3/21/2016
Joshua Goldfarb
Commentary

Cloud Security: Understanding New Risks, Rising To New Challenges

In a business world dominated by the cloud, security ops has to change the way we play the game in order to accomplish our strategic goals.

During the course of my travels, there is one topic that comes up in nearly every meeting I attend: organizations moving to the cloud. Whether we like it or not, cloud migration is upon us, and the pace at which it is occurring seems to increase with each passing day.  Many organizations I work with have already moved a number of business functions to the cloud, are in the process of doing so, or are seriously evaluating or planning for a move in this direction.

From a business perspective, this is not surprising. The cloud provides the attractive benefits of both lower cost and greater business continuity to an organization.  Not surprisingly, it can also introduce additional risk.  Of course, as security professionals, our primary duty is to mitigate unacceptable risk to the business.

But in the case of a move to the cloud, security managers won’t win any friends or influence any people by fighting what is shaping up to be one of the biggest business transformations in recent history. Better to focus on understanding the risk that a move to the cloud presents, with the ultimate goal of understanding how best to mitigate that risk. What are some of the additional risks that an organization faces in the cloud? While not an exhaustive list, here are four critical ones:

  • Explosive variety: Sensitive, proprietary, or confidential information becomes accessible from nearly everywhere and every type of device.  That means we need to think about protecting that critical data wherever it may transit or rest, even if that means thinking about doing so on a record number of different “endpoint” platforms.
  • Limited visibility: The move to the cloud takes us out of the traditional confines and telemetry collection ability of the enterprise network. Because of this, visibility across the wide variety of endpoints for logging, monitoring, and auditing purposes becomes critical.  Otherwise, we don’t have the ability to see what’s going on outside of the enterprise, which is where many newer endpoints live most of the time.
  • Weakened detection: Even the best, most precise, highly tuned alerting content cannot facilitate detection if there is no underlying data supporting it.  Limited visibility means weakened detection, unfortunately.
  • Impeded response: Even if I have good visibility and detection across my cloud environment, I still face response challenges.  If an endpoint (of any variety) becomes compromised, I need to contain and remediate the compromise.  But what if that endpoint is on the other side of town, the other side of the country, or halfway around the world?  Today’s mobility means that I need to think about how I will contain and remediate compromise in an environment where endpoints are nearly always on the move.

Risks & Challenges

The move to the cloud creates interesting challenges for security organizations, not the least of which is learning how to work more collaboratively with the business. This is important to ensure that security operations retain the ability to operate (and respond to incidents) as the environment changes. This is a bit of a philosophical change from our role in the past, but it is one we are going to need to get used to. Here are my thoughts on how to maintain continuity in security ops and incident response in this rapidly changing environment:

  • Visibility: Again, visibility is one of the first and most serious casualties of the move to the cloud.  Do we have the necessary visibility into the various endpoints where critical data transits and resides?  If not, this is something we need to think about across all types of endpoints (laptops, thin clients, tablets, smartphones, etc.).
  • Access: Can we get our service providers to grant us access to our log data?  Do we have the necessary access to the endpoint?  Both of these will help us prevent our detection from being weakened.  In addition, they can also help us tremendously during incident response.  What exactly happened and when?  Do I need to contain and remediate one or more endpoints remotely?  Access to the right data is the key to answering those questions.
  • Controls: It will be important to implement a reasonable set of controls across a wide variety of endpoints. If we remember the amount of coveted data that transits these devices, we can easily see why we want to maintain as much control as is feasible without significantly impeding business operations. There is significant room to improve here, given where we are currently.
  • Agreements: Do we have the right agreements in place with our service providers come response time?  If we need to respond to an incident involving one or more of our outsourced business functions, do we have the necessary procedures, relationships, and access in place to do so?  If not, this is something to think about as well.

Fighting the move to the cloud is a losing battle. But that doesn’t mean we have to throw our arms up and give up on mitigating risk through other means. What the attackers are most often after is our sensitive, confidential, or proprietary information. When we shift our risk mitigation focus to protecting that data, regardless of where it transits or resides, it allows us to devise a strategy to continue to operate in today’s rapidly changing environment. Even in a business world dominated by the cloud, we can still accomplish our strategic security objectives.  We just have to change the way we play the game a bit.

Josh is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA. Prior to joining IDRRA, Josh served as vice president, chief technology officer, ...