This is the fifth post in a series on the future of information security, which will be the basis for a white paper. You can leave feedback here as a blog comment, or even submit edits directly over at GitHub, where we are running the entire editing process in public. This is the initial draft, and I expect to trim the content by about 20%. The entire outline is available. See the first post, second post, third post and fourth post.

Implications for Cloud and Infrastructure Providers

Security is (becoming) a top-three priority for cloud and infrastructure providers of all types. For providers with enterprise customers and those which handle regulated data, security is likely the first priority. As important as it is to offer compelling and innovative services to customers, a major security failure has the potential to wipe out clients’ ability to trust you – even before legal liabilities.

If you handle information with value on behalf of your customers, you are, for nearly all intents and purposes, a form of bank.

Trust Is a Feature

Enterprises can’t transition to the cloud without trust. Their stakeholders and regulators simply won’t support it. Consumers may, to a point, but only the largest and most popular properties can withstand the loss of trust induced by a major breach. There are 5 corollaries:

• Customers need a baseline of security features to migrate to the cloud. This varies by the type of service, but features such as federated identity, data security, and internal access controls are table stakes. Cloud providers need a baseline of inherent security to withstand attacks, as well as customer-accessible security features to enable clients to implement their security strategies.
• You are a far bigger target than any single customer, and will experience advanced attacks on a regular basis. Centralizing resources alters the economics of attacks, inducing bad guys to incur higher costs for the higher rewards of access to all a cloud provider’s customers at once.
• User own their data. Even if it isn’t in a contract or SLA, if you affect their data in a way they don’t expect, that breaks trust just as surely as a breach.
• Multitenancy isolation failures are a material risk for you and your customers. If a customer’s data is accidentally exposed to another customer, that is, again, a breach of security and trust. People have been hunting multitenancy breaks in online services for years, and criminals sign up for services just to hunt for more.
• Trust applies to your entire cloud supply chain. Many cloud providers also rely on other providers. If you own the customer trust relationship you are responsible for any failures in the digital supply chain.

It isn’t enough to simply be secure – you also need to build trust and enable your customers’ security strategies.

Building Security in

The following features and principles allow customers to align their security needs with cloud services, and are likely to become competitive differentiators over time:

• Support APIs for security functions. Cloud platforms and infrastructure shouldn’t merely expose APIs for cloud features; but also for security functions such as identity management, access control, network security, and whatever else falls under customer control. This enables security management and integration. Don’t require customers to log into your web portal to manage security – although you also need to expose all those functions in your user interface.
• Provide logs and activity feeds. Extensive logging and auditing are vital for security – especially for monitoring the cloud management plane. Expose as much data, as close to in real time, as possible. Transparency is a powerful security enabler provided by centralization of services and data. Feeds should be easily consumable in standard formats such as JSON.
• Simplify federated identity management. Federation allows organizations to extend their existing identity and access management to the cloud while retaining control. Supporting federation for dozens or hundreds of external providers is daunting, with entire products available to address that issue. Make it as easy as possible for your customers to use federation, and stick to popular standards that integrate with existing enterprise directories. Also support the full lifecycle of identity management, from creation and propagation to changing roles and retirement.
• Extend security to endpoints. We have focused on the cloud, but mobility is marching right alongside, and just as disruptive. Endpoint access to services and data – including apps, APIs, and web interfaces – should support all security features equally across platforms. Clearly document security differences across platforms, such as the different data exposure risks on an iOS device vs. Android device vs. laptops.
• Encrypt by default. If you hold customer data encrypt it. Even if you don’t think encryption adds much security, it empowers trust and supports compliance. Then allow customers who want, to control their own keys. This is technically and operationally complex, but becomes a competitive differentiator, and can eliminate many data security concerns and smooth cloud adoption.
• Maintain security table stakes. Different types of services handling different types of workflows and data tend to share a security baseline. Fall below it and customers will be drawn to the competition. For example IaaS providers must include basic network security on a per-server level. SaaS providers need to support different user roles for access management. These change over time so watch your competition and listen to customer requests.
• Document security. Provide extensive documentation for both your internal security controls and the security features customers can use. Have them externally audited and assessed. This allows customers to know where the security lines are drawn, where they need to implement their own security controls, and how. Pay particular attention to documenting the administrator controls that restrict your staff’s ability to see customer data and audit when they do.

These are nothing near all the security features and capabilities cloud providers should consider, but they strongly align with the way we see enterprise security evolving.

Conclusion

Once, many years ago, I had the good fortune to enjoy a few beers with futurist and science fiction author Bruce Sterling. That night he told me that his job as a futurist is to try to predict the world seven to ten years from now, which is where informed estimates become speculative fiction. As analysts we normally look out three to five years, and at seven to ten years the accuracy of our predictions declines.

Unless we cheat.

Nothing we described in this paper is science fiction. There are real-world examples of everything we have discussed in production deployments with brand names. This paper doesn’t predict a future ten years out – it merely pulls together the leading edge of what we see today, with the expectation that it typically takes seven to ten years to coalesce and trickle out to the broader world. Looking at technology adoption cycles, and the sheer amount of effort it takes to transition the majority of existing workloads to cloud computing and new security platforms, even ten years may be aggressive for many organizations.

The security future is here – it just isn’t evenly distributed. All this is happening now, but it isn’t all happening together. But if you look hard, make smart decisions, and plan for the future, you can definitely experience these benefits today.