By Meg Cater
Last week, Signiant CTO Ian Hamilton joined a panel discussion at the 5th annual Content Protection Summit in Hollywood, looking at security practices for cloud solutions within the media industry.
Erik Weaver from the Entertainment Technology Center at the University of Southern California moderated the panel. Weaver is lead of the center’s Project Cloud, a think tank on the use of cloud solutions throughout the life cycle of media and film production, which means he spends a lot of time in dialogues like this one.
Other panelists included: Matthew O’Connor, Product Manager for the Cloud Platform Team at Google; Aaron Guzman, Co-Director of Presentations at Cloud Security Alliance; Ted Harrington, Executive Partner at Independent Security Evaluators; and Janice Pearson, Content Protection Strategy & Operations at Warner Brothers Entertainment.
Here’s a recap of the questions and some responses by Hamilton and other panelists.
“In the broadest sense,” Hamilton says, “cloud is a metaphor for the Internet.” It’s also a euphemism for “someone else’s servers,” other panelists mention. For the purpose of their discussion, however, they agree to focus on cloud as Public IaaS (Infrastructure as a Service) and the software that runs on it.
Janice Pearson starts off pointing out the difference in security resources available to big vs. small vendors. “Smaller SaaS companies often patch in security rather than build it in,” she says. Starting with security at the design phase is imperative, the other panelists agree. And until the new MPAA guidelines for designing cloud solutions are in place, customers need to inquire about security practices in smaller companies.
As a relatively small company with high security standards, Signiant may be a good example of what to look for. Hamilton explains that everyone on Signiant’s engineering team regularly receives updated security training and considers security in all parts of the software lifecycle, from design through implementation and deployment. In addition to training, we also engage third-party security experts for consultation and evaluation/testing throughout the software lifecycle.
Matthew O’Connor mentions that Google has “200 dedicated security professionals,” many of them leaders in the field, which means that anyone building SaaS (Software as a Service) on Google’s infrastructure can have confidence in that foundation.
However, according to Hamilton, smaller companies are better off sharing the responsibility for security across the team rather than laying it on one or two people. Everyone involved needs to have the necessary training, but also needs to be up to date on past security breaches and on the measures currently in place to prevent future attacks.
“The main difference with cloud is that you introduce new parties to the trust model,” says Hamilton. Because SaaS vendors operate the software rather than just building it, as on-premises software providers do, they are automatically pulled into the trust model along with their IaaS vendor. This has some major benefits if a company has good security practices in place: because they built the software and are most familiar with its security needs, they are also the party best qualified to operate and protect it.
Hamilton goes on to point out certain “old school” security thinking that implies the ability to “establish an impenetrable perimeter that keeps the bad guys on the outside and the good guys on the inside. If zombie shows have taught us anything valuable, it’s that when the bad guys on the outside want something on the inside badly enough, they’ll eventually get through the barrier.
“The cloud forces you to carefully consider least privilege and defense-in-depth, but these are things you should be doing with on-premises systems as well. Although having additional parties in the trust model can be cause for thought, the primary thing the IaaS and SaaS vendors do is manage their infrastructure and their software, and they’re typically pretty good at it as a result.”
Ted Harrington agrees, “Yes, two generations ago people thought they could totally prevent breaches through perimeter security. One generation ago people started to think more about containment and incident response ‘if’ they were hacked. The current generation assumes they’re always being attacked and tries to continuously learn from what’s going on and improve their security.”
“Cloud-based systems tend to get patched much more quickly for technology vulnerabilities than on-premises systems,” says Hamilton. That faster patching can make cloud systems more secure, even though public attention tends to fixate on the technology vulnerabilities themselves. “Perhaps because they’re given scary names like Heartbleed and Shellshock.”
“Also,” Hamilton reminds the audience, “we often forget about the people factor. Companies go to lengths to validate that the users accessing servers are legitimate with multi-factor authentication and by forcing good password management practices, but users don’t apply the same due diligence when making sure the server they’re accessing is authentic. This makes them vulnerable to phishing attacks where they unknowingly give up confidential information, and why training and least privilege principles are so important regardless of whether you’re securing cloud or on-premises systems.”
“As all the panelists have talked about, you need to start at the software design phase and follow secure design principles all the way through to deployment,” says Hamilton. “But you also need a strong incident response plan. In this regard it’s not that different from any other form of disaster recovery and business continuity planning. You’re just responding to a criminal adversary that is typically much more persistent than an accident or natural disaster.”
Pearson emphasizes the need to document workflow and look at “every touch point where you have risk.” It’s important to know who has access and if they really need it.
“These are things management really needs to be watching,” says Pearson, “so you know exactly where to look if there is a security breach. This is part of doing risk assessments and knowing where vulnerabilities exist so that you can respond accordingly if the worst does happen.”
That’s just a small sample of the very informative hour-long panel discussion on The Forecast for Securing the Cloud at the Content Protection Summit last week.