Most of you may know it by now: I am back at Microsoft, working as an Executive Security Advisor in the Western European region. One of the reasons why I re-joined was that I want to have a real impact with one of the leading providers of technology, especially in the Cloud.
Just before I left Accenture, I had quite a few discussions within Switzerland about the basic regulations a country will need to help keep the Internet safe. It is obvious that this discussion is heading in the direction of classic security hygiene, such as risk management, identity management and patch management, applied to the extent the customer's own risk management requires. This needs to be done in every infrastructure, and it needs to be done professionally.
However, as most companies do not have IT as their core competence, they try to run security with a 0.5 FTE who then has to cover all the tasks needed, and who is on a mission impossible. Even the big, global companies have difficulties with their inventory, with patch management (as a consequence of the inventory problem), with their identities and so on. I am deeply convinced that the cloud can help here! But first we need to understand the different responsibilities, knowing that this discussion is by no means new.
- IaaS. With infrastructure as a service, the provider protects the infrastructure and makes sure it is as secure as possible and as secure as needed. However, if you lift and shift your old workloads in the same setup you have on premises, you will only get slight improvements. You benefit from a well-maintained infrastructure and you know what you deployed (i.e. the inventory), but everything else stays as it is.
- PaaS. With platform as a service, things change slightly. We secure your infrastructure, your machine and your basic database setup, but the rest is again up to you: you need to make sure you maintain the application on top.
- SaaS. Obviously, with SaaS you gain the most when it comes to security. If you are on Office365, we manage the whole stack for you. IAM etc. will still be with you, as will risk management and policy compliance.
In all these cases you need the right level of transparency to make sure you can prove to your customers, to management and to the regulator that you did the right things. You might even need access to the provider's policy framework and to evidence that the controls are followed and audited. You need access to the relevant logs to do monitoring and incident response, and you need the know-how to do this in your hybrid environment.
The trigger for me to write this post was a blog post I read in the aftermath of the Meltdown security updates. We published an update called Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems, answering customer questions on performance. It contained one statement that is relevant for this discussion:
If you are running on Azure, you do not need to take any steps to achieve virtualized isolation as we have already applied infrastructure updates to all servers in Azure that ensure your workloads are isolated from other customers running in our cloud. This means that other customers running on Azure cannot attack your VMs or applications using these vulnerabilities.
We did the work to protect you. For a lot of customers it will take weeks, if not months, until they have patched all their hypervisors; with Azure, in the cloud, it comes for free.
What you gain is the ability to focus on your business and on the risk management for your environment. Let the cloud provider, let us, take care of the infrastructure problems; let us take care of a major part of security by moving to the Cloud.