Are the Barbarians at the Gate? By @EFeatherston | @CloudExpo [#Cloud]

The Cloud, Security and Breaches – Are the Barbarians at the Gate?

Target. Home Depot. Community Health Systems. Neiman Marcus. Their names have all been in the news over the past year, though probably not in a way they would like. All have had very public data breaches affecting anywhere from 350,000 (Neiman Marcus) to 4.5 million (Community Health Systems) customers. Add the recent high-profile celebrity nude photo hacking scandal and cloud security has become the trending topic in all the news and social media. Some of the discussions reminded me of a line from a short-lived TV show called ‘Almost Human’ (yes I watched it, and since it was not renewed, apparently I was part of a small group). In the opening sequence of the show was the line ‘technology has forever altered the criminal landscape.’ Is that where we are? Are the barbarians at the gate? Will this, or should this, impact decisions about migrating to the cloud?

Cloud: guilt by association
Cloud has become the ubiquitous term and so overused that whenever a breach happens, it's assumed it is a cloud problem. The reality is that out of all the breaches I mentioned earlier, only one of them - the celebrity nude photo scandal - had any connection to cloud technology. In his recent article "Celebrities get phished, cloud gets blamed," David Linthicum makes the point, saying that "no matter if it's truly a cloud service or, in most cases, internal systems that are somehow compromised. Because no one in the general media really knows what a ‘cloud’ is, it's all a cloud to them." The other breaches I listed were all internal system breaches, with various methods used to accomplish the breach. "11 Steps Attackers Took to Crack Target" gives a great detailed description of the process the hackers used to breach Target's systems last year. While the first step started with a simple email phishing campaign, it required a complex set of tasks executed over time to eventually compromise Target's Point of Sale (PoS) systems, which is where the actual breach occurred. None of that had anything to do with the cloud.

No technology negates the need for design and planning
While a majority of the highly public security breaches may not be related to the cloud, that does not mean going to the cloud has no security risks involved. Going to the cloud does not automatically give you the security you may need for your data. As with any other complex system, the risks must be understood, analyzed and planned for. Mitigation strategies should be put in place, and test plans designed and developed to validate that the security you have put in place is working as expected. In addition, this should not be a ‘once and done’ type of planning. Security risks are changing at breakneck speeds in the Social, Mobile, Analytic and Cloud (SMAC) disruptive technology landscape of today. These disruptions have altered the criminal landscape, and while the barbarians may not be literally at the gate, they will always be trying to storm the castle, testing your defenses, trying to find other ways in, and seeking the treasures behind those walls - your data.

No system is ever 100 percent safe
This is not meant to be a doom and gloom prediction, just a reality of networked systems. The only 100 percent secure system is one that has no network connections and that no one has physical access to - obviously that level of protection is not realistic or usable in any way. Going to the cloud can be just as secure as (if not more secure than) using internal-only systems. Whether in the cloud or not, putting security mechanisms in place is always a delicate balancing act between protection and usability of the system. Everything is a tradeoff. As technologists, it is our responsibility to identify the risks and options available with their inherent tradeoffs, and work with the business to determine the appropriate mechanisms to put in place. Ideally, the two primary goals when designing and testing your security measures should be:

  • Make it so difficult and time-consuming to break through that those trying will just move on
  • Have mechanisms in place to detect attempts to get through those barriers so that countermeasures can be taken (up to and including taking the system offline if the protection of the data is critical enough)

These always need to be balanced and measured with the business to ensure everyone is making informed decisions based on the business benefits, usability and risk associated with those decisions.

Are the barbarians at the gate?
Yes, they always have been and they always will be. There will always be people out there trying to hack into systems, whether for criminal intent or just because. It doesn't mean we should avoid going to the cloud or avoid providing access to systems that have legitimate business value. It just means we should always do our due diligence, identify the risks, design and plan to deal with those risks, and work in concert with the business so that informed decisions get made and all stakeholders have the appropriate expectations. This process should be constantly in motion and evolving given how quickly technology is moving in the disruptive SMAC landscape we operate in today.

More Stories By Ed Featherston

Ed Featherston is VP, Principal Architect at Cloud Technology Partners. He brings 35 years of technology experience in designing, building, and implementing large complex solutions. He has significant expertise in systems integration, Internet/intranet, and cloud technologies. He has delivered projects in various industries, including financial services, pharmacy, government and retail.
