Defending enterprise cloud: many security breaches are internal | #AWSSummit

This week, theCUBE broadcasted live from the AWS Summit in San Francisco, streaming the event and granting plenty of air-time for some of the brightest minds in the business.

Mark Nunnikhoven, VP of Cloud & Emerging Technologies with security specialist Trend Micro, joined Jeff Frick, General Manager of theCUBE, to talk about the security issues posed by the cloud when it comes to enterprise adoption.

“Of course, the big knock-down on cloud – and AWS specifically – tends to be the assumption that it is not secure enough, and that enterprises are not comfortable and ready for it,” noted Jeff Frick.

“A lot of what you’ve said is just a myth; it’s lack of understanding,” replied Nunnikhoven. “People do not understand that, when you are moving to the AWS cloud, security works in a shared responsibility model. Now you partner with AWS to provide overall security; they take some of the heavy lifting, and then you still have work to do. People expect a hands-off experience and that’s when they get bit. You need to know what your responsibilities are, and work with Amazon AWS, to make sure you meet that and have a complete model.”

Frick asked Nunnikhoven to detail some of the specifics that people miss, citing Trend Micro’s role in helping them solve those security issues.

“We take over where it’s the customer’s responsibility; the shared-responsibility model means that you, as a user of AWS, need to secure the operating system, your applications and your data,” explained Mark Nunnikhoven. “Everything underneath that is taken care of by AWS. Trend Micro provides products and guidance and professional services help. We help people secure their operating systems with advanced controls like Anti-Malware, Integrity Monitoring and Intrusion Prevention, as well as encryption for their data at rest, and then we have a product called Deep Security for Web Apps that helps validate all those controls as a security scanner.”

Nunnikhoven was also happy to announce that Trend Micro received pre-approved status for AWS. “You can scan all your applications and data in AWS, without getting permission ahead of time; that’s not something that every scanner has, you normally have to ask AWS for permission, otherwise their security guys get a little angry,” joked Nunnikhoven.

“Basically people want to run security scans on what they have,” observed Frick, asking Nunnikhoven if Trend Micro was the only provider with pre-approved scanning capabilities from AWS.

“There are others, but we offer a complete solution of packages. Our defensive controls also ‘talk’ to our scanner – you get an additional layer of intelligence there and it’s all backed by our global intelligence network we call the ‘smart protection network’, which has over 1000 researchers contributing new information every day. It’s a huge pool of data that we can leverage to protect your applications,” added Nunnikhoven.

Protecting cloud-defining trends

Frick then invited Nunnikhoven to talk about two things that define cloud: the effect of the infrastructure on security, and remote devices.

“At a strategic level, we had to shift away from protecting stuff to focusing on protecting your information. The idea of one giant wall to protect everything no longer holds water because you have so many different areas,” said Nunnikhoven. “A good example is AWS WorkSpaces, which launched with public availability this morning. Your data now lives in the AWS cloud, and they let you access it from any of those devices, but the data only stays in that one place,” clarified Nunnikhoven. “They tried to solve that problem of having your data everywhere, by giving you access everywhere but keeping the data safe in one location.”

“Your access is distributed, but the actual application isn’t,” summarized Frick.

“There are two ways to approach it and it really depends on what the specific app is, but distributing access: if you are not going to give your users access where and when they want it, they are going to route around you and figure out a way,” explained Nunnikhoven. “As a security provider, we want to make sure that we provide tools that enable people to have that access. You can let security drag you down. That goes back to the original question of security as a blocker in the cloud: when you address security in the right way, with the right tools, it’s really an enabler for all these types of solutions that we’ve been talking about.”

Frick had another interesting remark regarding security: “A lot of times security breaches are from internal people.”

“Guys inside the firewall are obviously still a concern, because at the end of the day you are enabling your employees to work with your data. If you don’t give them that access, they can’t do their work. I think what you are referring to more is if somebody got inside your data center and tapped a domain network switch, they get to see everything, because it’s common that you don’t run encryption within your own data center. AWS is taking care of that infrastructure for you now. It’s a combination of people and process controls, giving you the least amount of privilege you need to do your job. The idea is, if you don’t need admin rights, you shouldn’t have them. Because mistakes happen,” warned Mark Nunnikhoven.
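The least-privilege point above (“if you don’t need admin rights, you shouldn’t have them”) is easy to state and easy to get wrong in an IAM policy. The following is an added example, not code from the article, from Trend Micro or from AWS: a small checker that flags Allow statements in an IAM policy document which grant wildcard actions or wildcard resources (the combination of both being effectively admin), shown against two constructed policies, an over-broad one and a least-privilege one that grants only read access to a single hypothetical S3 bucket. The bucket name and the finding labels are assumptions made for the example.

```python
import json

# Two constructed IAM policy documents (not from the article). The first is the
# "admin rights for everyone" anti-pattern; the second grants only what one job
# (reading objects from a single, hypothetical bucket) actually needs.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
})

LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-reports-bucket",
                "arn:aws:s3:::example-reports-bucket/*",
            ],
        }
    ],
})


def _as_list(value):
    """IAM allows a string or a list in Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy_json):
    """Return (statement index, finding label, detail) tuples for Allow statements
    that grant more than a specific job needs: wildcard actions ('*' or
    'service:*'), wildcard resources, or both together (effectively admin).
    Deny statements are skipped because they only ever narrow access."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wildcard_resources = [r for r in resources if r == "*"]
        if "*" in wildcard_actions and wildcard_resources:
            findings.append((index, "ADMIN", "allows every action on every resource"))
        elif wildcard_actions:
            findings.append((index, "WILDCARD_ACTION", ", ".join(wildcard_actions)))
        elif wildcard_resources:
            findings.append((index, "WILDCARD_RESOURCE", "actions apply to all resources"))
        # An Allow written with NotAction grants every action except those listed,
        # which is the same over-broad shape in disguise; flag it as well.
        if "NotAction" in stmt:
            findings.append((index, "NOT_ACTION_ALLOW", "grants all actions except those listed"))
    return findings


def is_least_privilege(policy_json):
    """True when no Allow statement in the policy is over-broad."""
    return not find_overbroad_statements(policy_json)


if __name__ == "__main__":
    for name, doc in (("admin", ADMIN_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, find_overbroad_statements(doc) or "no findings")
```

The check is deliberately syntactic: it does not evaluate conditions or resource-level permissions, so a clean result means the policy has no obvious wildcard grants, not that every listed action is justified. Reviewing the remaining explicit actions against the job they serve is still a human task.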