Cloud

3/21/2016
08:23 AM
Joshua Goldfarb
Commentary

Cloud Security: Understanding New Risks, Rising To New Challenges

In a business world dominated by the cloud, security ops has to change the way we play the game in order to accomplish our strategic goals.

During the course of my travels, there is one topic that comes up in nearly every meeting I attend: organizations moving to the cloud. Whether we like it or not, cloud migration is upon us, and the pace at which it is occurring seems to increase with each passing day.  Many organizations I work with have already moved a number of business functions to the cloud, are in the process of doing so, or are seriously evaluating or planning for a move in this direction.

From a business perspective, this is not surprising. The cloud provides the attractive benefits of both lower cost and greater business continuity to an organization.  Not surprisingly, it can also introduce additional risk.  Of course, as security professionals, our primary duty is to mitigate unacceptable risk to the business.

But in the case of a move to the cloud, security managers won't win any friends or influence any people by fighting what is shaping up to be one of the biggest business transformations in recent history. Better to focus on understanding the risk that a move to the cloud presents, with the ultimate goal of understanding how best to mitigate it. What additional risks does an organization face in the cloud? While not an exhaustive list, here are four critical ones:

  • Explosive variety: Sensitive, proprietary, or confidential information becomes accessible from nearly everywhere and every type of device.  That means we need to think about protecting that critical data wherever it may transit or rest, even if that means thinking about doing so on a record number of different “endpoint” platforms.
  • Limited visibility: The move to the cloud takes us outside the traditional confines of the enterprise network and the telemetry collection it affords. Because of this, visibility across the wide variety of endpoints for logging, monitoring, and auditing purposes becomes critical. Otherwise, we have no ability to see what is going on outside the enterprise, which is where many newer endpoints live most of the time.
  • Weakened detection: Even the best, most precise, highly tuned alerting content cannot facilitate detection if there is no underlying data supporting it.  Limited visibility means weakened detection, unfortunately.
  • Impeded response: Even if I have good visibility and detection across my cloud environment, I still face response challenges.  If an endpoint (of any variety) becomes compromised, I need to contain and remediate the compromise.  But what if that endpoint is on the other side of town, the other side of the country, or halfway around the world?  Today’s mobility means that I need to think about how I will contain and remediate compromise in an environment where endpoints are nearly always on the move.

Risks & Challenges

The move to the cloud creates interesting challenges for security organizations, not the least of which is learning how to work more collaboratively with the business. This is important to ensure that security operations retains the ability to operate (and to respond to incidents) as the environment changes. This is a bit of a philosophical change from our role in the past, but it is one we are going to need to get used to. Here are my thoughts on how to maintain continuity in security ops and incident response in this rapidly changing environment:

  • Visibility: Again, visibility is one of the first and most serious casualties of the move to the cloud.  Do we have the necessary visibility into the various endpoints where critical data transits and resides?  If not, this is something we need to think about across all types of endpoints (laptops, thin clients, tablets, smartphones, etc.).
  • Access: Can we get our service providers to grant us access to our log data?  Do we have the necessary access to the endpoint?  Both of these will help us prevent our detection from being weakened.  In addition, they can also help us tremendously during incident response.  What exactly happened and when?  Do I need to contain and remediate one or more endpoints remotely?  Access to the right data is the key to answering those questions.
  • Controls: It will be important to implement a reasonable set of controls across a wide variety of endpoints. If we remember the amount of coveted data that transits these devices, we can easily see why we want to maintain as much control as is feasible without significantly impeding business operations. There is significant room to improve here, given where we are currently.
  • Agreements: Do we have the right agreements in place with our service providers come response time?  If we need to respond to an incident involving one or more of our outsourced business functions, do we have the necessary procedures, relationships, and access in place to do so?  If not, this is something to think about as well.
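The "Weakened detection" point above and the Visibility and Access items in this list come down to one question a SOC can actually test: is every source we expect telemetry from still delivering it? The script below is an added example, not code from the article or from any product the author describes. It takes a hypothetical inventory of log sources (endpoints, a SaaS audit log, a cloud API trail), each with the longest gap between events we consider normal, parses a constructed "last event received" export of the kind a log collector can produce, and reports which sources have gone silent, which have never reported, and which are reporting without being inventoried. All host names, service names, timestamps and the export format are constructed for the example.

```python
"""Telemetry coverage check for a mixed enterprise/cloud estate.

Added example, not the article's own code. Every source in INVENTORY is
expected to deliver events at least every `max_gap`; a source that has not
is a place where alerting content has no data to fire on.
All names, timestamps and the export format below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Hypothetical inventory: source name -> (kind, longest acceptable silence).
INVENTORY = {
    "laptop-ann":      ("endpoint", timedelta(hours=1)),
    "laptop-bob":      ("endpoint", timedelta(hours=1)),
    "phone-carol":     ("endpoint", timedelta(hours=4)),
    "saas-crm-audit":  ("saas",     timedelta(minutes=30)),
    "saas-hr-audit":   ("saas",     timedelta(minutes=30)),
    "cloud-api-trail": ("iaas",     timedelta(minutes=15)),
}

# Constructed collector export, one line per source that has ever reported:
#   <source> last_event=<ISO-8601 UTC timestamp>
COLLECTOR_EXPORT = """\
laptop-ann last_event=2016-03-21T07:50:00Z
laptop-bob last_event=2016-03-20T18:05:00Z
saas-crm-audit last_event=2016-03-21T08:10:00Z
cloud-api-trail last_event=2016-03-21T05:00:00Z
rogue-share-drive last_event=2016-03-21T08:00:00Z
"""

# Fixed "now" so the example is deterministic (the article's publication time).
NOW = datetime(2016, 3, 21, 8, 23, tzinfo=timezone.utc)


def parse_collector_export(text):
    """Return {source: last_event_datetime} from the export lines."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(kv["last_event"], "%Y-%m-%dT%H:%M:%SZ")
        seen[name] = ts.replace(tzinfo=timezone.utc)
    return seen


def coverage_gaps(inventory, seen, now=NOW):
    """Classify every inventoried source, and flag reporters that are not inventoried.

    Returns a sorted list of (source, kind, status) with status one of:
      'ok'      - last event within the acceptable gap
      'silent'  - has reported before, but not within the acceptable gap
      'never'   - in inventory, no event ever received
      'unknown' - reporting, but nobody put it in the inventory
    """
    report = []
    for name, (kind, max_gap) in inventory.items():
        if name not in seen:
            report.append((name, kind, "never"))
            continue
        status = "silent" if now - seen[name] > max_gap else "ok"
        report.append((name, kind, status))
    for name in seen:
        if name not in inventory:
            report.append((name, "?", "unknown"))
    return sorted(report)


def blind_spots(inventory, seen, now=NOW):
    """Sources where detection currently has no data to work with."""
    return [n for n, _k, s in coverage_gaps(inventory, seen, now) if s in ("silent", "never")]


if __name__ == "__main__":
    seen = parse_collector_export(COLLECTOR_EXPORT)
    for name, kind, status in coverage_gaps(INVENTORY, seen):
        print(f"{status:8} {kind:9} {name}")
    print("blind spots:", blind_spots(INVENTORY, seen))
```

Run against the constructed data, the laptop that last checked in the previous evening and the cloud API trail that stopped at 05:00 come back as silent, the phone and the HR audit log as never, and the uninventoried share drive as unknown. The "unknown" case is the one that exposes the Agreements item: a source that reports without anyone owning it is one nobody will think to pull during an incident. In practice the per-source `max_gap` should come from observed behaviour (a roaming laptop legitimately goes quiet for hours; a cloud audit trail should not), and the "never" list is the input to the conversation with the service provider about log access.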

Fighting the move to the cloud is a losing battle. But that doesn’t mean we have to throw our arms up and give up on mitigating risk through other means. What the attackers are most often after is our sensitive, confidential, or proprietary information. When we shift our risk mitigation focus to protecting that data, regardless of where it transits or resides, it allows us to devise a strategy to continue to operate in today’s rapidly changing environment. Even in a business world dominated by the cloud, we can still accomplish our strategic security objectives.  We just have to change the way we play the game a bit.


Josh (Twitter: @ananalytical) is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA and also serves as security advisor to ExtraHop. Prior to ...