Combating Security Risks

Various defenses needed to ensure risks, mitigations are under control

• By Cliff Krahenbill
• Aug 07, 2020

Cloud security is an increasing concern as more organizations transition to use public cloud providers in either a hybrid or cloud-native model. The initial step in any information technology security process where new technology is being implemented is to understand the risks that an organization is incurring.

Consider this information as you explore some of the types of risks associated with the inclusion of a cloud provider service (CPS) as part of a company’s infrastructure.

The following areas are considered among the highest associated with cloud computing (Cloud Security Alliance, 2020): Data breaches; Misconfiguration; Lack of cloud security architecture; Insufficient identity and access management; and Insider threat.

The world is experiencing the widespread impact of the COVID- 19 pandemic. This pandemic is causing disruptions and forcing changes upon businesses and individuals. Thus, changes of this magnitude deserve a re-assessment of an organization’s cybersecurity priorities and approaches.

Data breaches. These have often been high-visibility events reported in the news and causing substantial reputational harm. Beyond major data breaches, even low levels of data leakage can cause severe harm to an organization. This can start with reputational and brand injury; however, it can include loss of intellectual property or legal and regulatory liabilities.

When referring to the cloud, the key issues are whethser appropriate controls are in place. Controls should include robust auditing and reporting tools that can be implemented within the cloud platform. Auditing is important to help identify a breach or potential breach early on, which can dramatically mitigate the harm. This area can be a key deficiency in public cloud platforms where an organization may be relying on the provider to implement appropriate tools, and the organization’s existing toolset cannot operate within the cloud. At a minimum, a deep understanding of the environment and tools will need to be developed and incorporated into an organization’s cloud adoption process.

Another important mitigating technology is encryption and its associated key management service (U.S. NSC, 2020). The use of encryption, along with secure key management processes, can provide an additional layer of protection from a data breach event.

Misconfiguration. This is one of the most common security issues in public cloud environments (U.S. NSC, 2020). Security miscon figurations often lead to data breaches.

There are a few significant reasons why this risk is so prevalent. For one, the cloud platform is new for many organizations. They may lack the immediate knowledge and skills to implement con- figurations that approximate those in their existing environment. Secondly, their existing practices may not be appropriate for the cloud. A third reason is the cloud is more dynamic than existing on premise services. The configuration options and implementation can change, requiring more due diligence.

One powerful tool that can be leveraged to increase configuration consistency is automation. Using provisioning and configuration scripts can reduce the opportunity for misconfiguration and improve the rate of implementation and quality checks. Using automation allows additional review and auditing to reduce errors and improve security. A least-privilege practice is recommended as a baseline.

LACK OF CLOUD SECURITY ARCHITECTURE

Organizations often seem to stumble into the cloud without a defined and deliberate approach that provides an opportunity to address the foundations. There are many reasons for this, including time constraints or lack of technical understanding. Organizations that engage in “lift and shift” migrations attempting to apply their existing security practice haphazardly, often encounter difficulties (Cloud Security Alliance, 2020).

Cloud security concerns can be addressed by reviewing organizational security policies as they relate to cloud technology. The policies and principles of the organization should be durable, with the implementation being dependent on what the cloud platform provides. Items such as defense-in-depth, or managing privileged accounts are entirely valid; however, they should be mapped to the specific cloud provider capabilities.

INSUFFICIENT IDENTITY AND ACCESS MANAGEMENT

Identity and access management require a specific focus in cloud implementations. The first is addressing risks that occur with a large public-facing front door. In hybrid cloud implementations, identity federation infrastructure can be introduced. This is yet another security technology that needs to be reviewed, implemented and monitored. This requires new maintenance operating procedures and role identification. Cloud services may introduce new highprivileged accounts that need to be managed, such as a “subscription manager.” Password complexity needs to be defined, as well.

If an organization is using role-based access, what new roles are required? How will these new roles be managed? In the past, rolebased access had a significant impact on security because of miscon figuration issues. The results of a credential being compromised in the cloud could result in the exposure of information inside the organization’s existing perimeter.

Risks of compromised identities can be reduced by using multifactor identity solutions. Password policies, where applicable, should follow the existing internal standards. Federation and identity solutions should avoid storing or transmitting passwords that are not securely hashed or secured in another manner. Separation of duties can be a significant defensive approach, too. Application developers should not implement their credential stores, which could introduce new ways for credentials to be compromised.

INSIDER THREAT

Unlike external threats, insiders do not need to break into an organization’s computer systems. They already have some level of trusted access. Most unwelcome insider risks are due to negligence rather than malicious intent (Cloud Security Alliance, 2020). Insiders can compromise intellectual property, sensitive data, or compromise additional credentials. In some circumstances, there is a data breach; in others, it would be described as “data leakage.” As with any data breach, the organization’s reputation and brand are at stake. Negligence or lack of training can result in a significant negative impact.

The best mitigation for insider threats is the implementation of good role separation, security monitoring and auditing. Additionally, annual security training and education that includes policy, as well as technical material, is essential. Reviewing access and privileges regularly to maintain a least-privilege posture is important.

COVID-19 CONSIDERATIONS

There has been a dramatic increase in cyber scams and attacks since the COVID-19 pandemic began (Gallagher, 2020). There has also been an increase in spam and phishing attacks that use COVID-19 in their approach, as well. Many of these are being used to spread malware. Most organizations have existing security protections in place against these types of attacks. Still, to be most effective, security personnel should update spam filters, anti-virus signatures, message hygiene solutions and educate their population about these current risks.

The cloud can provide benefits for organizations adapting to the new COVID-19 requirements. For example, it provides a mechanism to increase capacity rapidly. Systems residents in the cloud do not require local operations for maintenance. This removes some planning and logistical challenges. The trade-off is to ensure your cloud service providers have an effective plan for maintaining their operations during the COVID-19 period (Bridgwater, 2020). Since COVID-19 has forced organizations to embrace remote work, the cloud can be an effective platform to ensure business continuity during a global pandemic (Krill, 2020).

With this in mind, the most direct security threat today is how the edge has shifted from inside the organization’s network perimeter into each worker’s household. This threat includes using workstations or mobile devices that are no longer under the enterprise’s direct control.

Employees are accessing and potentially storing the organization’s data. In fact, to help facilitate work-from-home scenarios, some organizations might be forced to migrate systems and data to the cloud that were previously accessible only within the organization perimeter. Applications and services that never contemplated this type of remote access might have exposures (SC Media, 2020). These potential exposures need to be evaluated before hastily migrating to the cloud.

Mitigation risk begins with the acknowledgement of the basics of protecting data in transit and protecting data at rest. Virtual private network technologies or other encrypted communications are essential to protect in-transit information. The use of encryption technologies, along with well-written and enforceable security policies, can be used to protect data residing on devices outside the boundaries of the organization. The use of network access control solutions can further protect an organization from compromised end devices.

These will be trying times for organizations and cybersecurity is more important than ever.

Cloud security risks look like the challenges that IT security professionals have dealt with since the days of big iron. Changing one’s technology platform to the cloud requires a new set of tools to address these longstanding challenges.

There are unique risks, but the most prominent are those that have always perplexed CSOs and administrators: secure the organization’s data, reduce misconfiguration, systematically implement security, manage identities and access, and defend against the negligent or malicious insider.

This article originally appeared in the July / August 2020 issue of Security Today.