Embracing the Cloud's Potential for Security

Rick Dakin, CEO, Co-founder and Chief Security Strategist

I spoke recently at TIA’s Network of the Future conference. At the session, which was heavier on vendors than operators, the discussion was very focused on the cloud. Everyone wants to know what’s coming next and if they’re ready for it.

The accelerating cloud transition is both good and bad for data security teams. It’s good, because it’s an opportunity to prepare and defend a dynamic platform that can be far more secure than the static legacy platforms that many organizations are defending today. It’s bad because a mistake made in the cloud could put a huge number of organizations and individuals at risk at once.

There’s a lot of concern over what the cloud means, but this should not be a scary time. We can capitalize on this opportunity to deploy a hardened cloud that will comply with new standards like FedRAMP and PCI mobile services. This will take careful risk assessment, more secure application development and integration of more nimble monitoring and active security response.

All sustainable security programs are based on “defense in depth,” with static border protection and access control supplemented by dynamic monitoring programs that constantly analyze new threats and suggest the appropriate responses.

The same principle applies to organizations that are serious about protecting customer information. Many recent breaches have been executed with sophisticated, zero-day malware exploits that were undetectable by antivirus solutions. If the cloud is breached, we need active monitoring to make sure the bad guys aren’t running wild undetected.

The biggest remaining obstacle to creating a secure cloud is our inability to conduct risk assessments of integrated third parties. We’ve seen with multiple recent breaches – again this month with AT&T – that the easiest way into a company’s system can be through its connected vendors. The entire ecosystem has to be secured.

At its simplest, cloud security begins with a clear allocation of responsibilities between the customer and a cloud service provider (CSP):

  • Identify where your data will be stored. Compliance laws and regulatory standards may require information to be stored only within the United States.

  • Ensure adequate physical security. The “cloud” is simply a bank of servers stored somewhere else. Verify they are safe.

  • Enforce access controls. The cloud user should know who has access to stored data, how they are screened, and the training programs that are in place.

  • Verify CSPs are monitoring the flow of data and using alerts to identify breaches, track user activity, and enforce accountability for user actions.

Coalfire has conducted thousands of assessments of virtualization architecture for clients in a wide range of industries. Contact us today if you’re serious about protecting your data and thinking through your own cloud migration plans.

Rick Dakin
