Cloud

3/21/2016
Joshua Goldfarb
Commentary

Cloud Security: Understanding New Risks, Rising To New Challenges

In a business world dominated by the cloud, security ops has to change the way we play the game in order to accomplish our strategic goals.

During the course of my travels, there is one topic that comes up in nearly every meeting I attend: organizations moving to the cloud. Whether we like it or not, cloud migration is upon us, and the pace at which it is occurring seems to increase with each passing day.  Many organizations I work with have already moved a number of business functions to the cloud, are in the process of doing so, or are seriously evaluating or planning for a move in this direction.

From a business perspective, this is not surprising. The cloud provides the attractive benefits of both lower cost and greater business continuity to an organization.  Not surprisingly, it can also introduce additional risk.  Of course, as security professionals, our primary duty is to mitigate unacceptable risk to the business.

But in the case of a move to the cloud, security managers won’t win any friends or influence any people by fighting what is shaping up to be one of the biggest business transformations in recent history.  Better to focus on understanding the risk that a move to the cloud presents, with the ultimate goal of understanding how best to mitigate that risk.  What are some of the additional risks that an organization faces in the cloud?  While not an exhaustive list, here are a critical four:

  • Explosive variety: Sensitive, proprietary, or confidential information becomes accessible from nearly everywhere and every type of device.  That means we need to think about protecting that critical data wherever it may transit or rest, even if that means thinking about doing so on a record number of different “endpoint” platforms.
  • Limited visibility: The move to the cloud takes us out of the traditional confines and telemetry collection ability of the enterprise network. Because of this, visibility across the wide variety of endpoints for logging, monitoring, and auditing purposes becomes critical.  Otherwise, we don’t have the ability to see what’s going on outside of the enterprise, which is where many newer endpoints live most of the time.
  • Weakened detection: Even the best, most precise, highly tuned alerting content cannot facilitate detection if there is no underlying data supporting it.  Limited visibility means weakened detection, unfortunately.
  • Impeded response: Even if I have good visibility and detection across my cloud environment, I still face response challenges.  If an endpoint (of any variety) becomes compromised, I need to contain and remediate the compromise.  But what if that endpoint is on the other side of town, the other side of the country, or halfway around the world?  Today’s mobility means that I need to think about how I will contain and remediate compromise in an environment where endpoints are nearly always on the move.

Risks & Challenges

The move to the cloud creates interesting challenges for security organizations, not the least of which is learning how to work more collaboratively with the business. This is important to ensure that security operations retain our ability to operate (and respond to incidents) as the environment changes.  This is a bit of a philosophical change from our role in the past, but it is one we are going to need to get used to. Here are my thoughts on how to maintain continuity in security ops and incident response in this rapidly changing environment:

  • Visibility: Again, visibility is one of the first and most serious casualties of the move to the cloud.  Do we have the necessary visibility into the various endpoints where critical data transits and resides?  If not, this is something we need to think about across all types of endpoints (laptops, thin clients, tablets, smartphones, etc.).
  • Access: Can we get our service providers to grant us access to our log data?  Do we have the necessary access to the endpoint?  Both of these will help us prevent our detection from being weakened.  In addition, they can also help us tremendously during incident response.  What exactly happened and when?  Do I need to contain and remediate one or more endpoints remotely?  Access to the right data is the key to answering those questions.
  • Controls: It will be important to implement a reasonable set of controls across a wide variety of endpoints. If we remember the amount of coveted data that transits these devices, we can easily see why we want to maintain as much control as is feasible without significantly impeding business operations. There is significant room to improve here, given where we are currently.
  • Agreements: Do we have the right agreements in place with our service providers come response time?  If we need to respond to an incident involving one or more of our outsourced business functions, do we have the necessary procedures, relationships, and access in place to do so?  If not, this is something to think about as well.
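The "Limited visibility" and "Weakened detection" risks above, and the "Visibility" and "Access" items in this list, come down to one operational question: which endpoints and service providers that are supposed to feed our logging have gone quiet, and which alerting content is therefore running on no data? The script below is an added example, not part of the original commentary; the endpoint inventory, the JSON event lines, the detection-rule names and the 30-minute threshold are all constructed for illustration.

```python
"""Log-source visibility check (added example, not from the original article).

Given an inventory of endpoints and cloud services that are expected to send
telemetry, plus the events actually received, report which (host, source) pairs
have gone silent and which detection rules are starved of the data they need.
All inventory entries, events and rules below are constructed sample data.
"""
from datetime import datetime, timedelta, timezone
import json

# Constructed inventory: each endpoint/service and the telemetry it should send.
EXPECTED_SOURCES = {
    "laptop-017": {"edr", "auth"},
    "tablet-042": {"mdm"},
    "saas-hr-tenant": {"saas-audit"},
    "phone-201": {"mdm"},
}

# Constructed event lines, one JSON object per line, as a log pipeline might deliver them.
SAMPLE_EVENTS = """\
{"ts": "2016-03-21T08:00:00Z", "host": "laptop-017", "source": "edr", "msg": "process start"}
{"ts": "2016-03-21T08:05:00Z", "host": "laptop-017", "source": "auth", "msg": "logon ok"}
{"ts": "2016-03-21T07:10:00Z", "host": "tablet-042", "source": "mdm", "msg": "checkin"}
{"ts": "2016-03-21T08:20:00Z", "host": "saas-hr-tenant", "source": "saas-audit", "msg": "export"}
"""

# Constructed detection rules: each names the telemetry source(s) it depends on.
DETECTION_RULES = {
    "credential-stuffing": {"auth", "saas-audit"},
    "malware-on-endpoint": {"edr"},
    "jailbroken-device": {"mdm"},
}


def parse_events(text):
    """Parse newline-delimited JSON events; timestamps become aware UTC datetimes."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def last_seen(events):
    """Return {(host, source): latest timestamp} over the received events."""
    seen = {}
    for ev in events:
        key = (ev["host"], ev["source"])
        if key not in seen or ev["ts"] > seen[key]:
            seen[key] = ev["ts"]
    return seen


def silent_sources(expected, events, now, max_age):
    """Expected (host, source) pairs that have not reported within max_age of now."""
    seen = last_seen(events)
    silent = []
    for host, sources in expected.items():
        for src in sorted(sources):
            ts = seen.get((host, src))
            if ts is None or now - ts > max_age:
                silent.append((host, src))
    return sorted(silent)


def starved_rules(rules, silent):
    """Rules that depend on a telemetry source missing from at least one expected host."""
    missing_sources = {src for _, src in silent}
    return sorted(name for name, needs in rules.items() if needs & missing_sources)


def main():
    now = datetime(2016, 3, 21, 8, 30, tzinfo=timezone.utc)  # constructed "current" time
    events = parse_events(SAMPLE_EVENTS)
    silent = silent_sources(EXPECTED_SOURCES, events, now, timedelta(minutes=30))
    for host, src in silent:
        print(f"visibility gap: {host} has not sent {src} telemetry in the last 30 minutes")
    for rule in starved_rules(DETECTION_RULES, silent):
        print(f"detection gap: rule '{rule}' lacks data for at least one expected host")


if __name__ == "__main__":
    main()
```

In practice the inventory comes from the asset or MDM system and the events from the SIEM or the provider's audit-log export; the point of the check is that a silent source is a visibility finding in its own right, and that any rule built on that source is giving false assurance until access to the data is restored.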

Fighting the move to the cloud is a losing battle. But that doesn’t mean we have to throw our arms up and give up on mitigating risk through other means. What the attackers are most often after is our sensitive, confidential, or proprietary information. When we shift our risk mitigation focus to protecting that data, regardless of where it transits or resides, it allows us to devise a strategy to continue to operate in today’s rapidly changing environment. Even in a business world dominated by the cloud, we can still accomplish our strategic security objectives.  We just have to change the way we play the game a bit.


Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ...