Safeguarding the Cloud

By Mohit Tiwari, Associate Professor, The University of Texas at Austin

The velocity with which organizations are adopting the cloud has created an entirely new wave of security threats. Enterprise data is particularly vulnerable. Cloud storage has enabled companies and developers to push out production-grade, scalable applications at light speed. However, many organizations—from IT support all the way up to management—simply cannot keep up with the pace of change, leaving them defenseless against a barrage of new threats to data security that evolve as rapidly as they wreak havoc.

Currently, developers build complex database-backed applications, weaving delightful experiences out of complex open-source and third-party components. They can add tens of millions of new lines of code with just a few “import” statements. Production operation teams roll out new code multiple times a week to thousands of machines. The big draw to the cloud—efficiencies from streamlined development, scalability of microservices architectures and the ease of deploying cloud-native applications—creates evolving security threats that are impossible to completely contain without radically new approaches.

The widely reported 2017 breach of consumer credit giant Equifax, which exposed the personal information of 147 million people, was believed to have originated from a flaw deep inside the Apache Struts framework—in a common PDF upload library that most developers use.

"Protecting cloud-based data from attack will only be made possible if cybersecurity is woven into the very fabric of systems’ frameworks"

This vulnerability went undetected in the framework for over eight years.

Equifax is the most high-profile public example of this type of data breach. But most companies—large and small—are exposed to the very same web-application vulnerabilities.

Unsung Heroes

Operations teams are the real unsung heroes who have to deal with the brunt of these issues and the fallout from attacks. They have to set up application firewalls for code they didn’t write, monitor software behaviors they didn’t define, and find needles in the proverbial haystack of high-dimensional alert-logs covering thousands of machines. With even the most advanced AI algorithms proving susceptible to adversarial inputs, these heroes now have to create robust algorithms for security logs—a notoriously difficult dataset to model accurately.

Essentially, we continue to react to attacks rather than proactively developing reliable preventative tools that might limit how much damage they cause. But when the security weaknesses in existing cloud frameworks are embedded into the very fabric of their design, this perpetual defensive loop that enterprises find themselves in isn’t going to change.

Cybersecurity is inherently asymmetric, and cloud-based deployment models greatly amplify this asymmetry. Even a single vulnerability can lead to the next Equifax, or a single configuration error to the next Capital One breach—another high-profile example that impacted nearly 106 million innocent customers. In contrast, to try to combat these threats, development teams have to protect each and every application with roughly one security engineer per 100 developers in the organization—all already working under aggressive compliance deadlines mandated by GDPR, CCPA, and other data protection acts.

Developers have benefited greatly from using sophisticated tools to micro-segment application-layer networks and streamline identity across applications. The next frontier is to enable developers and privacy engineers to protect data in a consistent, scalable manner. Privacy engineers can visualize and enforce data-compliance rules while state-of-the-art research can enable data protection to fit seamlessly within developer frameworks with very little impact on performance. At cloud-scale, small mistakes are amplified into big breaches that impact customers’ privacy and companies’ brands. Cloud-native companies that build data protection into their frameworks, on the other hand, can be agile while still safeguarding their users’ trust.
