Cloud Security - What You Need to Know to Protect Your Company

By Raphael Reich, Vice President Product Marketing | September 15, 2020

“The Cloud” offers organizations powerful options for efficiency, innovation, growth, and collaboration. As a result, virtually every organization has assets in the cloud somewhere, even if they don’t think they do. Just consider that any service your organization uses that is delivered over a publicly accessible network is a cloud service. And because these resources touch the public internet, they can introduce significant risk to an organization via common misconfigurations and vulnerabilities in virtual machines, workloads, servers, networking, APIs, storage, applications, and many other services. So, as is often the case, with great power comes great responsibility.

Who is responsible for ensuring your security in the cloud?

It’s all “you” if you host and operate your own infrastructure, be it a full private cloud data center or a few private servers and apps. But who actually hosts all their services on private infrastructure these days when the economies of scale and ready-made capabilities of public cloud services are so enticing? And even in the public cloud, security responsibilities are shared, so the answer is still “you” to a greater or lesser extent.

Who is responsible for security in the public cloud?
It depends on what kind of service you use. Is it SaaS, PaaS, or IaaS? Each of these operates with a different shared responsibility model. The service provider is supposed to take care of securing their backend infrastructure but the customer of the service, that’s your organization, is responsible for securing their own assets in the cloud.

On the simple end of the spectrum there’s Software as a Service (SaaS). These are often office productivity, file sharing, and collaboration applications. Examples range from general services such as Microsoft Office and G Suite to specialty business functions such as those supplied by Confluence or GitHub. In this model, you are primarily responsible for identity and access management and controlling the data you store in the service. It sounds simple but it is very easy and common to put confidential data in the cloud and inadvertently enable public sharing of that data.

Your responsibility becomes substantially more extensive when it comes to Platform as a Service (PaaS) or Infrastructure as a Service (IaaS) options such as AWS, Microsoft Azure, Google Cloud Platform (GCP), etc. In this case you have a much more extensive set of assets to inventory, configure, protect, and manage. Ignore any of these and you risk exposure in the cloud. This includes:
  • Applications, platforms, operating systems
  • Identity and access control and administrative privileges
  • Compute assets, data repositories, servers
  • Web apps and servers
  • Networking traffic, ports, protocols, and services including firewalls, proxies, routers, and switches
  • Data encryption, authentication, DLP, and data recovery
  • Security services such as certificates, web application firewalls, anti-malware, vulnerability management, email and web browser protections, application security

Sometimes you are at risk when it isn’t you.

You may be at risk even if you are not responsible for a resource that is exposed in the cloud. You may have a partner, vendor, or subsidiary using the cloud for a service that connects back to your infrastructure or hosts sensitive resources you rely on to operate your business. There are some very famous breaches that originated from compromised affiliate organizations.

Sometimes you are responsible even when you are not technically responsible. 
Wait. What?  It’s a compliance thing.

Privacy regulations such as the General Data Protection Regulation (GDPR) consider you responsible for security practices and breaches that occur at cloud service providers who process or host your sensitive data.  For compliance purposes you are the data owner and your cloud service provider is your data processor. You are still responsible for the privacy of the data you own even if it is being processed by a third-party cloud service and compliance regimes will penalize you if you have a breach due to an unsafe third-party service. 

What are the most common reasons for cloud exposure?
  • Infrastructure misconfigurations like an Amazon S3 Bucket set to allow public access or ports left open on a networking device
  • Original settings left in place like an admin account using a default password 
  • TLS deployment errors, use of weak certificates, old hashing or cryptographic functions 
  • User actions such as deploying assets that allow public access accidentally or thinking security by obscurity is protection enough
  • Cross-site scripting and SQL injections
  • Old, abandoned, and vulnerable network devices, servers, operating systems, and applications not updated or maintained
  • Cloud application misconfigurations that allow public access to sensitive data
  • Insecure APIs, interfaces, and test accounts
  • Stolen user credentials and compromised endpoints

What is the most fundamental cloud security problem?
You don’t know what you don’t know.

The volume, speed, and distributed method of adopting cloud resources makes it difficult to keep track of all your assets there, much less make sure everything is secure against attack. Unknown assets are usually a result of three macro issues:

  1. Shadow IT.
    It’s so easy to open an account with a public cloud service. Fred the self-styled techie guy in that business unit, you know the one, can spin up five misconfigured workloads in five minutes completely outside the purview of IT. 

  2. Cloud migration projects.
    Migrating systems from legacy architectures into the cloud is tricky. If you are doing it right, you are not simply replicating what you had in your data center, you are reimagining how you can do it better considering the new options that are available in the cloud.  This inherently means you have people mastering new systems, and with a learning curve you get mistakes. In the flurry of testing and setting up new systems, it is easy to forget a step and end up with default settings, dangling test systems, or unfinished workload setups that create exposures.    

  3. Old or abandoned services.
    Cloud computing may still seem new but it’s been around for many years. Assets deployed years ago may not have been patched or updated in a while. You may have cloud resources you don’t use at all anymore but they are still connected to your infrastructure so their risk exposure is your risk exposure. The cloud is full of resources that companies have completely forgotten about due to staff turnover, reorganizations, layoffs, mergers, divestitures, or maybe just the dynamic nature of a changing business strategy. 

Cloud risk exposure is a legitimate concern for the cloud projects and assets you know about; imagine the risk exposure from shadow IT you don’t know about. The scope of these unknown assets is surprisingly large. In fact, most IT organizations are blind to 50% or more of the assets they already have in the cloud.

What is your second fundamental cloud security problem? 

You will never hear a SOC analyst say they don’t have enough alerts. And it seems there is a new security solution available every week to help you with some specific cloud security issue that will provide even more red flags. You will also never hear a CISO complain that they have too many experienced security professionals on staff. Experienced security experts are notoriously hard to recruit due to more demand than available talent. You can safely assume that you will never have enough internal resources to research and fix everything.   

Get started with an effective process

01. Reconnaissance

Inventory your cloud assets. This includes discovering as many as possible of those cloud workloads, data repositories, and machines you don’t currently track. You have to know an asset exists before you can do anything.

02. Security Testing

Identify which of your assets in the cloud present an exposure risk to your organization. Find out which assets are vulnerable to attack or, worse, may already be open to public access.

03. Prioritization

Stack rank your cloud risk issues to prioritize your response activities. This way your valuable IT team makes the most impact as efficiently as possible.

04. Take Action

This may mean activating your response team to get that misconfiguration fixed, patching or decommissioning that old vulnerable machine, fixing that certificate problem, or making sure that operating system is updated. Or, this may mean activating deeper security scrutiny, such as deploying your red team for targeted pen testing to further explore the extent of an issue or double check that a previously unknown asset is indeed now secure.

05. Validate and Repeat

Confirm you’ve fixed the issues you think you fixed. Check for new issues. And now go back to Step One and do it all over again.

The most effective approach

With so much of your extended IT ecosystem now residing “outside” of your organization and in the cloud, an excellent way to validate your security effectiveness is with an outside-in approach using an attack surface and risk management solution that will:

  1. Identify any assets you have in the cloud that already present a risk of exposure to your organization because they can be targeted by an outsider. 
  2. Identify if any of these resources are misconfigured or vulnerable to attack. 
  3. Prioritize the problems identified based on business context and the severity of the security issue. 
  4. Identify the team responsible for the assets in question.
  5. Regularly rescan and update. 

Then you can take that prioritized set of issues and get to work using your extended security resources (which may include subsidiaries and partners) to solve them. This way, you find and fix the most critical cloud security issues first.
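As an added illustration (not code from the original article or from any product it describes), the Python below runs the test, prioritize and identify-owner steps over a small inventory, flagging two of the misconfigurations named earlier: a bucket policy that allows public access and an administrative port left open to the internet. The inventory, the severity weights and the function names are constructed for the example.

```python
import json

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}   # services that should not face the internet
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}

def s3_policy(principal, condition=None):
    """Build a constructed one-statement bucket policy in AWS policy JSON form."""
    stmt = {"Effect": "Allow", "Principal": principal, "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*"}
    if condition:
        stmt["Condition"] = condition
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

# Constructed inventory; ids, owners and criticality (1-3) are illustrative assumptions.
INVENTORY = [
    {"id": "cdn-logs", "owner": "web", "criticality": 1,
     "policy": s3_policy({"AWS": "*"}, {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}})},
    {"id": "legacy-test-vm", "owner": None, "criticality": 2,
     "ingress": [{"cidr": "0.0.0.0/0", "port": 3389}, {"cidr": "10.0.0.0/8", "port": 22}]},
    {"id": "hr-exports", "owner": "hr-it", "criticality": 3, "policy": s3_policy("*")},
]

def wildcard_statements(policy_json):
    """Yield Allow statements whose Principal is '*' or {'AWS': '*'}."""
    stmts = json.loads(policy_json).get("Statement", [])
    for s in [stmts] if isinstance(stmts, dict) else stmts:
        p = s.get("Principal")
        aws = p.get("AWS", []) if isinstance(p, dict) else p
        if s.get("Effect") == "Allow" and "*" in ([aws] if isinstance(aws, str) else aws or []):
            yield s

def findings(asset):
    """Return (severity 1-5, issue) pairs for one asset; severities are assumed weights."""
    out = []
    for s in wildcard_statements(asset.get("policy", "{}")):
        # A Condition may or may not really restrict access, so it is queued for review.
        out.append((2, "wildcard principal with Condition, review") if "Condition" in s
                   else (5, "bucket policy allows anyone"))
    for rule in asset.get("ingress", []):
        if rule["cidr"] in ANY_ADDRESS and rule["port"] in ADMIN_PORTS:
            out.append((4, ADMIN_PORTS[rule["port"]] + " open to the internet"))
    return out

def triage(inventory):
    """Rank findings by severity x business criticality and attach the owning team."""
    rows = [{"asset": a["id"], "issue": issue, "score": sev * a["criticality"],
             "owner": a["owner"] or "UNASSIGNED"}
            for a in inventory for sev, issue in findings(a)]
    return sorted(rows, key=lambda r: -r["score"])

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(row)
```

Findings that come back with the owner `UNASSIGNED` are the unknown or abandoned assets the article warns about, and need an owner before anyone can act on them.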

About Raphael Reich, Vice President Product Marketing

Raphael Reich, Vice President Product Marketing, has helped bring innovative, category-defining security products to market for two decades.
