MY TAKE: Epiphany strikes Amazon, Google, Microsoft about who bears burden for cloud security

Amazon and Google last week very quietly made some moves that signal they’ve been hit by the identical epiphany: they each need to do a helluva lot more to secure cloud computing.

Microsoft was hit by this lightning bolt about a year ago. The Redmond giant all through 2017 took pronounced steps to relieve users of their cloud services of at least some of the responsibility to repel malicious attacks.

Related podcast: Is ‘homomorphic encryption’ the Holy Grail of cloud security?

Current versions of  Office 365 and Windows Defender Advanced Threat Protection have been equipped with new threat intelligence and malware hunting tools, and the security features of Azure Security Center has been similarly beefed up.

Me-too bandwagon

Last week both Amazon and Google climbed on the we-need-to-bake-in-cloud-security-band-wagon.  Amazon did so, fittingly, by going shopping. Its Amazon Web Services division  acquired Sqrrl, a Cambridge, Mass.-based threat detection technology start-up, with an NSA pedigree. That acquisition pairs nicely with AWS’s earlier buyout of Harvest.ai, a security startup that uses machine learning to ferret out anomalous behavior in cloud storage databases .

Meanwhile, it was easy to miss Google’s me-too move last week. That’s because it was made by the search giant’s freshly-minted parent company, Alphabet, which very quietly launched an independent business, dubbed Chronicle. According to Chronicle CEO Stephen Gillett, the service will feature a new cybersecurity intelligence and analytics platform intended to “help enterprises better manage and understand their own security-related data.” Chronicle also leverages VirusTotal, the malware intelligence service Google acquired in 2012.

Ray

“The announcements today by Amazon Web Services and Alphabet/Google are encouraging and demonstrate that more and more, cyber security is at the forefront of corporate agendas,” observes Terry Ray, CTO at Imperva. “Both of these technologies will likely serve as analytic platforms for threat detection, which isn’t necessarily a new idea, though I’m sure they’ll have their differentiators.”

Ray believes Amazon and Google will drive towards forwarding all types of collected security logs into these new systems, “then letting them churn through the data to find the needle in the needle stack.”

New SIEM rival

Google, in fact, has publicly alluded to its intention to use Chronicle to compete directly with suppliers of SIEM (security information and event management) systems and threat intelligence platform tools. The search giant has been singing the praises of an ‘immune system’ approach – very difficult to do and not exactly original. That said, Google clearly has the computing and human resources to push the edge of the envelope.

Of course the tech titans have no one to blame but themselves for the predicament cloud computing faces. AWS has been the staunchest advocate what it calls the “shared-responsibility model,” under which its responsibility is limited to locking down the underlying infrastructure, while customers must secure everything they build on the AWS cloud. That approach has freed AWS to lead the way in developing and monetizing an expanding portfolio of cloud services, and get very rich in the process. The same holds true, in lesser degrees, for Microsoft and Google,

The market couldn’t get enough of the cloud. Enticed by the comparatively low operating costs and high reliability of cloud computing, companies now routinely tap Amazon Web Services, Google Cloud and Microsoft Azure not just for data storage, but also to run all manner of business operations.  As for security, the general rule has been that individual companies assemble and support security systems of varying efficacy.

Catastrophic failure scenarios

To put it bluntly, cloud security has been disjointed at best, chaotic at worst.  And in our interconnected world, where one company may not be as security-minded as the next, that’s led to the proliferation of ripe attack vectors and all too many successful breaches.

Underscoring this point, Lloyds of London has put out some research that demonstrates just how vulnerable cloud computing really is.  The insurance underwriting behemoth has constructed what it’s calling a “plausible scenario” of how a cyber attack could cause a catastrophic three-day cloud outage.

If just one of the major cloud players goes down for three days – think AWS, Google Cloud or Microsoft Azure – Lloyd’s has 95% confidence that something like this would happen:

•The U.S. would sustain economic losses of $11 billion to $19 billion

•Businesses outside the Fortune 1,000—relying more on the cloud—will incur 63% of losses

•Fortune 1,000 companies will incur 37% of economic losses

• Manufacturing would see direct economic losses of $8.6 billion

•Wholesale and retail trade sectors would see economic losses of $3.6 billion

•Information sectors would see economic losses of $847 million

•Finance and insurance sectors would see economic losses of $447 million

•Transportation and warehousing sectors would see economic losses of $439 million.

Essential steps

Amazon’s recent acquisitions give AWS new tools to critically analyze millions of events firing off moment-to-moment on Amazon’s cloud platform. There appeards to be great  potential for applying machine learning and artificial intelligence in new ways to parse out malicious activity.

There’s a long, long way to go. The profit imperative will probably muck things up. But all of that said, I think it’s a very good thing that these tech giants are making these moves. The long term answer to making the cloud computing specifically, and Internet commerce generally, as safe as they need to be, is designing security into the fabric of the infrastructure.

These first few baby steps are vital.



This is a Security Bloggers Network syndicated blog post authored by bacohido. Read the original post at: The Last Watchdog