I spent last week in San Francisco at the RSA Conference. The annual event is the biggest event for the security industry and takes over the Moscone Center and surrounding area. Throughout the week I walked the show floor, visited vendor booths, and listened to pitches from companies. This is the first in a series of articles summing up my thoughts from this year’s RSA Conference.
Let’s start with the cloud. There is certainly no shortage of vendors using the word “cloud”, as it continues to be one of the prevailing buzzwords driving IT security—and IT in general. Although cloud seems to play a starring role, though, it seems to be missing in the ways that it would provide the most value—namely the ability for companies to secure and protect assets and data in the cloud.
Tenable Network Security put together a montage of interviews of Tenable experts—myself included—sharing what they saw at RSA. If you watch the video, you’ll see that almost all of us mention the cloud in some way.
The cloud is not new, but it is still gaining steam and more of our computing is being done in the cloud. The vast majority of the booths on the floor at RSA, however, are companies pitching tools that seem ill-equipped for cloud and instead focus on the legacy desktop / server model. In general, it seems like there are more cloud-based security solutions, but few solutions for securing the cloud itself. It seems like we need more cloud-focused solutions, or—more importantly—solutions that span legacy and cloud and can protect applications and data no matter where they are.
“I noticed the same thing on the floor, and it’s a symptom of two things,” explains Grant Shirk, senior director of product marketing for Vera. “First, it’s an evolving response to threat management—a race. But, you can’t ever overtake a speeding train if you’re chasing it on the same track, no matter how fast you go. You need a different track. And second, cloud adoption is providing new fuel and new fears to more established organizations.”
Shirk adds, “The benefit here is that I’m seeing a new crop of security companies—like Vera, Illumio, Menlo Security, and Skyport Systems—that are using the flexibility and availability of the cloud to bridge the gap between legacy infrastructure and cloud. While cloud adoption is at its peak, there’s still a lengthy transition for companies to work though, and that may take more than a few years.”
Klaus Gheri, VP of network security for Barracuda, says, “We found that going cloud or in other terms becoming increasingly dispersed as an organization also adds new operational challenges. The threats don’t actually change very much but many vendors have a hard time adjusting both their products and sales or support models to cloud.”
As evidence, Gheri describes an example that providing high quality cloud service access to your workforce may conflict with the concept of backhauling traffic for centralized inspection at a single breakout point to the Internet. Doing this from almost any location will require many more security devices. This can add a policy management challenge as well as a need for an overly large infrastructure investment if the wrong products are used. “The good news is that there are proven alternatives for the hybrid world available but it may mean you have to ditch your favorite suppliers.”
One of the primary benefits of migrating to the cloud is scalability and the ability to fluidly modify the entire infrastructure to meet demand. Virtual servers can be created and destroyed at the push of a button. The entire cloud infrastructure can change from minute to minute. With DevOps and container platforms that volatility can become exponentially greater—making it that much more difficult to even know what assets and data are on your network at any given point in time—never mind trying to effectively secure and defend them.
Next year—and in the years to come—I expect to continue to hear the word “cloud” at the RSA Conference. My hope, however, is that it will be less about just moving existing security solutions to the cloud, and more about adapting and evolving security solutions to address the unique challenges of securing a cloud infrastructure.
