UPDATED 07:00 EDT / OCTOBER 27 2014

FortyCloud And Taking The Public Cloud Private

How FortyCloud addresses cloud security: Q&A with CEO Amit Cohen

There’s a new wave of security vendors surfacing that are offering more innovative ways to address cloud security in light of enterprises’ increasing concerns about how to securely migrate to the cloud. One of these vendors is FortyCloud LTD, a Mansfield, Mass.-based cloud security company that provides Software-as-a-Service (SaaS)-based solutions that enable companies to secure all network and access aspects of their public cloud (Infrastructure-as-a-Service or IaaS) deployments. We recently asked FortyCloud CEO Amit Cohen to discuss a variety of cloud security-related challenges and ways to address them.

SiliconANGLE (SA): FortyCloud provides Software-as-a-Service (SaaS)-based solutions that enable companies to secure “all network and access aspects” of their public cloud (Infrastructure-as-a-Service) deployments. What are some of these network and access aspects?

Amit Cohen (AC): When your organization is using public cloud IaaS, your (usually virtual) servers are located in one or several remote public cloud data-centers. The inherent security issue with this model is that, in the same way that you can access your servers remotely, the bad guys can try to do it as well. So, the first thing you need to do is to isolate your cloud servers from the “outside world” to ensure privacy and protection of your data. This can be achieved by a set of network tools like encryption of data in transit and at rest, private IP addressing, firewalls, etc.

Amit Cohen, CEO of FortyCloud

Now that you’ve isolated your servers, you still need to allow your organization’s employees to remotely access those servers. Here comes the “access” part: You would like to identify the employees that try to access your cloud servers and, after verifying their identity, to make sure they can access only those cloud resources to which they are entitled. All those security practices were pretty straightforward when your servers were on-premise, but they become challenging when you are working in the cloud—a virtual environment where you have only limited control of the infrastructure.

 

SA: Let’s talk about “The Snowden Effect”, namely, the effect Edward Snowden’s actions are still having on business confidence in cloud security. How have the revelations of the National Security Agency’s exposed data-mining activities affected many organizations? (I understand that FortyCloud has partnerships with many leading IaaS providers in various regions of the globe).

AC: I would like to mention two main trends that we see with enterprises using IaaS: One, U.S. companies revisit their data-privacy policy and best practices. In the context of IaaS, organizations understand that if there is a possibility that their cloud provider will surrender their private data to the authorities, they need to protect their data in a way that will render such an act useless. Namely, they need to employ security means, strong encryption solutions that are “over-the-top” (i.e., not in control) of the cloud provider.

And two, some non-U.S. companies are now reluctant to partner with U.S. cloud providers and are looking for local alternatives. We see this trend very clearly in Europe where new cloud providers are now emerging, sometimes with support of the local governments. In Europe, we also see privacy regulations being “sharpened” to make it clear what the do’s and don’ts are with respect to private data records.

SA: Many companies are still reluctant to move some of their key business operations to the cloud out of fear of hackers. What advice would you give to these companies to reduce the risk from cyber-attacks?

AC: Today, IT managers can definitely build a secure enough solution for their organization in the cloud. The first step is to make sure you understand what the risks are associated with the migration, what the different cloud offerings available in the market are, and what security solutions they provide. Organizations like the Cloud Security Alliance can help in providing education on subjects like how to choose a cloud provider, security best practices in the cloud, etc.

After you choose your IaaS provider(s), you’ll probably have to select additional security tools to harden your cloud environment to the level you require. Many cloud providers offer a marketplace of security solution partners from which you can select the ones that provide the security tools you need, at the right price. Of course, there is sometimes a trade-off between risk and cost. For example, using a pure private cloud setup would provide less exposure than in a public cloud setup but would be significantly more expensive.

SA: I understand you are a proponent of spreading the risks among different cloud IaaS providers. Can you elaborate on the pros and cons of doing so?

AC: I am a proponent of not putting all your eggs in one basket. This is, of course, not viable to a small startup with three R&D servers in the cloud, but rather advice I would give to an organization whose business success is dependent on the well-being of its cloud deployment. If this is the case with your organization, you should at least make sure you are deployed in more than a single data center (even the largest cloud providers have data center outages from time to time). If you can deploy in data centers from different cloud providers, this reduces the risk of common failures even further and can also bring some economic benefits as well.

SA: From Target to Home Depot, massive security breaches have recently compromised the personal data of millions of customers. Can you elaborate on the status quo of businesses still often making security an after-thought? What do you think is the rationale behind this practice?

AC: I don’t believe that in most established enterprises IT security is an after-thought. The problem is, however, that today the threats are so sophisticated and fast-evolving, and the hackers are so motivated (be it by economic, espionage or even terrorist motives), that it is more difficult to keep up to speed with the proper “defense line”. In a sense, the cloud revolution didn’t help to reduce risks because it caused a huge disruption to legacy IT concepts and best practices. IT managers and security officers today need to be more skilled and more educated than before. As in many other cases, continuous education (conferences, industry events, training and case studies) is a must today.

SA: Can you name the five most common misconceptions around cloud security?

AC: “Cloud is great because you can ‘outsource’ the responsibility of IT security to your cloud provider.” This is totally wrong! The responsibility for security is yours. Most cloud providers work in a shared responsibility model where security of the guest operating systems and applications is the responsibility of the cloud user (read through the EULA of your cloud provider).

“Cloud is more secure than on-premise.” There are actually people saying that. There are roughly 1,000 simple attack trials (e.g., port scanning, SSH attacks), daily, on any public IP address in a public cloud data center.

“Cloud providers are born equal with respect to IT security.” Wrong. Different cloud providers have very different security capabilities embedded in their cloud offering. This is one of the things you need to study before choosing a cloud provider.

“My cloud provider is PCI-compliant. That’s fantastic; I don’t need to worry about security of my cloud servers.” The fact that the provider is working under stringent security regulations doesn’t say much for your area of responsibility vis-a-vis IT security (see the first misconception above).

The last misconception is not about security but still worth a few words: “Migration to the cloud will reduce my IT expenditures.” This is true in many cases but definitely not in all cases. Factors that need to be considered before making a decision are the size of the IT deployment that is “moving” to the cloud, how dynamic it is, whether or not it is self-contained or if it requires connectivity or support to/from legacy IT systems, etc.

SA: How can companies make their cloud security more robust?

AC: Here are a few well-known IT security best practices:

–Integrate identity with cloud access (e.g., integrate AAA technologies for remote cloud access for company employees)

–Encrypt all sensitive data going to the cloud

–Make sure firewall rules and policies are enforced also in the cloud

–Make sure your cloud deployment is not a flat network; it should be segmented to several subnets according to functionality and sensitivity

–Collect logs of events happening in your cloud network so your SIEM system can store and analyze them.

Personal Q&A with FortyCloud’s CEO

SA: What time did you get up this morning?
AC: 6:45am (but I worked till 2:00am last night). I always prepare sandwiches for my kids to take to school.

SA: Everyone has habits, hobbies or interests that make them smarter. What are two things that make you a smarter individual?
AC: I really love to learn: science, business, history, geography, whatever. I love to visit new places (it’s a useful hobby when you need to travel so much….)

SA: Name two mobile apps you can’t live without?
AC: I think I can live without them, but still, the two I use very heavily are: Waze and WhatsApp.

SA: What are two of your favorite things in your office?
AC: The meeting room (working with people on something new is fun). The coffee machine (we need to buy a new one though).

SA: What are two items you always carry around with you?
AC: Well, my cell phone and a credit card (not too interesting I am afraid).

SA: What’s the last book you read?
AC: Let the Devil Sleep by John Verdon (it’s a detective thriller).

SA: Favorite food?
AC: Chocolate (Noir, 70% Cocoa)

SA: Least favorite food?
AC: Onion soup

Photo credit: perspec_photo88 via photopin cc
Photo of Amit Cohen courtesy of FortyCloud
Photo credit: jimflix! via photopin cc
Photo credit: Creativity+ Timothy K Hamilton via photopin cc
Photo credit: EJP Photo via photopin cc
Photo credit: http://pixabay.com/en/caf%C3%A9-java-logo-coffee-programming-151346/
