Wow -- what a busy (and awesome) time at RSA this year! I missed the conference last year and was surprised (but impressed) to see the event grow as much as it has in such a short period of time; they literally doubled the exhibitor space, filling both the North and South Halls. While on one hand surprising, the growth makes complete sense -- not just because security is a hot space, but because of the massive increase in the attack surface area.
Mobility and the multi-device user, along with the rapid adoption of all things cloud -- from SaaS applications to IaaS and PaaS -- has a multiplicative effect of increasing both the vectors and targets for attacks.
Let’s review two recent compromises to highlight the changing attack surface that RSA proved true:
MongoHQ, the database-as-a-service company, was recently compromised. As a result, this jeopardized customer data. SaaS companies have a growing challenge because they are the single attack surface to not just one company but every company that leverages their offering.
This is the Holy Grail to most attackers because the cost involved to infiltrate is overwhelming justified by payout.
Next up is Github, a very popular source code hosting company that recently started a public security bug bounty program. One of the recent submissions demonstrated how an attacker could achieve remote code execution by leveraging a configuration issue with how code is pushed to their backend.
It is completely unknown if this was actively used in the wild before it was reported. Additionally, it’s impossible to know or prove this -- unless companies established a way to gain visibility into their infrastructure and view historical data. Much like MongoHQ, this was not only a security concern for Github's infrastructure, but a concern for the data of all their customers.
All that said, and as proven at RSA, the cloud is not inherently more secure but it’s not less secure either. The truth of the matter is it’s exactly the same as any other type of infrastructure -- and the security challenges are the same. SaaS, however, does make you more of a target because of the amount data diversity an attacker will gain from compromising assets. This was a massive takeaway both for our team and the general audience at RSA -- and one that is sure to cause waves of change in 2014.
The current status of the cloud security industry, which was made abundantly clear at RSA, just sets us even more vigorously on our mission to protect cloud-based workloads and explain why having a cloud-ready by design implementation is the right way to gain the visibility and control that companies actually need.
Looking forward, we will be leading many exciting discussions in the market around what it means to protect elastic infrastructure with an elastic solution and how DevOps can proactively take command of their part of the shared responsibility security model that comes with leveraging the tremendous benefits of the cloud.
(And stay tuned -- we also have several exciting announcements for you very soon!)