Guest blog by David Spark, Spark Media Solutions
Companies have to stop treating the cloud as the data center. It’s no longer your domain, it’s a shared domain.
“When you go into a public cloud you have to relinquish a perceived level of control,” said Stan Black, CSO for Citrix in our conversation at the Black Hat USA 2016 conference in Las Vegas.
That lack of control can still be instrumented, said Black. When a user pushes a piece of code into the cloud, what technical instrumentation do we use to manage the security of that code? Is it adhering to my policies and procedures?
“You have to put the controls through the structure of a release as well as the revocation of a release,” said Black.
Quoting President Ronald Reagan, Black said when moving your activity into the cloud, you have to “trust and verify.”
That involves making sure your cloud provider does what they say they’re going to do. Enterprise security is highly dependent on cloud provider contracts. Don’t just sign the contract and assume all will be done. You must see proof and it can’t just be “as good as the datacenter,” it has to be better, said Black.
If it isn’t, it may negate the benefits of the cloud you originally sought.
Instrument Control Systems When Moving to the Cloud – Black Hat 2016 from CloudPassage.