Level 3's Richter Talks About Enterprise Cloud 'Gotchas'

While enterprise cloud enjoys far more adoption and suffers far less fearmongering than it did just a few years ago, security remains the top concern about enterprise cloud migration. To Level 3's Chris Richter, this concern -- while valid -- is a bit misplaced.

In Part 1 of this Telco Transformation interview, Richter, senior vice president of global security services at Level 3 Communications Inc. (NYSE: LVLT), argues that enterprise cloud is generally a more secure solution, but notes that there are still cybersecurity issues to be addressed by both enterprise cloud providers and enterprise cloud customers. In Part 2, Richter discusses the perceptions and real-world network dilemmas that impact enterprise cloud adoption.

Telco Transformation: What is the state of enterprise cloud security FUD (fear, uncertainty, doubt) today?

Chris Richter: That's a great question. I think a lot of the fear has diminished over the years, and a lot of that is due to the good work of a number of different organizations... The cloud is becoming more widely adopted. The barriers because of concerns about security are diminishing. That's what I've found.

The remaining FUD is now more focused not so much on the infrastructure security controls but what the users themselves do; the customers of the cloud. The biggest concern is: Are customers doing enough to protect themselves? It's not so much the cloud operators; it's what the customers do. Are they inviting phishing attacks into their cloud environment?…The service provider isn't really at fault for the stupid things that their clients and their end users do. If you're an IT director or manager, or CIO, you still have to provide an email account for the dumbest person in your company, and they're going to do dumb things. I think most of the fear is being pushed to user behavior as opposed to risks of cloud infrastructure.

Also, there is a little bit of fear of reliability. The three tenets of cybersecurity are confidentiality, integrity and availability. So the availability piece is a little bit of a fear because if one little thing goes wrong it can have very broad reaching effects and impact a lot of customers -- as we've seen from recent events. But still, the reliability argument for the cloud far outweighs the availability concern there.

TT: Where are you seeing the greatest opportunities and needs for both enterprise cloud providers and enterprise cloud customers to step up their cloud-security game, respectively?

CR: We'll start with the service provider. From a cloud service provider perspective, the one thing they really need to be wary of, and very cognizant of, is that most of the breaches that occurred last year -- the big, big breaches -- did not involve malware at all. They didn't involve any fancy cutting-edge brilliantly written malicious code. It was all mostly zero-day vulnerabilities that the perpetrators were able to take advantage of. In these virtualized cloud environments, that still remains a huge risk, and the cloud operators need to stay ahead. They need to stay ahead of vulnerabilities and they need to have a Plan B should a zero-day attack happen.

The big cloud operators are already doing this. They're taking a layered approach. They do micro-segmentation of the environment, so if the hypervisor is compromised, the tenants above are protected, there's another layer that the perpetrator would have to get through. So I think that's the biggest challenge, just staying ahead of these vulnerabilities.

From the end-user perspective, it's just good data hygiene and best practices. I think the challenge for IT professionals and security professionals is to train their workforce for what to watch out for. Just because you moved the workstack into the cloud doesn't necessarily protect end users from careless and reckless behavior. They as well have to practice not only good behavior but also segmentation of the data.

TT: What are the security advantages or disadvantages inherent to enterprise cloud solutions?

CR: The inherent advantages are better reliability, reduced complexity and better security. There's also the elasticity argument: You can deploy things a lot faster. I know of a chip development company that does designs for the Department of Defense (DoD), and they are able to spin up chip testing in a cloud environment much more quickly than the way they used to do it, which meant buying lots of servers at great expense and time delay. And the DoD actually signed off on this approach. Given that foreign entities would love to have DoD chip designs, that says a lot.

I think the disadvantage, in some ways, surprisingly, is cost as well. I've talked to a lot of organizations that are continuing to do IT themselves because a lot of cloud providers charge by usage, and if you run a 24x7 operation, you have to keep the machines running. It can get prohibitively expensive, so we're seeing more organizations move to virtualization and private clouds where they own the whole thing and they pay for, regardless of how much they use, they're paying one flat price, and sometimes they're managing the private clouds themselves, or sometimes they're outsourcing private cloud management. It's not always the cost saver that you think it might be because you pay by the drink.

— Joe Stanganelli, Contributing Writer