From the Chief Technology Officer for Imperva

Terry Ray

Subscribe to Terry Ray: eMailAlertsEmail Alerts
Get Terry Ray: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Related Topics: Security Journal, Cloud Expo on Ulitzer, Secure Cloud Computing, Security

Blog Post

Rethinking Cloud FUD | @CloudEXPO @Imperva #DDos #GDPR #DataSecurity #CloudNative #Serverless #DevOps #DigitalTransformation

Agility means screwing up your security on somebody else's computer

Somebody Else's Security: Rethinking Cloud FUD

Almost every single day-I talk to people who are planning to move their organization's data to the cloud. What's more, this cloud excitement is vertical-agnostic. It's hard to find an industry that isn't thinking about cloud migration. Cisco predicts that, by 2021, 94% of global data center traffic will be processed in the cloud.

This is dramatically different from just a few years ago. Back then, if you asked an enterprise organization if they had plans to move to the cloud, it was like flipping a coin. At the time, enterprises were worried that the cloud inherently lacked security-because of the old bromide that the cloud is "somebody else's computer."

The major cloud providers listened, upping their security and compliance game while continuing to demonstrate the business agility cloud solutions could offer. Now, enterprises, on the whole, can't seem to get enough cloud.

And, for many, their security has suffered.

But their fears were staring back at them in the mirror.

There's a Hole in My AWS Bucket, Dear Liza

Consider just one example of an archetypal cloud security disaster: An IT administrator looks around his office and data center, sees all of his on-prem security solutions-database security, intrusion prevention system, anti-malware software, firewalls, physical security measures, etc.-and from there assumes that (or, at least, acts like) his cloud environment is just as secure. Consequently, he fails to build in additional security layers into the cloud environment-probably while utterly botching his security configurations.

The problem is endemic. In Amazon Web Services alone, an estimated 7% of AWS S3 buckets are configured to allow unrestricted access (which is at least down from five years ago, when that figure was nearly 16%). The list of enterprise IT organizations who had their private data publicly exposed in 2017 because of misconfigured AWS S3 buckets (whether because they did it themselves or because one of their third-party vendors put their data at risk) is long. The list includes consulting firms like Accenture, military contractors like Booz Allen Hamilton and TigerSwan, telcos like Verizon and Orange, financial institutions like Capital One, retailers like Walmart, and entertainment companies like WWE, Viacom, and the Australian Broadcast Corporation

And that's just one common way that enterprises in the cloud shoot themselves in the foot.

M&M Security in the Cloud

Now here's Part 2 of the cloud security disaster I began to describe.

Let's say, miraculously, no ill comes out of the failings of our IT administrator from the earlier example. He may even have accidentally done something right.

But now one of our lead developers looks around, sees the same things that the IT administrator did, and comes to the same conclusions as the IT administrator did about being in a "secure environment." And so, because every keystroke he can save represents precious time, our lead developer uses his recycled, easily guessable password (assuming he bothers to change the default). From there, he proceeds to upload production data (which, in a truly secure development lifecycle (SDLC), he shouldn't have access to in the first place) to the cloud. Then-completely forgetting that his code includes sensitive API keys-the developer posts said code to his GitHub repository.

Now comes an outside hacker, running a dictionary attack to get into our lead developer's GitHub repository. When the dictionary attack succeeds in a matter of seconds, the hacker gains access to our lead developer's user credentials, uses them to breach the company's AWS buckets, and holds the company's data for ransom.

This is an example of locking the door but leaving the key under the mat and having no alarm system, guard dog, or other "inner" security once the outer security of the door is breached.

Consider the tragedy of Code Spaces-a code-escrow company that publicly lauded its "well-practiced" and "proven to work" backup-recovery plan as a selling point. Code Spaces put its entire business-right down to the backups-on AWS. Then-somehow (probably in a manner not too far off from what I just described)-someone compromised or otherwise misappropriated the Code Spaces login for its AWS control panel and used the access to hold everything there for ransom. Code Spaces did not pay the money.

If you were to Google "Code Spaces" right now, you would see headlines like "Murder in the Amazon Cloud" and "Code Spaces: A Lesson In Cloud Backup." Code Spaces is out of business.

Somebody Else's Problem

All of this is to say that the cloud is indeed somebody else's computer, in the same way that an apartment is "somebody else's property." You may be renting the resources, and your "landlord" may be liable for particularized maintenance items-but you're still on the hook for losses and damages if you share your keys, leave the windows open, or leave the door unlocked.

The cloud is secure-or, at least, it can be. But a lot of cloud implementations aren't secure-because enterprises have turned the security fears of the "somebody else's computer" philosophy into a self-fulfilling prophecy. Specifically, the perception of the cloud has evolved from that of "somebody else's computer" to one of "somebody else's problem." The breaches described above were all user caused. All the cloud vendors can do is offer decent UX and training, and then cross their fingers.

4 Cloud Security Tips You Can Use

So what can you do? Here are some places to start:

Address the fundamentals. Let's start with the basics. AWS buckets are private by default. To leave an AWS bucket completely unsecured requires that the administrator do more work-suggesting that probably you have security problems far greater than the scope of this article. Ditto for those administrators and developers who never change the default login credentials-or who leave their login information exposed (whether on a sticky note on a computer monitor, or in a GitHub repository).

Monitor Everything. Let's say you hire a new administrator who inherits an IT environment.  Configuration issues often go overlooked as the new administrator gets acquainted with his or her new world-especially if thorough activity monitoring hasn't been implemented. And headline-splashing cloud security issues will only continue until organizations are truly monitoring what's happening in their cloud environments at the network, API, user access and raw data layers. Your central IT department, therefore, needs to be empowered with greater visibility and monitoring solutions-particularly as they may not be aware as to which workloads have been migrated to the cloud. They also need to be able to keep track of what is connecting to that cloud environment-because for every new API or other connection that is talking to your cloud environment, you have a new potential attack vector to secure.

And most will admit that they should already be monitoring all of this activity for regulatory compliance and/or forensic purposes anyway, though most simply aren't.

Have a Cloud Config Expert. Still, you need to have people who know what they are doing in the first place. It's not enough to have a team of data scientists who can work more efficiently on a cloud-based data platform. At least one of those data scientists needs to also know how to configure and secure that cloud-based data platform.

Audit Your Providers. Cloud vendors, also need to meet all of these standards-beyond mere simplicity and accessibility. (It's 2018; most of them are already sufficiently simple and accessible by now. That's why you wanted to go to the cloud in the first place.) Technology in the cloud should be leveraged to provide the visibility and transparency   to inform you who in your environment-and who in their environment-is touching which data, and when. And they need to be able to prove their compliance with whatever regulations to which you and your data are subject-beyond a mere certification that may or may not be real.

But the responsibility for checking all of this-as with all cloud-security concerns-lies with you. It may be somebody else's computer, but it's your data.

Terry Ray has served as Chief Technology Officer for Imperva since July 2017. He is responsible for developing and articulating the company's technical vision and strategy. Previously, he served as Imperva's Chief Product Strategist where he consulted directly with strategic global customers on industry best practices, threat landscape, data security implementation and industry regulations. Terry is a frequent speaker for RSA, Gartner, ISSA, OWASP, ISACA, IANS, CDM, NLIT, and other organizations worldwide. He holds a B.A. in Management Information Systems from the University of North Texas.


DXWorldEXPO LLC, the producer of the world's most influential technology conferences and trade shows has announced the conference tracks for CloudEXPO |DXWorldEXPO 2018 New York.

DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City.

Digital Transformation (DX) is a major focus with the introduction of DXWorldEXPO within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive over the long term.

A total of 88% of Fortune 500 companies from a generation ago are now out of business. Only 12% still survive. Similar percentages are found throughout enterprises of all sizes.

Register for Full Conference "Gold Pass" ▸ Here (Expo Hall ▸ Here)

Show Prospectus V041818 Here

Speaking Opportunities Here

Sponsorship and Speaking Inquiries: [email protected].

2018 Conference Agenda, Keynotes and 10 Conference Tracks

DXWordEXPO New York 2018 and Cloud Expo New York 2018 agenda present 222 rockstar faculty members, 200 sessions and 22 keynotes and general sessions in 10 distinct conference tracks.

  • Cloud-Native | Serverless
  • DevOpsSummit
  • FinTechEXPO - New York Blockchain Event
  • CloudEXPO - Enterprise Cloud
  • DXWorldEXPO - Digital Transformation (DX)
  • Smart Cities | IoT | IIoT
  • AI | Machine Learning | Cognitive Computing
  • BigData | Analytics
  • The API Enterprise | Mobility | Security
  • Hot Topics | FinTech | WebRTC

Register for Full Conference "Gold Pass" ▸ Here (Expo Hall ▸ Here)

DXWorldEXPO | CloudEXPO 2018 New York cover all of these tools, with the most comprehensive program and with 222 rockstar speakers throughout our industry presenting 22 Keynotes and General Sessions, 200 Breakout Sessions along 10 Tracks, as well as our signature Power Panels. Our Expo Floor brings together the world's leading companies throughout the world of Cloud Computing, DevOps, FinTech, Digital Transformation, and all they entail.

As your enterprise creates a vision and strategy that enables you to create your own unique, long-term success, learning about all the technologies involved is essential. Companies today not only form multi-cloud and hybrid cloud architectures, but create them with built-in cognitive capabilities.

Cloud-Native thinking is now the norm in financial services, manufacturing, telco, healthcare, transportation, energy, media, entertainment, retail and other consumer industries, as well as the public sector.

CloudEXPO is the world's most influential technology event where Cloud Computing was coined over a decade ago and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals.

FinTech Is Now Part of the DXWorldEXPO | CloudEXPO Program!

Financial enterprises in New York City, London, Singapore, and other world financial capitals are embracing a new generation of smart, automated FinTech that eliminates many cumbersome, slow, and expensive intermediate processes from their businesses.

Accordingly, attendees at the upcoming 22nd CloudEXPO | DXWorldEXPO November 11-13, 2018 in New York City will find fresh new content in two new tracks called:

  • FinTechEXPO
  • New York Blockchain Event

which will incorporate FinTech and Blockchain, as well as machine learning, artificial intelligence and deep learning in these two distinct tracks.

Register for Full Conference "Gold Pass" ▸ Here (Expo Hall ▸ Here)

Show Prospectus V041818 Here

Speaking Opportunities Here

Sponsorship and Speaking Inquiries: [email protected].

FinTech brings efficiency as well as the ability to deliver new services and a much improved customer experience throughout the global financial services industry. FinTech is a natural fit with cloud computing, as new services are quickly developed, deployed, and scaled on public, private, and hybrid clouds.

More than US$20 billion in venture capital is being invested in FinTech this year. DXWorldEXPOCloudEXPO are pleased to bring you the latest FinTech developments as an integral part of our program.

DXWorldEXPO | CloudEXPO are accepting speaking submissions for this new track, so please visit Cloud Computing Expo for the latest information or contact us at [email protected]m.

Register for Full Conference "Gold Pass" ▸ Here (Expo Hall ▸ Here)

Show Prospectus V041818 Here

Speaking Opportunities Here

Sponsorship and Speaking Inquiries: [email protected].

Download Slide Deck ▸ Here

Only DXWorldEXPO | CloudEXPO bring together all this in a single location:

Attend DXWorldEXPO | CloudEXPO. Build your own custom experience. Learn about the world's latest technologies and chart your course to Digital Transformation.

22nd International DXWorldEXPO | CloudEXPO, taking place November 11-13, 2018, in New York City, will feature technical sessions from a rock star conference faculty and the leading industry players in the world.

Register for Full Conference "Gold Pass" ▸ Here (Expo Hall ▸ Here)

Show Prospectus V041818 Here

Speaking Opportunities Here

Sponsorship and Speaking Inquiries: [email protected].

Download Slide Deck: ▸ Here

Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Meanwhile, 94% of enterprises are using some form of XaaS - software, platform, and infrastructure as a service.

With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend and learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.

Every Global 2000 enterprise in the world is now integrating cloud computing in some form into its IT development and operations. Midsize and small businesses are also migrating to the cloud in increasing numbers.

Register for Full Conference "Gold Pass" ▸ Here (Expo Hall ▸ Here)

Show Prospectus V041818 Here

Speaking Opportunities Here

Sponsorship and Speaking Inquiries: [email protected].

Download Slide Deck: ▸ Here

Companies are each developing their unique mix of cloud technologies and services, forming multi-cloud and hybrid cloud architectures and deployments across all major industries. Cloud-driven thinking has become the norm in financial services, manufacturing, telco, healthcare, transportation, energy, media, entertainment, retail and other consumer industries, and the public sector.

Sponsorship Opportunities

DXWorldEXPO | CloudEXPO are the single show where technology buyers and vendors can meet to experience and discus cloud computing and all that it entails. Sponsors of DXWorldEXPO | CloudEXPO will benefit from unmatched branding, profile building and lead generation opportunities through:

  • Featured on-site presentation and ongoing on-demand webcast exposure to a captive audience of industry decision-makers.
  • Showcase exhibition during our new extended dedicated expo hours
  • Breakout Session Priority scheduling for Sponsors that have been guaranteed a 35-minute technical session
  • Online advertising on 4,5 million article pages in SYS-CON's i-Technology Publications
  • Capitalize on our Comprehensive Marketing efforts leading up to the show with print mailings, e-newsletters and extensive online media coverage.
  • Unprecedented PR Coverage: Unmatched editorial coverage on Cloud Computing Journal.
  • Tweetup to over 100,000 plus Twitter followers
  • Press releases sent on major wire services to over 500 industry analysts.

Secrets of Our Most Popular Sponsors and Exhibitors ▸ Here

For more information on sponsorship, exhibit, and keynote opportunities, contact [email protected].

Show Prospectus V041818 Here

Download Slide Deck:Here

Speaking Opportunities

The upcoming 22nd International DXWorldEXPO | CloudEXPO November 11-13, 2018 in New York City, NY announces that its Call For Papers for speaking opportunities is now open.

Secrets of Our Most Popular Faculty Members ▸ Here

Submit your speaking proposal Here or by email [email protected].

Download Slide Deck: ▸ Here

About DXWorldEXPO LLC

DXWorldEXPO LLC is a Lighthouse Point, Florida-based trade show company and the creator of DXWorldEXPODigital Transformation Conference & Expo. The company produces and presents CloudEXPO, DevOpsSummitFinTechEXPO Blockchain Event, the world's most influential conferences and trade shows.

More Stories By Terry Ray

Terry Ray has served as Chief Technology Officer for Imperva since July 2017. He is responsible for developing and articulating the company's technical vision and strategy. Previously, he served as Imperva's Chief Product Strategist where he consulted directly with strategic global customers on industry best practices, threat landscape, data security implementation and industry regulations. Terry is a frequent speaker for RSA, Gartner, ISSA, OWASP, ISACA, IANS, CDM, NLIT, and other organizations worldwide. He holds a B.A. in Management Information Systems from the University of North Texas.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.