerabilities and configuration issues and to mitigate and remediate those issues.
The problem with many existing and traditional security systems, said Courtot, is that they do not scale. Organisations need to find new, more flexible approaches.
"Scale is probably only something the cloud itself can solve," he said. Organisations should be looking to build new cloud-based security intelligence platforms to deliver real-time threat analysis, mitigation and compliance with security policies.
"Real-time big data is a key element of tomorrow's security, because once an organisation has created one platform, it can be cloned easily and used globally," said Courtot.