You are currently viewing Rethinking Cyber-Defense Strategies in the Public-Cloud Age

Rethinking Cyber-Defense Strategies in the Public-Cloud Age

Rethinking Cyber-Defense Strategies in the Public-Cloud Age

Exploring what’s next for public-cloud security, including top risks and how to implement better risk management.

The pandemic has fast-tracked migration to the public cloud, including Amazon Web Services, Google Compute Platform and Microsoft Azure. But the journey hasn’t exactly been smooth as silk: The great migration has brought a raft of complex security challenges, which have led to headline-grabbing data exposures and more. Misconfigurations and a lack of visibility into cloud assets and inventory are the biggest culprits for public-cloud insecurity. Thankfully, there are approaches that can help.

“Even absent the pandemic there would still be a loss of appetite for [on-prem] data centers,” said Sid Nag, research vice president at Gartner. “Emerging technologies such as containerization, virtualization and edge computing are becoming more mainstream and driving additional cloud spending. Simply put, the pandemic served as a multiplier for CIOs’ interest in the cloud.”

However, as with any major sea change, this transition has caused a certain amount of confusion and scrambling on the part of some stakeholders, including, crucially, IT security staff.

Migration is “a non-trivial thing to do,” said Prevailion CTO Nate Warfield, and it “takes lots of planning to do it.” After all, it’s a seismic shift from the traditional work done by security and infrastructure teams, which are often far more accustomed to their traditional on-prem tasks – think racking a server, for example.

“With COVID, a lot of that planning got compressed,” Warfield observed, with organizations forced to make the move “far faster than they would have wanted to.”

That means that security has lagged, as IT security teams rush to get up to speed on cloud security, and all of the new challenges that it brings.

Cloud Blind Spots

There are indeed many challenges because there are multiple factors that complicate the deployment and maintenance of highly secure cloud environments. Some of the most common concerns and risks that scrambling IT security teams have run into include:

  • Insufficient staff skills
  • Data loss/leakage
  • API vulnerabilities
  • Malware infections
  • Insufficient identity and access management controls
  • Lack of visibility into what data and workloads are within cloud applications
  • Inability to monitor data in transit to and from cloud applications
  • Cloud applications being provisioned outside of IT visibility (e.g., shadow IT)
  • Inability to prevent malicious insider theft or misuse of data
  • Advanced threats and attacks against the cloud application provider
  • Inability to assess the security of the cloud application provider’s operations
  • Vendors failing to alert customers of vulnerabilities
  • Inability to maintain regulatory compliance
  • Misconfigurations of cloud hardware and/or cloud software

Misconfigurations

The lack of planning in the rush to the cloud has led to simple mistakes that trigger serious security catastrophes. According to the 2020 Cloud Threat Report from Oracle and KPMG, a full 51 percent of organizations reported that misconfigurations have led to compromise and exposure of sensitive data.

Shared Responsibility

As the NSA has explained in the past, public-cloud service providers often provide tools to help manage cloud configuration, and yet misconfiguration on the part of end customers “remains the most prevalent cloud vulnerability and can be exploited to access cloud data and services.”

customers benefited from the shared-responsibility model when all CSPs patched a container-escape vulnerability, CVE-2019-5736, that could have granted attackers access to the contents of the underlying OS and any virtual machines (VMs) running under the same hypervisor. In contrast, organizations that ran containers in their own data centers were on their own, having to rush to patch their container OS images.

Why CSPs Won’t Necessarily Call When They Spot Problems

In many cases, public-cloud providers “won’t even pass on notifications to their customers [when] they have received [notifications] from external researchers,” Warfield said. But it’s not that they don’t care about security, he said, pointing to Microsoft’s “well-developed process to secure its hypervisor layer.”

Lack of Visibility

Shadow IT is the term for data being housed in unsanctioned IT resources – i.e., employees using a cloud application to do their work that wasn’t provided by the company. It’s nothing new: Employees have long gone behind the backs of their organizations’ IT departments in a quest to find easier ways to get their jobs done, to innovate and to boost their productivity. But the problem is that IT security guardians can’t see shadow IT, manage it, secure it, or figure out when to permit or forbid its use.

The Road Ahead

Frequency analysis: What apps are being run by only one person? Who is that one person? What’s their need? Conversely, is the only user an autoclicker, which automates a mouse clicking on a computer screen?

User-behavior analytics: Users generate millions of network events every day. Using tools to perform analytics on their behavior can enable detection of compromised credentials, lateral movement and other malicious behavior. By uncovering patterns and insight, IT teams can identify evidence of intruder compromise, insider threats and risky behavior on the network.

Discovery: Visibility tools can give users insights into what, exactly, they’re running on the cloud: services that they might not even be aware they were running “until they got the bill,” Kaiser said. Such tools can also discover data that users weren’t sure that they were responsible for, including things that developers turned on for what should have been brief, task-related purposes, like those auto clickers.

Reference - Rethinking Cyber-Defense Strategies in the Public-Cloud Age

Leave a Reply