This morning, I was delighted to finally download and read the new “Oracle and KPMG – Cloud Threat Report 2018.”  I have known this was coming for a few months, but was delighted by how it turned out.  The report contains a wealth of timely, insightful information for those who need to know how to not only cope, but excel, in the rapidly changing information systems infrastructures of modern business.

Mary Ann Davidson, CSO, Oracle Corporation, stated in the report’s Foreword:

In the age of social media, it is popular to speak of what’s “trending.” What we are seeing is not a trend, but a strategic shift: the cloud as an enabler of security.

The dazzling insights in the Oracle and KPMG Cloud Threat Report, 2018 come not from professional pundits, but from troops in the trenches: security professionals and decision makers who have dealt with the security challenges of their own organizations and who are increasingly moving critical applications to the cloud.

A few key research findings are summarized in the following list and illustrated by the numbers the “Key Research Findings” chart:

• The threat landscape is increasingly complex and varied.
• Detection and response is critical—but not always easy in the cloud.
• Customers don’t always understand their cloud security obligations.
• Security professionals worry about the impact of attacks on business operations.
• Cloud and mobile-centric employees beget the need for new identity and access management strategies.
• Technology alone isn’t enough.
• Machine learning can help.

KPMG offers this Call to Action:

C-level, finance, HR, risk, IT, and security leaders are responsible for ensuring that the organization has a cybersecurity program to address risks inherent in the cloud.

Beyond making sure that risks are mitigated and compliance requirements are addressed, leaders should accept and assert their responsibility for protecting the business. A critical first step is to understand the “shared responsibility” principles for cloud security and controls. Knowing what security controls the vendor provides allows the business to take steps to secure its own cloud environment.

To further protect an organization, it is crucial that everyone in the organization—not just its leaders—is educated about the cloud’s inherent risks and the policies designed to help guard against those risks. This requires clear communication and training to employees on cloud usage. KPMG and Oracle’s research found that there may be considerable room for improvement in this area, as individuals, departments, and lines of business within organizations are often in violation of cloud service policies.

I have really just skimmed the report.  I look forward to digesting the content more completely.  Stay tuned for more analysis and commentary from my perspective.

The State of Cloud Security 2016, published by the Cloud Security Association Global Enterprise Advisory Board, is a short, but interesting document, focused on articulating the gaps in current cloud security practices to help cloud providers better understand the needs of their customers.

Cloud computing is an incredible innovation. While at its heart a simple concept, the packaging of compute resources as an on demand service is having a fundamental impact on information technology with far reaching consequences. Cloud is disrupting most industries in a rapid fashion and is becoming the back end for all other forms of computing, such as mobile, Internet of Things and future technologies not yet conceived. As governments, businesses and consumers move to adopt cloud computing en masse, the stakes could not be higher to gain assurance that cloud is a safe, secure, transparent, and trusted platform.

With the stakes rising in cloud adoption, cloud providers need to step up with better built-in security:

Cloud computing adoption is solid and increasing. Security and compliance can be adoption barriers. Now is the time to increase the pressure on cloud providers to build security in, not try to bolt it on as an afterthought.

Cloud computing demands new approaches to security:

We need to take a hard look at many of our existing security practices and retire them in favor of new “cloud inspired” approaches that offer higher levels of security.

Finally, solving these tough problems will require cooperative effort between cloud providers and their customers:

Both enterprises and cloud providers need to work together to better align their security programs, architectures and communications.

Let’s work together to conquer these tough challenges.  

This afternoon, I read the Cloud Security – 2016 Spotlight Report, presented by CloudPassage. It was an informative report based on responses from a Linkedin security community. Aside from the insight it provided about Cloud Security, I found it intriguing that social media groups are proving to be a valuable source of market information.

The report focuses on the risk factors facing enterprises as they progressively adopt cloud computing

Security of critical data and systems in the cloud remains a key barrier to adoption of cloud services. This report, the result of comprehensive research in partnership with the 300,000+ member Information Security Community on LinkedIn, reveals the drivers and risk factors of migrating to the cloud. Learn how organizations are responding to the security threats in the cloud and what tools and best practices IT cybersecurity leaders are considering in their move to the cloud.

It is no surprise that security is a key concern.  I would expect such a response from a self proclaimed information security community.

Cloud security concerns are on the rise. An overwhelming majority of 91% of organizations are very or moderately concerned about public cloud security. Today, perceived security risks are the single biggest factor holding back faster adoption of cloud computing. And yet, adoption of cloud computing is on the rise. The overwhelming benefits of cloud computing should drive organizations and security teams to find a way to “get cloud done”. This is a prime example to where security can have a profound impact on enabling business transformation.

It was not surprising that most respondents thought that traditional security tools were inadequate.

The survey results confirm that traditional tools work somewhat or not at all for over half of cybersecurity professionals (59%). Only 14% feel that traditional security tools are sufficient to manage security across the cloud.

I am not a expert on the validity of this type of survey vs. a more traditional survey conducted outside of the social media environment, but I think it provides some valuable insight.  There is a lot of work to do, folks!

This week, I read an interesting report created by the Top Threats Working Group of the Cloud Security Alliance and sponsored by Hewlett Packard. Entitled, “The Treacherous Twelve: Cloud Computing Top Threats in 2016,” this report points out that new security vulnerabilities are emerging …

the improved value offered by cloud computing advances have also created new security vulnerabilities, including security issues whose full impacts are still emerging.

… and that security is no longer just an IT issue. 

The 2016 Top Threats release mirrors the shifting ramifications of poor cloud computing decisions up through the managerial ranks. Instead of being an IT issue, it is now a boardroom issue.

More vulnerabilities and increased business awareness/responsibility. The urgency of security is rising.

The report identifies security concerns so business leaders can make better decisions about security:

The purpose of the report is to provide organizations with an up-to-date, expert-informed understanding of cloud security concerns in order to make educated risk management decisions regarding cloud adoption strategies. The report reflects the current consensus among security experts in CSA community about the most significant security issues in the cloud.

The 12 critical issues to cloud security (ranked in order of severity per survey results):

1. Data Breaches
2. Weak Identity, Credential and Access Management
3. Insecure APIs
4. System and Application Vulnerabilities
5. Account Hijacking
6. Malicious Insiders
7. Advanced Persistent Threats (APTs)
8. Data Loss
9. Insufficient Due Diligence
10. Abuse and Nefarious Use of Cloud Services
11. Denial of Service
12. Shared Technology Issues

The report provides includes a variety of useful information about each critical issue, including:

1. Description
2. Business Impact
3. Anecdotes and Examples
4. List of applicable controls from the Cloud Control Matrix (CCM)
5. Links to further information

Some of the anecdotes are both intriguing and disturbing:

British telecom provider TalkTalk reported multiple security incidents in 2014 and 2015, which resulted in the theft of four million customers’ personal information. The breaches were followed by a rash of scam calls attempting to extract banking information from TalkTalk customers. TalkTalk was widely criticized for its failure to encrypt customer data.

Praetorian, an Austin, Texas-based provider of information security solutions, has launched a new cloud-based platform that leverages the computing power of Amazon AWS in order to crack password hashes in a simple fashion.

Heartbleed and Shellshock proved that even open source applications, which were believed more secure than their commercial counterparts … , were vulnerable to threats. They particularly affected systems running Linux, which is concerning given that 67.7% of websites use UNIX, on which the former (Linux) is based.

In June 2014, Code Spaces’ Amazon AWS account was compromised when it failed to protect the administrative console with multifactor authentication. All the company’s assets were destroyed, putting it out of business.

The threat is real, folks.  Be careful out there!

This morning, I read a recently published Oracle white paper, “Oracle Infrastructure and Platform Cloud Services Security”: 

This white paper focuses on shared and service-specific security capabilities of the following services: Oracle Compute Cloud Service, Oracle Storage Cloud Service, Oracle Network Cloud Service, Oracle Java Cloud Service, and Oracle Database Cloud Service – Enterprise Edition.

Oracle Cloud Services have been engineered from the ground up with security in mind. 

Security is a top priority for Oracle Cloud solutions. Oracle’s vision is to create the most secure and trusted public cloud infrastructure and platform services for enterprises and government organizations. Oracle’s mission is to build secure public cloud infrastructure and platform services where there is greater trust – where Oracle customers have effective and manageable security to run their workloads with more confidence, and build scalable and trusted secure cloud solutions.

Development of Oracle cloud services follows a rigorous methodology for incorporating security into all aspects of cloud services:

The Oracle Cloud Services development process follows the Oracle Software Security Assurance (OSSA) program. The OSSA is Oracle’s methodology for incorporating security into the design, building, testing, and maintenance of its services. From initial architecture considerations to service post-release, all aspects of cloud services development consider security.

However, despite this solId foundation of security in the Oracle Public Cloud, it was interesting to read about the “shared responsibility model” for information security:

Oracle Cloud infrastructure and platform services operate under a shared responsibility model, where Oracle is responsible for the security of the underlying cloud infrastructure, and you are responsible for securing your workloads as well as platform services such as Oracle Database and Oracle WebLogic Server. The following figure shows the shared security responsibilities.

The following diagram provides a good illustration of the shared security model:

This illustrates how customers can’t just “throw things into the cloud,” and hope all will be well. There are significant responsibilities associated with deploying enterprise workloads in the cloud, even when the cloud services provide a highly secure foundation.

Kuppinger Cole just released an insightful Advisory Note: “Information Security Predictions and Recommendations 2014.”  The introduction stated:

Information Security is in constant flux. With the changing threat landscape, as well as a steary stream of new innovations, demand for Information Security solutions is both growing and re-focusing.

I like both the predictions and recommendations in this report.  Here are a few excerpts from my favorite recommendations:

Cloud IAM (Identity and Access Management)

Define an IAM strategy for dealing with all types of users, devices, and deployment models that integrates new Cloud IAM solutions and existing on-premise IAM seamlessly.

API Economy

Before entering this brave, new world of the API “Economy”, define your security concept first and invest in API Security solutions. Security can’t be an afterthought in this critical area.

IoEE (Internet of Everything and Everyone)

Before starting with IoEE, start with IoEE security. IoEE requires new security concepts, beyond traditional and limited approaches.

Ubiquitous Encryption

Encryption only helps when it is done consistently, without leaving severe gaps.

The whole paper is well worth reading.  Hopefully, this post whetted your appetite a little bit.

Ironically, within minutes this evening, I followed two cloud computing links - BC Comics’ definition and a more serious, post, Top 10 List for Success in the Cloud, by Octave Orgeron.  With all due respect to Octave, I propose a Top 10 List for successful cloud computing, using Wiley’s definition (following the comic strip).

Here is my top 10 list for successful cloud computing:

10. The seat in front of you is far enough away so you can actually lower the tray and open your laptop

9.  The flight attendant doesn’t spill water on your keyboard 

8.  You remembered to charge your laptop before leaving the office

7.  You didn’t forget the new password you set this morning

6.  The inflight WiFi connection actually works

5.  Your credit card has enough headroom to actually pay for inflight WiFi

4.  The person in the seat next to you stops talking long enough for you to do some actual computing

3.  The person in the seat next to you isn’t employed by your biggest competitor

2.  You don’t get motion sick while trying to focus on your spreadsheet during turbulence

1.  You resist the urge to give up and watch a movie instead

 

Oh, the irony of our crazy industry!  Back in 2009, I blogged about a book entitled, “The Big Switch:  Re-wiring the World, from Edison to Google,” by Nicholas Carr.  This book proposed that the shift from traditional data center computing to a utility-based computing model will follow the same general trend that electricity generation followed – from a model of each individual factory maintaining its own electricity generation capability to our current utility-based electricity generation and grid delivery model. 

Today I read an intriguing article, “What’s threatening utilities: Innovation at the edge of the grid,” which proposed:

… utilities are structured to treat electricity as a commodity, produced in central power plants and delivered to consumers over long distances in a one-way transaction, with price and reliability of supply the sole concerns.  None of that is working anymore. Lots of forces are conspiring to put the current arrangement under stress, but the most important, in my mind, is a wave of innovation on the “distribution edge” of the grid.

Just think … at the same time as utility-style cloud computing is being hyped as the greatest trend in technology, the electrical utility industry is being decentralized to accommodate both generation and consumption at the edge!

One thing is certain.  Wait a few years and things will change some more!

In a recent Forbes article entitled, “The Cloud Revolution and Creative Destruction,” Oracle’s Bob Evans put cloud computing in perspective (my emphasis added):

We’ll begin to see the real the real creative-destruction power of the cloud unleashed when we begin to define the cloud in terms of what business customers want and need, and when we stop diddling around with inside-baseball constructs that mean little or nothing to the businesspeople who are ready to spend many tens of billions of dollars on cloud solutions that focus on and deliver business value. .. 

That’s the real magic of the cloud: it lets businesses rethink where and how they deploy their precious IT dollars, and allows those businesses to focus more of their IT budgets on projects that truly matter.

Business value.  Focusing here makes cloud computing worthwhile.

One of the benefits of growing old is the historical perspective offered by advancing age. I have been privileged to be an active participant as the computer industry has literally unfolded before my eyes.  

The first computer I saw demonstrated, back in 1970, was built by a hobbyist, using flip flops constructed out of discrete transistors and a numeric  Nixie tube display. The input device?  A rotary phone dial.  As an electronics hobbyist myself, I was fascinated by the blinking lights, even though the contraption really wasn’t very useful as an end user device.

Fast forward a few years … As part of my first engineering job, I built my first personal computer in 1978, predating the IBM PC by three years.  It was based on the Texas Instruments 9900 microprocessor, one of the first 16-bit microprocessors. I designed and built the color graphics display board and modified a Sony Trinitron TV to be the color monitor. I had to design and debug the circuitry, work with others to design the chassis and circuit boards and solder in all the chips.  I used an original Soroc terminal and Epson TX-80 dot matrix printer.  The computer had a rudimentary operating system and simple text editor.  I thought I was in heaven!  For a geek like me, I had both the joy of experimentation and emerging productivity for my work.

My next big step forward was getting one of the original Compaq luggable PCs – complete with two 256k 5-1/4 inch floppy drives (no hard drive). It was a great step forward in packaging, but the real benefit was the software - WordPerfect word processor and Lotus123 spreadsheet.  My productivity really accelerated.  And I didn’t have to build anything. (By the way, I still have that computer!)

Of course, the MacBook Air I use now is almost infinitely more capable than the those old relics.  We have come a long way.

What does this have to do with Personal Clouds? I somehow get the feeling we are still in the hobbyist phase.  A lot of blinking lights and personal tinkering and vision of the future, but not a lot of real utility and tangible benefits.

Don’t get me wrong – I really like the concept of personal clouds.  I like the promise of  better privacy, better personal control over my information, easier to use Identity and payments infrastructure and unifying functionality in a virtual container in the cloud. I salute those who are working to transform vision into reality.

But at this time in my life, I tend to be impatient. I want my MacBook Air when all that is available is Nixie tubes and rotary phone dials.   I’d like to see the next Apple emerge or some stodgy old IBM-like company leverage their market presence and offer Personal Cloud infrastructure that is really easy to use and really useful to old fogies like me.

Who will it be?