Guest blog by David Spark, Spark Media Solutions
“Hardening the cloud is a really difficult conversation for someone to have that doesn’t own the infrastructure,” said John Pironti (@jpironti), president, IP Architects, in our conversation at the Black Hat USA 2016 conference in Las Vegas. “The whole point of the cloud is you don’t really have control of the infrastructure layers. You have governing control.”
Given that you can’t control the infrastructure, you have to follow the data, said Pironti. But that becomes even more complicated in the cloud, where visibility has been and continues to be somewhat elusive.
“When [data] goes to the cloud, you have less and less visibility especially as cloud providers are moving data around in such a way to make it more efficient for themselves,” said Pironti.
When a cloud provider is manipulating your data in a way that suits the provider, Pironti said, customers have to ask whether the provider is adhering to all the policies they set out for it, and what kind of assurance it can provide.
Responsibility for protecting your data is laid out in contracts with the cloud provider, which pretty much indemnify the provider against any legal responsibility for your data. But, Pironti said, most are willing to help and guide their customers.
“[If] they don’t necessarily meet your needs, you have to balance out,” advised Pironti. “Can I just use my cloud provider or do I need to use some other tools, capabilities, third-party vendor solutions to complement what the cloud provider can do to get the same level of expectation and control requirements that I’ve got in my premise environments?”
Cloud Security: Don’t Harden Infrastructure, Follow Data – Black Hat 2016 from CloudPassage on Vimeo.