Combating Security Risks

Various defenses needed to ensure risks, mitigations are under control

Cloud security is an increasing concern as more organizations transition to use public cloud providers in either a hybrid or cloud-native model. The initial step in any information technology security process where new technology is being implemented is to understand the risks that an organization is incurring.

Consider this information as you explore some of the types of risks associated with the inclusion of a cloud provider service (CPS) as part of a company’s infrastructure.

The following areas are considered among the highest associated with cloud computing (Cloud Security Alliance, 2020): Data breaches; Misconfiguration; Lack of cloud security architecture; Insufficient identity and access management; and Insider threat.

The world is experiencing the widespread impact of the COVID- 19 pandemic. This pandemic is causing disruptions and forcing changes upon businesses and individuals. Thus, changes of this magnitude deserve a re-assessment of an organization’s cybersecurity priorities and approaches.

Data breaches. These have often been high-visibility events reported in the news and causing substantial reputational harm. Beyond major data breaches, even low levels of data leakage can cause severe harm to an organization. This can start with reputational and brand injury; however, it can include loss of intellectual property or legal and regulatory liabilities.

When referring to the cloud, the key issues are whethser appropriate controls are in place. Controls should include robust auditing and reporting tools that can be implemented within the cloud platform. Auditing is important to help identify a breach or potential breach early on, which can dramatically mitigate the harm. This area can be a key deficiency in public cloud platforms where an organization may be relying on the provider to implement appropriate tools, and the organization’s existing toolset cannot operate within the cloud. At a minimum, a deep understanding of the environment and tools will need to be developed and incorporated into an organization’s cloud adoption process.

Another important mitigating technology is encryption and its associated key management service (U.S. NSC, 2020). The use of encryption, along with secure key management processes, can provide an additional layer of protection from a data breach event.

Misconfiguration. This is one of the most common security issues in public cloud environments (U.S. NSC, 2020). Security miscon figurations often lead to data breaches.

There are a few significant reasons why this risk is so prevalent. For one, the cloud platform is new for many organizations. They may lack the immediate knowledge and skills to implement con- figurations that approximate those in their existing environment. Secondly, their existing practices may not be appropriate for the cloud. A third reason is the cloud is more dynamic than existing on premise services. The configuration options and implementation can change, requiring more due diligence.

One powerful tool that can be leveraged to increase configuration consistency is automation. Using provisioning and configuration scripts can reduce the opportunity for misconfiguration and improve the rate of implementation and quality checks. Using automation allows additional review and auditing to reduce errors and improve security. A least-privilege practice is recommended as a baseline.

LACK OF CLOUD SECURITY ARCHITECTURE

Organizations often seem to stumble into the cloud without a defined and deliberate approach that provides an opportunity to address the foundations. There are many reasons for this, including time constraints or lack of technical understanding. Organizations that engage in “lift and shift” migrations attempting to apply their existing security practice haphazardly, often encounter difficulties (Cloud Security Alliance, 2020).

Cloud security concerns can be addressed by reviewing organizational security policies as they relate to cloud technology. The policies and principles of the organization should be durable, with the implementation being dependent on what the cloud platform provides. Items such as defense-in-depth, or managing privileged accounts are entirely valid; however, they should be mapped to the specific cloud provider capabilities.

INSUFFICIENT IDENTITY AND ACCESS MANAGEMENT

Identity and access management require a specific focus in cloud implementations. The first is addressing risks that occur with a large public-facing front door. In hybrid cloud implementations, identity federation infrastructure can be introduced. This is yet another security technology that needs to be reviewed, implemented and monitored. This requires new maintenance operating procedures and role identification. Cloud services may introduce new highprivileged accounts that need to be managed, such as a “subscription manager.” Password complexity needs to be defined, as well.

If an organization is using role-based access, what new roles are required? How will these new roles be managed? In the past, rolebased access had a significant impact on security because of miscon figuration issues. The results of a credential being compromised in the cloud could result in the exposure of information inside the organization’s existing perimeter.

Risks of compromised identities can be reduced by using multifactor identity solutions. Password policies, where applicable, should follow the existing internal standards. Federation and identity solutions should avoid storing or transmitting passwords that are not securely hashed or secured in another manner. Separation of duties can be a significant defensive approach, too. Application developers should not implement their credential stores, which could introduce new ways for credentials to be compromised.

INSIDER THREAT

Unlike external threats, insiders do not need to break into an organization’s computer systems. They already have some level of trusted access. Most unwelcome insider risks are due to negligence rather than malicious intent (Cloud Security Alliance, 2020). Insiders can compromise intellectual property, sensitive data, or compromise additional credentials. In some circumstances, there is a data breach; in others, it would be described as “data leakage.” As with any data breach, the organization’s reputation and brand are at stake. Negligence or lack of training can result in a significant negative impact.

The best mitigation for insider threats is the implementation of good role separation, security monitoring and auditing. Additionally, annual security training and education that includes policy, as well as technical material, is essential. Reviewing access and privileges regularly to maintain a least-privilege posture is important.

COVID-19 CONSIDERATIONS

There has been a dramatic increase in cyber scams and attacks since the COVID-19 pandemic began (Gallagher, 2020). There has also been an increase in spam and phishing attacks that use COVID-19 in their approach, as well. Many of these are being used to spread malware. Most organizations have existing security protections in place against these types of attacks. Still, to be most effective, security personnel should update spam filters, anti-virus signatures, message hygiene solutions and educate their population about these current risks.

The cloud can provide benefits for organizations adapting to the new COVID-19 requirements. For example, it provides a mechanism to increase capacity rapidly. Systems residents in the cloud do not require local operations for maintenance. This removes some planning and logistical challenges. The trade-off is to ensure your cloud service providers have an effective plan for maintaining their operations during the COVID-19 period (Bridgwater, 2020). Since COVID-19 has forced organizations to embrace remote work, the cloud can be an effective platform to ensure business continuity during a global pandemic (Krill, 2020).

With this in mind, the most direct security threat today is how the edge has shifted from inside the organization’s network perimeter into each worker’s household. This threat includes using workstations or mobile devices that are no longer under the enterprise’s direct control.

Employees are accessing and potentially storing the organization’s data. In fact, to help facilitate work-from-home scenarios, some organizations might be forced to migrate systems and data to the cloud that were previously accessible only within the organization perimeter. Applications and services that never contemplated this type of remote access might have exposures (SC Media, 2020). These potential exposures need to be evaluated before hastily migrating to the cloud.

Mitigation risk begins with the acknowledgement of the basics of protecting data in transit and protecting data at rest. Virtual private network technologies or other encrypted communications are essential to protect in-transit information. The use of encryption technologies, along with well-written and enforceable security policies, can be used to protect data residing on devices outside the boundaries of the organization. The use of network access control solutions can further protect an organization from compromised end devices.

These will be trying times for organizations and cybersecurity is more important than ever.

Cloud security risks look like the challenges that IT security professionals have dealt with since the days of big iron. Changing one’s technology platform to the cloud requires a new set of tools to address these longstanding challenges.

There are unique risks, but the most prominent are those that have always perplexed CSOs and administrators: secure the organization’s data, reduce misconfiguration, systematically implement security, manage identities and access, and defend against the negligent or malicious insider.

This article originally appeared in the July / August 2020 issue of Security Today.

Featured

  • Making the Grade with Locks and Door Hardware

    Managing and maintaining locks and door hardware across a school district or university campus is a big responsibility. A building’s security needs to change over time as occupancy and use demands evolve, which can make it even more challenging. Knowing the basics of common door hardware, including locks, panic devices and door closers, can make a difference in daily operations and emergency situations. Read Now

  • Choosing the Right Solution

    Today, there is a strong shift from on-prem installations to cloud or hybrid-cloud deployments. As reported in the 2024 Genetec State of Physical Security report, 66% of end users said they will move to managing or storing more physical security in the cloud over the next two years. Read Now

  • New Report Reveals Top Security Risks for U.S. Retail Chains

    Interface Systems, a provider of security, actionable insights, and purpose-built networks for multi-location businesses, has released its 2024 State of Remote Video Monitoring in Retail Chains report. The detailed study analyzed over 2 million monitoring requests across 4,156 retail locations in the United States from September 2023 to August 2024. Read Now

  • Gaining a Competitive Edge

    Ask most companies about their future technology plans and the answers will most likely include AI. Then ask how they plan to deploy it, and that is where the responses may start to vary. Every company has unique surveillance requirements that are based on market focus, scale, scope, risk tolerance, geographic area and, of course, budget. Those factors all play a role in deciding how to configure a surveillance system, and how to effectively implement technologies like AI. Read Now

Featured Cybersecurity

Webinars

New Products

  • Automatic Systems V07

    Automatic Systems V07

    Automatic Systems, an industry-leading manufacturer of pedestrian and vehicle secure entrance control access systems, is pleased to announce the release of its groundbreaking V07 software. The V07 software update is designed specifically to address cybersecurity concerns and will ensure the integrity and confidentiality of Automatic Systems applications. With the new V07 software, updates will be delivered by means of an encrypted file. 3

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3