Best Practices For Public Cloud Security Part Three Of A Three-Part Series On Public Cloud Security



Similar documents
The Cloud Manager s Balancing Act Balancing Security And Cost Without Sacrificing Time-To-Value

The State Of Public Cloud Security Part One Of A Three-Part Series On Public Cloud Security

Leverage Micro- Segmentation To Build A Zero Trust Network

Cloud Without Limits: How To Deliver Hybrid Cloud With Agility, Governance, And Choice

Enterprises Seek The Benefits Of Hybrid Cloud, And Work To Overcome The Challenges

Capacity Management Benefits For The Cloud

The Power Of Real-Time Insight How Better Visibility, Data Analytics, And Reporting Can Optimize Your T&E Spend

A Forrester Consulting Thought Leadership Paper Commissioned By Zebra Technologies. November 2014

Hybrid Cloud Adoption Gains Momentum

Connect and Protect: The Importance Of Security And Identity Access Management For Connected Devices

Governance Takes A Central Role As Enterprises Shift To Mobile

Managed Mobility Cloud Services Gain Momentum With European Midmarket Organizations

Firms Turn To Next- Generation Firewalls To Tackle Evolving IT Threats

Private Or Public Cloud Isn t The Right Question It s Going To Be A Hybrid World

The Move Is On To Open Source Integration Software

Simplify And Innovate The Way You Consume Cloud

Are SMBs Taking Disaster Recovery Seriously Enough?

Single-Vendor Security Ecosystems Offer Concrete Benefits Over Point Solutions

Top Unified Communications Trends For Midsize Businesses

The Move Toward Modern Application Platforms

Records Management And Hybrid Cloud Computing: Transforming Information Governance

Key Strategies To Capture And Measure The Value Of Consumerization Of IT

The Key To Cloud And Virtual Computing

Application Delivery Controllers For Virtual Applications

Delivering New Levels Of Personalization In Consumer Engagement

A Forrester Consulting Thought Leadership Paper Commissioned By HP IT Operations Managers Must Rethink Their Approach To Private Cloud

What are your firm s plans to adopt x86 server virtualization? Not interested

Future IT Capacity Planning Depends On Flexibility

Top 10 Managed Hosting And Hosted Cloud Best Practices

How To Adopt Cloud Based Disaster Recovery

Protecting Customer Experience Against Distributed Denial Of Service (DDoS)

Continuous Third-Party Security Monitoring Powers Business Objectives And Vendor Accountability

Managed Hosting And Private Hosted Cloud Both Are Viable Alternatives To Public And Virtual Private Cloud Models

Converged Infrastructure: Ready For The Next Phase

Strategically Source Your Next Data Centre Data Centre Purchasing Drivers, Priorities, and Barriers for Asia-Pacific Firms

SMBs File Storage Needs Are Growing, But 57% Underestimate File Server Costs 45% Are Interested In Cloud Options

Which Managed Hosting And Private Hosted Cloud Option Is Right For You?

Digital Business Requires Application Performance Management

Why Endpoint Backup Is More Critical Than Ever

A Custom Technology Adoption Profile Commissioned By Aerohive Networks. January Cloud Networking

Intent Data Can Sharpen Your Competitive Edge

Executive Summary Sales Reps And Operations Professionals Need Rich Customer Data To Meet Revenue Targets... 3

Zero Trust Requires Effective Business-Centric Application Segmentation

A Forrester Consulting Thought Leadership Paper Commissioned By Brother. December 2014

The Unified Communications Journey

Is It Time To Refresh Your Wireless Infrastructure?

Hybrid Cloud Places New Demands On The Network

Leverage A Third-Party Data Center To Deliver Increased Business Value

How To Get Cloud Erp For A Small Business

A Key to Cloud Efficiency: Aggregation

Cloud Backup And Disaster Recovery Meets Next-Generation Database Demands Public Cloud Can Lower Cost, Improve SLAs And Deliver On- Demand Scale

Enterprises Shift To Smart Process Apps To Engage Customers

UC And Collaboration Adoption By Business Leads To Real Benefits

Cloud Change Agents Drive Business Transformation

The Total Economic Impact Of SAS Customer Intelligence Solutions Intelligent Advertising For Publishers

A Faster Pace For Retail Paid Search Real-Time Insights Are Critical To Competitive Advantage

For Infrastructure & Operations Professionals

Database-As-A-Service Saves Money, Improves IT Productivity, And Speeds Application Development

The Necessity Of Cloud- Delivered Integrated Security Platforms

Improving The Retail Experience Through Fast Data

Enable Mobility With Application Visibility At The Edge Of The Network

How To Get Started With Customer Success Management

Accelerate BI Initiatives With Self-Service Data Discovery And Integration

Private Clouds. Krishnan Subramanian Analyst & Researcher Krishworld.com. A whitepaper sponsored by Trend Micro Inc.

Application Performance Management Is Critical To Business Success

IT Security s Responsibility: Protecting Mobile Certificates

The Risks Of Do It Yourself Disaster Recovery

Benefits Of Leveraging The Cloud Extend To Master Data Management

The Road To CrossChannel Maturity

Voice Transformation Enables Many Business Benefits

Are SMBs Taking Disaster Recovery Seriously Enough?

Customer Cloud Adoption: From Development To The Data Center

Building Value from Visibility

How To Protect Your Cloud From Attack

Is Your Big Data Solution Production-Ready?

Leverage Cloud-Based Contact Center Technologies To Provide Differentiated Customer Experiences

Online And Mobile Are Transforming B2B Commerce Firms That Act Now Will Gain Appreciably, Companies That Don t Will Fall Farther Behind

Consumer Web Portals: Platforms At Significant Security Risk

An Executive Primer To Customer Success Management

A Forrester Consulting Thought Leadership Paper Commissioned By BMC Software Industrializing IT Workload Automation

Drive Innovation Using The Right Skills: The Value Of Custom Software Development

Netzwerkvirtualisierung? Aber mit Sicherheit!

The Expanding Role Of Mobility In The Workplace

How Server And Network Virtualization Make Data Centers More Dynamic

The New Calculus Of Marketing How Marketing Leaders Must Re- Engineer For The Internet Of Customers

DAM 2020: Expectations From Digital Asset Management Of The Future

Refresh Your Approach To 1:1 Marketing How Real-Time Automation Elevates Personalization

Mobile Device Management Underpins A Bring-Your-Own- Device (BYOD) Strategy

Security: The Vital Element Of The Internet Of Things

Endpoint Security Takes Center Stage Real-Time Prevention Is A Must-Have Capability

Infrastructure As Code: Fueling The Fire For Faster Application Delivery

Real-Time Data Analytics Empowering Publishers To Make Better, Faster Decisions

A Tidal Wave of Dynamic Web Content Is Coming How Will You Respond?

Close The Gaps Left By Traditional Vulnerability Management Through Continuous Monitoring Organizations Find Real Value With Continuous Monitoring

Latest IT Trends For Secure Mobile Collaboration

Software Integrity Risk Report

The Total Economic Impact Of SAS Customer Intelligence Solutions Real-Time Decision Manager

Big Data Ups The Customer Analytics Game

Not All Cloud Solutions Are Created Equal: Extracting Value From Wireless Cloud Management

Ubiquitous Connectivity Is Changing Business And Technology Planning

Transcription:

A Forrester Consulting Thought Leadership Paper Commissioned By Trend Micro February 2015 Best Practices For Public Cloud Security Part Three Of A Three-Part Series On Public Cloud Security

Table Of Contents Executive Summary... 1 Security Remains A Top Concern About Public Cloud... 2 Best Practices For Public Cloud Security... 2 Appendix A: Methodology... 5 Appendix B: Demographics/Data... 5 Appendix C: Endnotes... 6 ABOUT FORRESTER CONSULTING Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging in scope from a short strategy session to custom projects, Forrester s Consulting services connect you directly with research analysts who apply expert insight to your specific business challenges. For more information, visit forrester.com/consulting. 2015, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional information, go to www.forrester.com. [1-PVTJUJ]

1 Executive Summary Security is, justifiably, a top concern about public cloud environments. Application developers are migrating to the cloud for the agility and speed that the cloud can provide. One thing that developers often do not account for in their cloud usage is the security of that cloud. It is up to cloud managers, with support from IT security, to ensure that their public cloud deployments are secure and that the data and workloads in that cloud are protected. At the heart of public cloud security is a shared responsibility between the cloud vendor and the organization. Forrester calls this the uneven handshake, where the cloud service provider is only responsible for securing the data center, infrastructure, and hypervisor, while the end user organization is responsible for the operating system, applications, users, and data. Unlike in many hosting models, the cloud vendor isn t responsible for solving all security requirements. Expecting security for the entire stack isn t an option nor is it wise. Our survey of 321 IT professionals involved in public cloud security found that only 18% of respondents believe the native security capabilities of cloud providers are sufficient for their implementation. Forrester believes that to ensure the data and assets in their public cloud environments are secure, cloud managers need to work with their security teams to adopt a Zero Trust security approach. A Zero Trust Model means the organization must: 1) verify and secure all resources; 2) limit and strictly enforce access control; and 3) log and inspect all traffic. However, in the public cloud, time-to-value for developers is the No. 1 priority, so risk must be balanced with agility when it comes to securing your public cloud. This requires special consideration on the part of cloud managers to preserve the tenants of Zero Trust without sacrificing the time-to-value of your public cloud. This paper is the third in a series of three on public cloud security practices. This paper follows The Cloud Manager s Balancing Act, which describes the need for cloud managers to balance developer time-to-value with security risk and costs. Please see the methodology section of this paper for more details.

2 Security Remains A Top Concern About Public Cloud In the public cloud model, responsibility for the security of the cloud is split between the cloud provider and the organization. The provider is responsible for securing the data center, infrastructure, and hypervisor, while the end user organization is responsible for the operating system, applications, users, and data. Forrester calls this the uneven handshake. The security of data and other assets in the public cloud is a serious concern of cloud managers and IT security alike. Developers are concerned with their time-to-value, not cloud security. The responsibility for securing the cloud falls to cloud managers and IT security. Our custom survey shows that 40% of IT professionals involved in their organization s public cloud security policies and tasks are very concerned, and an additional 36% are concerned, with the security of the applications and data in their public cloud environment (see Figure 1). This is a real and valid concern, and one that can keep companies from getting the most out of their public cloud environments. FIGURE 1 Public Cloud Security Is A Concern Of Cloud Managers And IT Security Alike How concerned are you with the security of the applications and data in your public cloud environment? Very concerned 40% Concerned 36% Neutral 14% Not concerned 9% Not at all concerned 2% Base: 321 IT professionals involved in their organization s public cloud security policies and tasks Note: Percentages may not total 100 because of rounding. Source: A commissioned study conducted by Forrester Consulting on behalf of Trend Micro, May 2014 Best Practices For Public Cloud Security Cloud managers need to work with IT security to secure the users, data, and applications in their public cloud environments. To do so, Forrester recommends that they adopt a Zero Trust security model. There are three concepts that are the foundation of the Zero Trust security model that need to be incorporated into how cloud managers secure their public cloud environments today. 1 These are: Verify and secure all resources. Limit and strictly enforce access control. Log and inspect all traffic. One issue in implementing Zero Trust practices in a public cloud setting is that the controls needed can be timeconsuming a nonstarter for savvy cloud managers. Therefore, cloud managers need to apply the tenants of Forrester s Zero Trust security model without sacrificing the time-to-value of their developers. To do this, cloud managers should work with their security teams to leverage the following best practices (see Figure 2): VERIFY AND SECURE ALL RESOURCES To ensure public cloud resources are secure, be sure to: Encrypt data intelligently. Part of the uneven handshake of public cloud security is that the customer is responsible for the security of their data in the cloud. However, encrypting all of the data in your public cloud can be costly in terms of both time and money. To ensure your data is secure, you must, at a minimum, encrypt sensitive or toxic data before it enters the cloud. Our survey data shows that just over half of organizations (54%) using public cloud are encrypting sensitive data in the cloud today. 2 You should also control the encryption keys so you are not reliant on the cloud provider. Forrester terms this bring your own encryption. Consider the sensitivity and toxicity of your workloads before they enter the cloud, and encrypt intelligently using data protection technology. Train developers to consider security. While you do not want to burden your developers with time-consuming public cloud security processes, education and training can help ensure developer compliance with your cloud policies. Implement a secure development life cycle, and

3 use application scanning solutions that can be fully automated in the public cloud to detect known vulnerabilities. Our survey shows that 45% of organizations using public cloud are providing education to end users on public cloud safety, and 44% have made security training mandatory to accessing their public cloud. LIMIT AND STRICTLY ENFORCE ACCESS CONTROL To ensure only trusted users are accessing your public cloud data, be sure to: Get visibility into your public cloud. To ensure safety, you need to know who is accessing your cloud, how they are accessing the cloud, and what resources are going into the cloud. Our survey shows that just over half (51%) of organizations using public cloud are actively tracking data packets in the cloud today. The goal is to identify threats and neutralize them with cloud-enabled versions of antimalware or host intrusion detection and/or intrusion prevention (IDS/IPS) solutions. In addition to monitoring the cloud, having limited access points to your public cloud allows you to control access using identity and access management technologies. However, you must be sure not to impede on your developers as they try to access the cloud. LOG AND INSPECT ALL TRAFFIC To secure your public cloud without impeding on your developers, be sure to: Use tools that can automate security provisioning and track and monitor workloads. To maintain your developers time-to-value, use a tool that automates security provisioning for workloads. These tools should tag workloads before they enter the cloud, automatically assigning security policies across multiple controls based on predefined criteria. The goal is whenever you spin up a workload, it inherits the security policies automatically without creating a manual change management workflow, which slows provisioning. Once the data is in the cloud, continue to monitor workloads for unplanned or malicious changes using cloud-friendly log inspection and integrity monitoring solutions, and review the applied policy to ensure the proper level of security is in place. Our survey data shows that 43% of organizations are reviewing already deployed workloads to ensure the correct level of security is applied. FIGURE 2 Operations Best Practices For Public Cloud Security Whatoperations best practices do you follow to ensure the right level of security is applied? (Select all that apply) Actively track data packets in the cloud to detect breaches and data location Engage security professionals to evaluate the sensitivity of the workloads to determine suitability for the cloud and the ideal data security protocol Provide education to end users such that they can better understand how to use public cloud safely Mandate cloud security training and liability waivers before granting access to the public cloud Review workloads that are already deployed to ensure that the correct level of security is applied Require developers to request via a ticket-based system, and rely on cloud administrators to provision the correct resources Completely automate security policies 34% 35% 43% 46% 45% 44% 51% Rely on a third-party cloud security specialist to ensure security requirements are met We don t; operations focuses on cost optimization not security 14% 28% Base: 321 IT professionals involved in their organization s public cloud security policies and tasks Source: A commissioned study conducted by Forrester Consulting on behalf of Trend Micro, May 2014

4 MAKE SURE YOUR SECURITY TEAM UNDERSTANDS THE CLOUD Your IT security team will be your key partner in protecting the cloud, provided they understand the importance of your developers time-to-value. Work with your security team to understand the unique challenges of cloud security, especially in the context of the shared security responsibility model, and how these challenges require different solutions. A good partnership between cloud managers and security will help to implement Zero Trust best practices for your cloud. Our survey shows that 46% of organizations are engaging their security team to evaluate workload sensitivity to determine cloud suitability and ideal protocols. However, if your security team does not understand the differences in securing the cloud, you risk the benefits of your investment.

5 Appendix A: Methodology In this study, Forrester conducted an online survey of 321 organizations of 100 or more employees spending more than an average of $5,000 per month on public cloud in Australia, Brazil, France, Germany, Japan, the UK, and the US to evaluate current and best practices in public cloud security. Survey participants included IT professionals involved in their organization s public cloud security policies and tasks. The study began in April 2014 and was completed in May 2014. Appendix B: Demographics/Data FIGURE 3 Survey Demographics DE: 10% Company size UK: 16% 20,000 or more employees 20% US: 16% FR: 11% JAP: 16% 5,000 to 19,999 employees 25% 1,000 to 4,999 employees 36% 500 to 999 employees 13% BRA: 16% AUS: 17% 100 to 499 employees 6% IT role (Select all that apply) Which title best describes your position at your organization? Infrastructure 73% Operations 71% Cloud infrastructure/ operations/architect Solution/application architecture Security 59% IKM 46% SVM 31% 41% 51% C-level executive 25% Vice president 11% Director 25% Manager 30% Project manager 3% Full-time practitioner 5% ADD 31% Software testing and QA 25% Business analyst 21% Base: 321 IT professionals involved in their organization s public cloud security policies and tasks Note: Percentages may not total 100 because of rounding. Source: A commissioned study conducted by Forrester Consulting on behalf of Trend Micro, May 2014

6 Appendix C: Endnotes 1 Source: No More Chewy Centers: The Zero Trust Model Of Information Security, Forrester Research, Inc., October 7, 2014. 2 A commissioned study conducted by Forrester Consulting on behalf of Trend Micro, May 2014.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information