Mastering Cloud Security in our Breachy Times
2019 was a record year for data breaches with over 3800 reported incidents.
Between 2015 and 2018, the variation in the number of reported breaches was less than 200 incidents per year. But just in the first six months of 2019, the number of breaches increased by 54% compared to the same time last year.
In contrast, the number of records exposed in the first half of 2019 is 30% lower compared to the same time frame in 2017, however this may change in the second half, as the full extent of the data exfiltrated by Paige A. Thompson, the hacker accused in the Capital One data breach, becomes known. The estimate for the non-Cap-1 data stolen from those other 30 companies is in the multiple terabytes range.
A full 89% of the breaches in 2019 breaches are the result of outside attacks, resulting from misconfigured firewalls, databases and cloud services representing the exposure of over 3.2 billion records.
If one would string together a common theme, it would be the complexities of understanding what true cloud security entails.
Decline in Cloud Service Provider Confidence
As cloud computing continues to increase in popularity, more and more companies are outsourcing their cybersecurity concerns to cloud service providers and doing so at their peril. Prompted partially by the impact of the Paige Thompson hack, many enterprises are beginning to realize that taking control of cybersecurity and not blindingly turning responsibility over to cloud providers is essential to gaining full value from the benefits of cloud computing.
A recent survey by The Cloud Security Alliance, underscores a decline in confidence in cloud service providers owing to the recent increase in the quantity of data breaches that appears to be related to the cloud providers’ lack of appropriate controls. Denials of service, shared technology vulnerabilities, data loss and system configuration exploits which all featured in the previous surveys were now rated so low they have been excluded in the current report.
Defining your Data’s Value
Data is becoming the main target of cyber-attacks, so the merits of defining the business value of data and the impact of its loss are becoming essential issues for organizations that own or process data. Cloud-based resources are highly complex and dynamic, making them challenging to configure and traditional controls and change management approaches are not generally effective in the cloud. This gap has given rise to an explosion of technologies that scan continuously for misconfigured resources and can remediate problems in real time.
Moving to the cloud without this capability is like leaving your wallet on a hotel room bedside table.
According to McAfee’s latest Cloud Adoption and Risk report, the typical organization uses, on average, over 1,900 different cloud services spanning enterprise-ready delivery ranging from Office 365 to lesser known and riskier services such as Mega.
As such, sensitive data inevitably makes its way to the cloud, with 21% of all files in the cloud containing some form of sensitive content (e.g. financial records, business plans, source code, trading algorithms, etc.).
The Complications Behind Collaboration
One of the core benefits of cloud is the enabling of seamless collaboration and file-sharing which points directly to one of the chief risks. We are increasingly seeing organizations share files/folders through the process of generating links within the cloud service that point to a file/folder. The problem with this approach is that these types of shared links and their underlying files/folders can be accessed by anyone who has the link. This means once a link is shared, there are no controls that prevent the recipient of that link from forwarding it on to others, thereby significantly increasing the risk of data loss.
Moreover, it’s incredibly hard for IT security teams to track how many openly shared links exist and whether they have been shared with unauthorized parties in the past. Compounding this problem is the fact that a substantial percent of those openly shared links point to files/folders containing that sensitive data.
Infrastructure Services can be Easily Misconfigured
Another significant risk shows up in the configuration front for cloud-based infrastructure services. The rapid adoption of cloud services isn’t limited to SaaS services such Office 365, Box, or Salesforce. It now extends to the transformation of server and data center infrastructure into cloud-based services, classified as Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS).
Today, 65% of organizations around the world use some form of IaaS, 52% for PaaS. However, the individual services that customers can utilize in IaaS platforms come with deep and often complicated security configuration settings.
Not surprisingly, McAfee reports that the average organization has a startling 2,200 IaaS misconfiguration incidents per month. Think about that number. These include incidents arising from misconfiguring EC2 security group ports that may allow unrestricted inbound access. Paige Thompson knew this. And she isn’t alone.
AWS: A Wrangled Security Conversation
The average enterprise uses 50 S3 buckets alone. Of these, 7% provide unrestricted public access while 35% of all S3 buckets remain unencrypted. Amazon offers several built-in security features, giving organizations the ability to enforce a wide range of security, compliance, and governance policies, AWS settings can be very deep and complex.
Combine that with the fact that most organizations have a sprawling AWS environment and the security configurations are dynamic and can be changed at any time by an administrator, it becomes clear that manually checking AWS security configurations for services such as S3 buckets, EC2, security groups, etc. can be prohibitive. This is why a cloud access security broker (CASB) that continuously monitors and automates AWS security configuration audits across multiple instances is critical to assure your configurations don’t provide an opportunity for exploits.
All of the major cloud service providers have taken steps to improve their security controls by adding features such as encryption at rest, data loss prevention, and automated backups. But, according to Gartner, through 2022, 95 percent of cloud security failures will result from a specific customer issue and will not be the responsibility of the CSP. To safeguard yourself against cloud-computing risks, you must supplement your CSP’s security measures with additional security tools as well as continue to educate your employees on security awareness and end-user hygiene.
Shared Responsibility Only a Starting Point
Customers of AWS and other public cloud providers should not fall for the myth that cloud service providers can completely protect their customized and highly individualized cloud instances. AWS secures the core areas of their cloud platform via their shared responsibility model, which includes infrastructure and hosting services. AWS customers are responsible for securing operating systems, platforms, and data and most importantly, privileged access credentials.
Organizations need to consider the shared responsibility model is only the starting point on creating an enterprise-wide security strategy with a Zero Trust Security framework being the long-term goal. AWS’s identity access management (IAM) solution is only an interim stop-gap to the long-term challenge of achieving Zero Trust Privilege across an enterprise ecosystem that is going to become more hybrid or multi-cloud and far more dangerous as time goes on.
In addition, the truth is that identity and access management solutions built into public cloud offerings such as AWS, Microsoft Azure, and Google Cloud are at best interim solutions to a long-term security challenge many organizations are facing today. Instead of relying only on a public cloud provider’s IAM and security solutions, every organization’s cloud security goals need to include a holistic approach to identity and access management and not create silos for each cloud environment they are using.
While AWS continues to invest in their IAM solution, organizations need to prioritize protecting their privileged access credentials, aka, the keys to the kingdom, to guarantee that hackers can’t manipulate cloud services environments to get to your most critical assets.
Recommendations and Considerations
Regulations Around Data
The kind of data you store in the cloud is an important consideration in your decision process to choose one CSP over another. Assuming that there are mandated security requirements around that data such as PII or HIPAA will direct you to a CSP who has documented experience managing that data. For example, if you are choosing a cloud service provider to host your Protected Health Information (PHI), you should require an assessment of security standards and HIPAA compliance before moving any data into their cloud.
Get Intimate with your CSP
Some good questions to ask when evaluating whether a cloud service provider is a fit for an organization concerned with securing that data include: Do you perform regular SOC audits and assessments? How do you protect against malicious activity? Do you conduct background checks on all employees? What types of systems do you have in place for employee monitoring, access determination, and audit trails?
While monitoring is essential in any data environment, it’s critical to emphasize that changes in modern cloud environments, especially those of SaaS environments, tend to occur more frequently and their impacts are felt immediately. The results can be dramatic because of the nature of elastic infrastructure. At any time, someone’s accidental or malicious actions could severely impact the security of your development, production, or test systems.
Running a modern infrastructure without real-time security observability and continuous monitoring is like flying blind. You have no insight into what’s happening in your environment, and no way to start immediate mitigation when an issue arises. You need to monitor application and host-based access to understand the state of your application over time. Monitoring systems for manual user actions is especially important in the current DevOps world where engineers are likely to have access to production. It’s possible they are managing systems using manual tasks, so use this as an opportunity to identify processes that are suited for automation.
Setting Baseline Configurations
As we have pointed out, security configurations in cloud environments such as Amazon Direct Connect can be complicated, and it is easy to inadvertently leave access to your systems and data open to the world, as has been proven by all the recent stories about S3 leaks and the Paige Thompson mega-breach.
Given the changeable (and sometimes volatile) nature of SaaS environments, where services can be created and removed in real time on an ongoing basis, failure to configure services appropriately, and failure to monitor settings can jeopardize security. Ultimately, this will erode the trust that customers are placing in you to protect their data.
By setting configurations against an established baseline and continuously monitoring them, you can avoid problems when setting up services, and you can detect and respond to configuration issues more quickly when they occur.
This is by no means a complete list of precautions you should take before embarking on your cloud journey, but these few sample issues should give you an indication of how challenging a cloud migration can become. If one listens only to the CSPs, the journey sounds like a walk in the park, but it doesn’t serve their interests to point out the quantity of resident alligators, location of the quicksand and poisoned swamps and the ways in which you can identify the myriad snake pits.
Those details are all on you.
Good cybersecurity is indistinguishable from properly run LOB operations. Too often these teams are at odds inside an organization. Cybersecurity is often perceived as slowing down a business by for instance, overly focusing on policing the activities of DevOps teams. But as we pointed out in last week’s blog post, proper cybersecurity can be a business enabler and even become a profit-center. It is up to the CISO to determine how and with which language s/he can more effectively persuade C-suite execs and LOB managers to embrace the market value that a well-run cybersecurity program can deliver.
Regardless of the marketing narrative to the contrary, moving data to a CSP will greatly expand your threat landscape and risk profile. Approaching a migration to cloud services without a properly considered cybersecurity architecture that identifies the required controls and a clearly vetted and mitigated issue list is a fool’s errand at best.
Don’t be that person.