Cloud Security: Getting it RightGartner's Chuvakin on Cloud, Big Data and Fraud Trends
Organizations first moving to the cloud have the opportunity to test and identify security issues. Unfortunately, many neglect to do so, says Gartner's Anton Chuvakin.
"The original intention was to learn to do security on less critical data, and then eventually when you move more critical data to the cloud, you already have your lessons learned and you have prepared controls and tested monitoring approaches," says Chuvakin, who joined Gartner in 2011.
But that's not always the case, he says in an interview with Information Security Media Group's Tracy Kitten [transcript below].
When people move less important data onto the cloud, "it doesn't become the test bed," Chuvakin says. "It becomes the motto for moving even more critical stuff later, and that really kind of freaks me out."
If organizations move less sensitive information that isn't heavily protected, a potential disaster occurs when critical information is also hosted using the same technology. "When you move the less critical, less regulated data, it's to actually test what doesn't work," he says. "What we want to do is to test the way we're going to do security on critical data in the cloud and critical resources in the cloud today."
Another area of concern is the growing force of mobility paired with cloud, which leads to "diffusion of data and also loss of visibility about what's going on with the data," he says.
The hard part will be getting that visibility back, he says, "so we know what's going on with our data, with our computing resources and with our data storage."
During this interview, Chuvakin discusses:
- How some organizations may get too comfortable with public cloud environments;
- Why organizations must pay more attention to denial of service attacks;
- Four steps that financial institutions especially should take to ensure better security.
Before Chuvakin joined Gartner, his job responsibilities included security product management, evangelist, research, competitive analysis, PCI-DSS compliance, and SIEM development and implementation. He is the author of "Security Warrior" and "PCI Compliance," and was a contributor to "Know Your Enemy II," "Information Security Management Handbook" and others. He has published dozens of papers on log management, SIEM, correlation, security data analysis, PCI-DSS, and security management. His blog, "Security Warrior," has grown to become one of the most popular in the industry. Chuvakin also has taught classes and presented at security conferences across the world; he recently addressed audiences in the U.S., the U.K., Singapore, Spain, Russia and other countries. He has worked on emerging security standards and served on advisory boards of several security startup companies.
TRACY KITTEN: You joined Gartner in August of last year as a director in the GTP Security and Risk Management Group. For the last 15 years, you focused on security. Now at Gartner, you're broadening your security and fraud coverage to include the cloud, big data and denial-of-service attacks. I'd like to start with some discussion about cloud security and how you see the cloud impacting management and security specific to certain banking channels such as mobile.
ANTON CHUVAKIN: I wanted to highlight the fact that I've been focusing on ID theft, security information management, log management, as well as vulnerability management, and a few other areas. Lately, I also picked up denial-of-service coverage in our team, so it's a good, interesting package of security technologies and security issues to focus on. I do think that I would want to preserve some depth in many of those areas, because there are plenty of people who cover breadth but not depth.
In any case, going back to the cloud, I really see cloud and mobile as being two forces that affect the technology industry and obviously affect the way we do security. They tend to be treated separately as mobile devices, bring your own device, this clutter of challenges, as well as the mobile e-commerce as well as challenges which are kind of joined within cloud and mobile because when you use a mobile device, in most cases we're accessing something located online, if not in the cloud. So in many cases, the data loss challenges and the sort of loss of control, loss of visibility, challenges which I like to focus on very often, are kind of joined or shared challenges between cloud and mobile.
What I think is that if you have a sensitive data repository that used to be housed somewhere deep inside the data center, and the only way to access it was to walk over or maybe connect remotely but only on the LAN, local area network, today in many cases the same information is available from a mobile device to multiple partners, and maybe its even stored in a shared service provider, like a cloud service provider. What they have is kind of a combination of two forces: diffusion of data and also loss of visibility about what's going on with our data. As I pointed out a few seconds ago, my focus for the year has been on monitoring and visibility, log-in security monitoring, and so I see these as thriving in importance because of cloud and mobile. If we don't have full control over IT resources, technologies, data storage, we have to compensate loss of control with more visibility, but some of the cloud initiates it and actually leads to both loss of control and loss of visibility. To me, that means security will in fact suffer. We have to get in gear and figure out how we can get the visibility back so we know what's going on with our data, with our computing resources, with our data storage, and honestly I don't think we can ever bring the control back because today it's already out there. Information is already everywhere so it's kind of too late to say, "Can I put it back in the data center?" Control is lost but visibility is not lost and we can get it back through different technologies.
Cloud Computing Trends
KITTEN: What other trends do you see in cloud computing, beyond mobile and some of the other financial services channels?
CHUVAKIN: In a recent report on security monitoring for public cloud assets, what I noticed while doing the research - and I spent about a few months doing the research for that report - is that some of the companies mostly move less critical and less important - and certainly not regulated - stuff to the public cloud. By the way, in this conversation, when I say cloud, I really do mean public cloud. If you're using some fancy virtualization technologies, you're using the private cloud, you have challenges, but these are not the same challenges. Here we just do the shorthand of cloud computing to mean public cloud.
Some of the trends I see is that when people move unimportant stuff to the cloud, this generates less requirements for security monitoring, for encryption, for data protection, for control assessments, and you move stuff you can lose, or it can be lost, corrupted; it can be viewed by others. But the thing is, the original intention presumably was to learn to do security on less critical data, and then eventually when you move more critical data and more critical resources to the cloud, you already have your lessons learned and you have prepared controls and you have tested your monitoring approaches. You've tested your security architectures and you can do stuff securely.
However, I'm afraid that when people move less important stuff on the cloud, it doesn't become the test bed. It becomes the motto for moving even more critical stuff later, and that really kind of freaks me out, because if I move stuff that's essentially public and I don't protect it - which is the right decision - and then I use the same technology and the same provider to host critical stuff because I already have experience with them, to me that's a potential disaster. When you move the less critical, less regulated data, it's to actually test what doesn't work, and then when you move the critical data, you can use the lessons learned.
Essentially, cloud computing is not all new or not all old. I just hate those debates I sometimes see in the blogs. "All cloud computing is just like a mainframe. All cloud computing is a completely new paradigm." It's really neither. It's kind of an interesting mix, or blend, of new and old. There are some things clearly from outsourcing; there are some things which are clearly from remote data center management. There are other things which are clearly from other technical domains, so cloud computing today, public cloud computing, is kind of a blend of challenges from different old fields and some of the new ones. What we want to do is to test the way we're going to do security on critical data in the cloud and critical resources in the cloud today. When we actually do that, we already have our intellectual capital on how to do that.
KITTEN: What about big data? What about big data security and management? How is so-called big data impacting financial services?
CHUVAKIN: Big data - the two words combined together - is kind of a buzz word in many cases, and when I hear people ask questions, "Are you doing something about big data?" What does it mean really? What's in this conversation? There's no specific meaning attached to the word "big data" and I really don't want people starting projects or exploring technologies or deploying something without knowing what they actually do.
Let me try to psychoanalyze our current obsession with big data. In many cases, when people say "big data," they really mean analytics. They don't mean big data storage. You can store a lot of data in a fairly effective manner. What would happen is that you wouldn't be able to use the data. You can take the data. You can put it on massive hard disk arrays in file format and it would be pretty big, but it wouldn't be big data because you can not make use of it. Even people who are standing up their hadoop clusters and they're using other technologies to store massive amounts of data - and by massive here we're talking about high terabytes, low petabytes, or potentially even more data - these people are not doing it just to waste the disk space. They want to learn something from the data. They want some value. They want some insights. So to me, when I hear big data, I really don't want people to obsess about big data storage. I want people to understand big data analysis, getting the insight from data.
To be honest, people who cannot do analysis on small data shouldn't even attempt to do big data, because if today you don't know how to analyze a bunch of Excel spreadsheets for your small relational database, if the limit of your analytics is summarizing a column in Excel, then you really shouldn't go into a big data project. Big data to me is big data analysis, and big data analysis requires you to have big data and analysis skills. To me, many companies can get the former, but not that many can get the latter, and looking at using big data for security, I see exactly the same conundrum. We can put together multiple terabytes of logs, configuration information, log-in abilities and pile it in one big massive store - whether sequel or no sequel is a separate story. But what are they going to do with that? Using big data for security is really about analytics and learning how to analyze the data, your journey towards security data analysis from small data and then eventually migrate to big data.
Now there's a flip side of this - those using big data approaches, big data analytics, for security, but there's also securing of big data. You have people who sort of know their way around a commercial RDBMS system. They know how to secure it, how to configure it. But have you met somebody who knows how to secure a massive hadoop cluster that's being used by multiple people for multiple purposes? This is a tricky challenge. Just as cloud and security there's security for the cloud and there's security in the cloud. big data has the same exact relationship. There's usually big data for security and there's securing big data, and we [are] very early in both of our journeys.
KITTEN: The next area that I wanted to talk about relates to denial-of-service attacks, or DDoS attacks, and hacktivism. How concerned should banking institutions be about some of these socially motivated attacks?
CHUVAKIN: I was given this as a new area of coverage, so I'm trying quickly to get up to speed in terms of the denial-of-service attacks in 2012, the defenses, defense strategies, defense architecture approaches, when they work, which attacks are blocked, which attacks are not blocked. Essentially, I'm exploring all of this and building massive mind maps of information and talking with different people from the DDoS victims to providers. Denial of service was to some extent a forgotten area of security. Denial of service got a lot of attention in 2001, essentially 11 years ago, and denial of service is getting a lot of attention now in 2011 and 2012. What happened in all those years? Was there no denial of service at all? Or was it not just a fun subject to talk about? In any case, now denial of service is back on the radar. I'm still surprised that a bit of time that has been wasted since the first high-profile denial-of-service attacks in 2000 and the late 90's to today. We could have done more things to prepare for the current on-slot of denial of service.
Another lesson I've learned so far is, despite denial-of-service attacks being really, really old in security years, they're still kind of underappreciated. Almost all entities, and by entities I mean organizations and companies, might have somebody on this whole planet who hates them, justifiably or not is a separate story. Now some organizations have way more bandwidth than others. We all know some of the attacks on major social networks didn't really work. On the other hand, most organizations do not command multi-gigabyte pipes to the Internet. If you use Internet for anything business critical - website, voice over IP - you probably have to have denial-of-service protection, and I'm not trying to say you have to buy dedicated products. You have to think about this; you have to plan. You have to analyze what would happen if you lose this capability for an hour, a day, a week or more. There are some attacks that your Internet service provider would deal with, but there are many other ways to degrade or destroy your online presence that aren't easily motivated by your ISPs. Attackers are figuring out more ways to make money off denial of service and, yes, we all know that it's easier to make money by stealing credit cards. Yes, we all know that. However, denial of service isn't that far behind in terms of a money maker. You can blackmail people; you can do other things. I was even reading some of the analysts' research this and I've seen it written in black and white. Some of the analyst firms just suggested that certain companies allocate budgets to paying off attackers, and that to me - when I read this - I had to pinch myself because I wasn't sure I was really seeing this.
Fraud, Security Trends
KITTEN: What fraud trends and security technology trends are you seeing that are having the greatest impacts on financial services now and in the coming months?
CHUVAKIN: Visible technologies that give more visibility, and by visibility I don't just mean collect the logs and store them somewhere. I really mean the comprehensive set of technologies that gives us awareness about what's going on. From log-in to control assessment to vulnerability assessment to network anomaly detection, all these technologies give us a view about what's going on. I often like to quote the Verizon Breach Report from last year and from this year and my favorite number in the whole report is that in like 90 percent of some of the cases, evidence of the intrusion was in fact either in the logs or in other monitoring technologies, but nobody looked at that. And only when the incident respondents came on site they saw this data. We're not doing enough to get the visibility, both in a technical sense, collecting data, as well as in the process analytics and skill sense while nobody is looking at the data. I like people to focus on both components, gaining visibility of having data flow into those technologists and having people who are smart enough to understand what's going on.
4 Security Priorities
KITTEN: Before we close, what advice can you offer to banking institutions where technology investments and some of these fraud or security trends are concerned?
CHUVAKIN: I do have four lessons. They're not really listed in priority order; they're all important. First is if you're doing manual security processes and technologies for compliance, it doesn't mean you're doing it wrong. It just means that you're not exploiting them to the fullest potential. Compliance is meant to drive security, not to be a replacement for it. Compliance is a motivator, not an end goal. If you're deploying a central security information and event management tool for compliance, make sure it's used or at least enabling the investigations.
The next point I wanted to make is really focus on technologies that give you more visibility: security monitoring, log-in, control assessment. You want to actually know what's going on. And you want to know it from the technical sense, not from what should be going on because there are plenty of policies written about what should be going on. I can assure you, this is not what's going on. To really know what's going on, you have to have census, data collection, data analysis, as well as skilled people looking at all this stuff. This was lesson number two.
Lesson number three, sort of adjacent to number two, is that the real information, the facts, really come from systems, not always from asking people questions and looking at policies. You want to have the data collected by the actual technologies.
And the fourth advice I wanted to give people is to really focus more on learning from others. If you're being attacked by a specific threat vector, there's a high chance that somebody else on this planet has already dealt with it. This applies even to unique threats. Maybe the specific binary, the specific executables are different, but their approaches and the take and the tactics that the attacker followed might have been seen somewhere else. Please try to get involved with people who can share such information with you. This is one of the great things financial institutions, as well as others, can be doing to bulk up their defenses and to really know what's going on, because if somebody has seen it and spent time analyzing the threat, why wouldn't you learn from their experience?