Combating Security Risks
Various defenses needed to ensure risks, mitigations are under control
- By Cliff Krahenbill
- Aug 07, 2020
Cloud security is an increasing concern as more organizations transition to public cloud providers in either a hybrid or cloud-native model. The initial step in any information technology security process where new technology is being implemented is to understand the risks that an organization is incurring.
Consider this information as you explore some of the types of risks associated with the inclusion of a cloud provider service (CPS) as part of a company’s infrastructure.
The following areas are considered among the highest-ranked risks associated with cloud computing (Cloud Security Alliance, 2020): data breaches; misconfiguration; lack of cloud security architecture; insufficient identity and access management; and insider threat.
The world is experiencing the widespread impact of the COVID-19 pandemic. This pandemic is causing disruptions and forcing changes upon businesses and individuals. Changes of this magnitude deserve a re-assessment of an organization’s cybersecurity priorities and approaches.
DATA BREACHES
These have often been high-visibility events reported in the news, causing substantial reputational harm. Beyond major data breaches, even low levels of data leakage can cause severe harm to an organization. This can start with reputational and brand injury; however, it can include loss of intellectual property or legal and regulatory liabilities.
When referring to the cloud, the key issue is whether appropriate controls are in place. Controls should include robust auditing and reporting tools that can be implemented within the cloud platform. Auditing is important to help identify a breach or potential breach early on, which can dramatically mitigate the harm. This area can be a key deficiency in public cloud platforms, where an organization may be relying on the provider to implement appropriate tools and the organization’s existing toolset cannot operate within the cloud. At a minimum, a deep understanding of the environment and tools will need to be developed and incorporated into an organization’s cloud adoption process.
Another important mitigating technology is encryption and its associated key management service (U.S. NSC, 2020). The use of encryption, along with secure key management processes, can provide an additional layer of protection from a data breach event.
MISCONFIGURATION
This is one of the most common security issues in public cloud environments (U.S. NSC, 2020). Security misconfigurations often lead to data breaches.
There are a few significant reasons why this risk is so prevalent. For one, the cloud platform is new for many organizations. They may lack the immediate knowledge and skills to implement configurations that approximate those in their existing environment. Secondly, their existing practices may not be appropriate for the cloud. A third reason is that the cloud is more dynamic than existing on-premises services. The configuration options and implementation can change, requiring more due diligence.
One powerful tool that can be leveraged to increase configuration consistency is automation. Using provisioning and configuration scripts can reduce the opportunity for misconfiguration and improve the rate of implementation and quality checks. Using automation allows additional review and auditing to reduce errors and improve security. A least-privilege practice is recommended as a baseline.
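The review-and-audit step that automation makes possible can itself be a script. The following is an added example, not code from the article: a policy-as-code check that inspects a provisioning definition for the two misconfiguration classes the article emphasizes (public exposure of data and privileges wider than least privilege) and refuses to let a failing definition through. The JSON shape and the sample definitions are constructed for illustration and do not follow any particular provider's or tool's schema.

```python
"""Policy-as-code check for cloud provisioning definitions: flag settings that
violate a least-privilege / no-public-exposure baseline before they are applied."""
import json

# Constructed sample definitions in a provider-neutral, IaC-style JSON shape
# (assumption: this is not the schema of any specific cloud provider or tool).
WEAK_CONFIG = json.dumps({
    "storage": [{"name": "reports", "public_access": True, "encryption_at_rest": False}],
    "iam_policies": [{"name": "dev-role", "statements": [
        {"effect": "Allow", "actions": ["*"], "resources": ["*"]}]}],
})
HARDENED_CONFIG = json.dumps({
    "storage": [{"name": "reports", "public_access": False, "encryption_at_rest": True}],
    "iam_policies": [{"name": "dev-role", "statements": [
        {"effect": "Allow", "actions": ["storage:GetObject", "storage:PutObject"],
         "resources": ["storage/reports/*"]}]}],
})


def is_wildcard(action: str) -> bool:
    """'*' or 'service:*' grants every action; treat both as a violation."""
    return action == "*" or action.endswith(":*")


def audit(config_json: str) -> list[dict]:
    """Return one finding per baseline violation; an empty list means the config passes."""
    cfg = json.loads(config_json)
    findings = []
    for bucket in cfg.get("storage", []):
        if bucket.get("public_access"):
            findings.append({"resource": bucket["name"], "issue": "public_access",
                             "fix": "set public_access to false"})
        if not bucket.get("encryption_at_rest"):
            findings.append({"resource": bucket["name"], "issue": "no_encryption_at_rest",
                             "fix": "enable encryption_at_rest with a managed key"})
    for policy in cfg.get("iam_policies", []):
        for stmt in policy.get("statements", []):
            if stmt.get("effect") != "Allow":
                continue  # Deny statements cannot widen privilege
            if any(is_wildcard(a) for a in stmt.get("actions", [])):
                findings.append({"resource": policy["name"], "issue": "wildcard_actions",
                                 "fix": "enumerate the specific actions the role needs"})
            if "*" in stmt.get("resources", []):
                findings.append({"resource": policy["name"], "issue": "wildcard_resources",
                                 "fix": "scope resources to the named objects the role uses"})
    return findings


def passes_baseline(config_json: str) -> bool:
    """CI/CD gate: refuse to apply a definition that has any finding."""
    return not audit(config_json)
```

Running `audit(WEAK_CONFIG)` reports four findings with their fixes, while `passes_baseline(HARDENED_CONFIG)` returns True; wiring `passes_baseline` into the pipeline that applies the definition turns the article's "additional review and auditing" into an enforced gate.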
LACK OF CLOUD SECURITY ARCHITECTURE
Organizations often seem to stumble into the cloud without a defined and deliberate approach that provides an opportunity to address the foundations. There are many reasons for this, including time constraints or lack of technical understanding. Organizations that engage in “lift and shift” migrations, attempting to apply their existing security practice haphazardly, often encounter difficulties (Cloud Security Alliance, 2020).
Cloud security concerns can be addressed by reviewing organizational security policies as they relate to cloud technology. The policies and principles of the organization should be durable, with the implementation being dependent on what the cloud platform provides. Items such as defense-in-depth or managing privileged accounts are entirely valid; however, they should be mapped to the specific cloud provider capabilities.
INSUFFICIENT IDENTITY AND ACCESS MANAGEMENT
Identity and access management requires a specific focus in cloud implementations. The first concern is addressing risks that occur with a large public-facing front door. In hybrid cloud implementations, identity federation infrastructure can be introduced. This is yet another security technology that needs to be reviewed, implemented and monitored. This requires new maintenance operating procedures and role identification. Cloud services may introduce new high-privileged accounts that need to be managed, such as a “subscription manager.” Password complexity needs to be defined, as well.
If an organization is using role-based access, what new roles are required? How will these new roles be managed? In the past, role-based access had a significant impact on security because of misconfiguration issues. A credential being compromised in the cloud could result in the exposure of information inside the organization’s existing perimeter.
Risks of compromised identities can be reduced by using multifactor identity solutions. Password policies, where applicable, should follow the existing internal standards. Federation and identity solutions should avoid storing or transmitting passwords that are not securely hashed or secured in another manner. Separation of duties can be a significant defensive approach, too. Application developers should not implement their own credential stores, which could introduce new ways for credentials to be compromised.
INSIDER THREAT
Unlike external threats, insiders do not need to break into an organization’s computer systems. They already have some level of trusted access. Most unwelcome insider risks are due to negligence rather than malicious intent (Cloud Security Alliance, 2020). Insiders can compromise intellectual property, sensitive data, or additional credentials. In some circumstances, there is a data breach; in others, it would be described as “data leakage.”
As with any data breach, the organization’s reputation and brand are at stake. Negligence or lack of training can result in a significant negative impact.
The best mitigation for insider threats is the implementation of good role separation, security monitoring and auditing. Additionally, annual security training and education that includes policy as well as technical material is essential. Reviewing access and privileges regularly to maintain a least-privilege posture is important.
COVID-19 CONSIDERATIONS
There has been a dramatic increase in cyber scams and attacks since the COVID-19 pandemic began (Gallagher, 2020). There has also been an increase in spam and phishing attacks that use COVID-19 in their approach. Many of these are being used to spread malware. Most organizations have existing security protections in place against these types of attacks. Still, to be most effective, security personnel should update spam filters, anti-virus signatures and message hygiene solutions, and educate their population about these current risks.
The cloud can provide benefits for organizations adapting to the new COVID-19 requirements. For example, it provides a mechanism to increase capacity rapidly. Systems resident in the cloud do not require local operations for maintenance. This removes some planning and logistical challenges. The trade-off is the need to ensure your cloud service providers have an effective plan for maintaining their operations during the COVID-19 period (Bridgwater, 2020). Since COVID-19 has forced organizations to embrace remote work, the cloud can be an effective platform to ensure business continuity during a global pandemic (Krill, 2020).
With this in mind, the most direct security threat today is how the edge has shifted from inside the organization’s network perimeter into each worker’s household. This threat includes the use of workstations or mobile devices that are no longer under the enterprise’s direct control.
Employees are accessing and potentially storing the organization’s data. In fact, to help facilitate work-from-home scenarios, some organizations might be forced to migrate systems and data to the cloud that were previously accessible only within the organization’s perimeter. Applications and services that never contemplated this type of remote access might have exposures (SC Media, 2020). These potential exposures need to be evaluated before hastily migrating to the cloud.
Risk mitigation begins with acknowledging the basics of protecting data in transit and protecting data at rest. Virtual private network technologies or other encrypted communications are essential to protect in-transit information. Encryption technologies, along with well-written and enforceable security policies, can be used to protect data residing on devices outside the boundaries of the organization. Network access control solutions can further protect an organization from compromised end devices.
These will be trying times for organizations, and cybersecurity is more important than ever.
Cloud security risks look like the challenges that IT security professionals have dealt with since the days of big iron. Changing one’s technology platform to the cloud requires a new set of tools to address these longstanding challenges.
There are unique risks, but the most prominent are those that have always perplexed CSOs and administrators: secure the organization’s data, reduce misconfiguration, systematically implement security, manage identities and access, and defend against the negligent or malicious insider.
This article originally appeared in the July / August 2020 issue of Security Today.