CPX 2018: Sizing Up Cloud Security Fallout from Spectre and Meltdown
I spent several years building network gateways and remote access products as a manager at Check Point. At the time, the name of the game was security for corporate networks. Cloud computing was in its infancy. Microsoft Azure hadn’t even been launched. Since my tenure at Check Point, the field of information security has undergone a dramatic transformation.
Today, the challenge of network security has become infinitely more complex and has moved beyond the corporate firewall that Check Point pioneered. Companies have to secure activity on mobile devices, enterprise network users are relying on cloud services, and cloud providers themselves have to worry about security on their networks.
So, it’s not a surprise that the challenges of securing the cloud figures high on the agenda of the upcoming Check Point Experience (CPX) conference Las Vegas this month.
Over the years, CPX has evolved into a major event that sets the tone in the cyber security market. I’m looking forward to attending and exhibiting at the conference as a representative of Alcide, a provider of security for hybrid clouds and data centers that I helped found. Here are some of the issues that I expect to figure prominently at the conference.
Spectre and Meltdown
The timing of CPX couldn’t come at a more sensitive moment in the world of cybersecurity.
Earlier this month, we learned about Spectre and Meltdown exploiting CPU architectures, which affect nearly every chip manufactured in recent years. The flaws enable malicious actors to gain unauthorized access to the entire memory of a computer. Mitigating the vulnerabilities has required plugs from major CPU, operating system and cloud vendors. Complicating matters, the software patches which have been rolled out have a negative impact on performance.
Wherever we look, this processor-level vulnerability has opened the possibility of security breaches. Mobile devices are affected by it, as well as laptops, cloud customers and cloud infrastructure providers.
The number one question people are asking now is how security patches for this vulnerability are affecting performance — there are numerous reports from various cloud and service providers that the performance drag from the software patches is significant.
For me, this crisis highlights the importance of having security products in place that provide detection and enforcement — not only at the perimeter but inside your cloud operations where workloads are running. I’ll be curious to hear how Check Point and the security community, in general, is responding to this new kind of security vulnerability.
Everyone will be paying attention.
Security in the Cloud
Many of the sessions at CPX will focus on the security challenges posed by companies’ growing embrace of cloud computing. The migration to the cloud forces both companies and cloud service providers to grapple with potential security vulnerabilities that can affect them both.
On the one hand, cloud service providers have to ensure that their infrastructure is sufficiently secured from attacks and that tenants are not affected or exploiting the infrastructure to attack neighboring tenants — also known as “side-channel attacks.” On the other hand, cloud customers have to patch their systems and software that runs on top of the cloud infrastructure.
Security vulnerabilities in the cloud are a concern affecting every business that is trying to modernize and keep up to date. I’m sure that a major topic of discussion at CPX will be how companies manage daily security challenges across different cloud computing environments. Security management is one of Check Point’s strong suits. So, it will be interesting to get their take on how these practices are evolving to the cloud, and how they extend them to mobile devices and users.
Other Topics on the Horizon
I anticipate that the European Union’s new General Data Protection Regulation (GDPR) — which take effect this May — will generate considerable buzz. Vendors will have to make sure that new products comply with the rules, as well as older products already out on the market. I look forward to hearing from infosec professionals on how they are getting ready for the changes and how they are planning to ensure that their clients’ needs are taken care of.
Looking back, I spent several good years at Check Point. The work there started a professional evolution from building firewalls to working with distributed systems to cloud systems. Now, CPX will be a good opportunity to reconnect with cybersecurity experts and colleagues from Check Point and to take stock of where cybersecurity has come from and how it will continue to evolve in the future.
Alcide is a sponsor of The New Stack.
Feature image via Pixabay.