Cloud-Delivered Security

January 1, 2020 | 5 min read

Milan Patel

Global Head of MDR


Reality has set in for organizations of all sizes - relevance and future revenues will require digital transformation and adoption of cloud services. Gartner predicts the public cloud services market to grow to $331.2 billion in revenue by 2022. A multitude of “as-a-service” solutions, on-demand scalable information technology, and the acceleration of DevOps, machine learning, and artificial intelligence are some of the major drivers.

While buzzwords like “cloud workloads” and “cloud computing” dominate the headlines, organizations are still struggling to understand the benefits and challenges of cloud security. How is my data protected in the cloud? Can the cloud provider do it better and cheaper than I can? Will their approach impact the security of my business? Will it impact my business operations?

When examining the security implications of the cloud, companies often struggle to weigh the risks versus the benefits of “cloud-delivered” (also known as “cloud-enabled” or “cloud-native”) security products and services. This is due in large part to the historical concern of “losing control” over data protection and access controls as companies migrate sensitive data and applications to the cloud. They have worried that they can no longer maintain control of the physical infrastructure, specifically the server room “down the hall.” Because the physical infrastructure is abstracted by the cloud provider, cloud security must focus on protecting data in an infrastructure- and environment-agnostic way.

Companies must shift their security mindset away from perimeter controls to data-centric controls by asking key questions:

  • What data does a cloud-enabled service actually collect and ingest into the cloud? What data remains on-premises?
  • How do I find and catalog sensitive data when it moves and resides on servers I can’t physically access?
  • What controls are in place to restrict access to data from individuals who do have physical access?
  • How long does data get stored in the cloud? And how is it protected in storage from access or modification?
  • How does the data get securely deleted from the cloud?
  • How do I “get my data back” from the cloud?

By contrast, cloud-based security solutions are purpose-built to use the cloud to provide clear answers to the security questions above and to go far beyond the traditional, perimeter-based approach of on-premises security solutions. These solutions are commonly called security-as-a-service (SECaaS). SECaaS solutions leverage the cloud, big data technologies, machine learning, and continuous streaming analytics to identify indicators of compromise (IOCs) and malicious behaviors of compromise (BOCs) in real time, which better detects and stops the latest threats. The result is better, more accurate, and more actionable threat prevention. In addition to leveraging cloud computing, SECaaS solutions can help unify visibility across the environment, regardless of whether the protected assets reside in the cloud or on-premises.

While there are clear advantages to SECaaS security capabilities, it’s important to ensure that customers understand how these solutions satisfy key business requirements for the data. One of the most common misunderstandings concerns which data is collected and sent to cloud environments versus which data always remains on-premises. Many companies mistakenly believe that the sensitive data and files, which often reside on endpoints or in applications, are transmitted to the cloud and become accessible to security solutions. This is not true: SECaaS providers purpose-build their collection to gather only security-relevant metadata, not corporate data, to feed their analytical process.

An easy way to understand the difference is that SECaaS solutions are not interested in the actual content of an Excel file. They are interested in the machine data that the Excel file generates when it is opened or used. To that end, major privacy regulations, including GDPR, make specific exclusions for cybersecurity-driven data collection. For example, GDPR contains a specific provision (known as Recital 49) that explicitly names “providers of security technologies and services” as an example of parties whose use of data does not constitute a digital privacy concern.

There are many SECaaS solutions available in the market today, from endpoint defense through DDoS mitigation. Let’s examine endpoint defense, specifically next-generation anti-virus (NGAV) solutions. These solutions and services play a critical role in protecting both on-premises and cloud-based endpoints. We’ll avoid describing NGAV or the differences between it and traditional AV, as there is plenty of readily accessible information that already does that. However, it is important to discuss how privacy and data security relate to cloud-based NGAV solutions.

  • Privacy: As is the case with any security product, compliance accreditations vary by provider, but for the most part vendors strive to comply with all major compliance standards (from PCI-DSS to GDPR). In addition to maintaining attestations of compliance with auditable frameworks, many vendors are also publicly tested by organizations like MITRE and/or validated by Coalfire for additional layers of technical scrutiny.
  • Security: As discussed above, NGAV solutions are not designed to read user-generated content (for example, the content of emails or PDF documents), nor to transmit PII or payment card data. Instead, they are designed to read and collect the metadata that describes file or operating system activity, process execution, application activity, and other events that occur on the endpoint. This is commonly referred to as “telemetry”. Moreover, these solutions build in strict and detailed user activity logging and role-based access control, meaning that every click associated with the management of the NGAV solution is recorded while analysts review and investigate alerts on the endpoints.
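To make the telemetry-versus-content distinction and the analyst audit trail concrete, here is an added example (not code from the original post or from any vendor's product): it builds a file-open telemetry record that carries a hash and process context but never the file bytes, checks that no slice of the content leaked into the record, and wraps alert access in a role check that logs every attempt. All field names, roles and sample values are constructed for illustration.

```python
"""Constructed illustration of metadata-only endpoint telemetry plus a
role-checked, fully audited management console. Not a real NGAV schema."""
import hashlib
import json
from datetime import datetime, timezone

def build_file_event(path, content, process, pid, user, host_ip):
    """Telemetry for a file-open event. The record carries a hash, the size
    and the process/user context; the file bytes themselves never enter it."""
    return {
        "event": "file_open",
        "ts": datetime.now(timezone.utc).isoformat(),
        "path": path,
        "sha256": hashlib.sha256(content).hexdigest(),
        "size": len(content),
        "process": process,
        "pid": pid,
        "user": user,          # captured, as the post notes
        "host_ip": host_ip,    # captured, as the post notes
    }

def leaks_content(record, content, window=8):
    """Defensive check: does any window-sized slice of the file content appear
    verbatim in the serialised record? Expected to be False for telemetry."""
    text = content.decode("utf-8", errors="ignore")
    if not text:
        return False
    blob = json.dumps(record)
    return any(text[i:i + window] in blob
               for i in range(0, max(1, len(text) - window + 1)))

# Hypothetical role table for the management console (constructed).
ROLES = {"analyst": {"view_alert"}, "admin": {"view_alert", "close_alert"}}

class Console:
    """Every management action is recorded, whether or not it was permitted,
    so audit and privacy reporting can reconstruct who looked at what."""
    def __init__(self):
        self.audit = []

    def act(self, who, role, action, alert_id):
        allowed = action in ROLES.get(role, set())
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "who": who, "role": role, "action": action,
                           "alert": alert_id, "allowed": allowed})
        return allowed
```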

Here’s a sample of a real-world alert from an NGAV solution. This alert was created based on potentially malicious indicators and behavior. While the solution does capture the endpoint IP address and username, you will notice there is no sensitive information collected by the console relative to the alert generated from the activity on the endpoint. The content below is what will be stored in the cloud by the SECaaS solution and viewed by the analyst who has access to the console to investigate the threat. As discussed above, the analysts’ activities are always logged and can be reviewed in response to audit and privacy reporting requirements.

In conclusion:

  • Security alerts and machine telemetry are not the same as the actual content of the files or applications within the computer.
  • SECaaS solutions are designed to be operated from the cloud, not to move your corporate data to the cloud.