09:00 AM
By Jeremy Linden, Director of Product Management, Expanse
Sponsored Article

Discovering Cloud Unknown Unknowns

Cloud asset discovery is one of the most overlooked and least understood components of most organizations' cloud strategies. Here's why.

Discovering an organization's Internet edge was a straightforward effort when IT ran its own data centers and security was a matter of scanning a static list of IP addresses. Today, most organizations have, or are building, substantial cloud footprints. A major driver is developers, marketing, and other non-IT functions creating (and abandoning) assets in the cloud. Many of these unknown and unauthorized cloud assets sit in ephemeral IP space, making it even harder for organizations to get a holistic view of their cloud footprint for security and infrastructure management.

As global cloud adoption climbs, new IT and security challenges emerge that current tools fail to address. While securing known assets is straightforward, it is not possible to secure what is not known -- things like shadow IT and rogue development, both of which abound in the cloud. Enterprise cloud footprints present unique challenges including:

  • The failure of existing tools to discover cloud assets across authorized and unauthorized providers in a current, reliable, and comprehensive manner;
  • The ease and speed with which unknown and unauthorized cloud assets can be spun up and remain active and undiscovered;
  • The inability of existing tools to reliably distinguish owned assets from other assets in multi-tenant or ephemeral environments.

Managing and securing assets in ephemeral IP space requires a view of assets that is both current and accurate. Incumbent cloud management tools fail because they attribute a cloud IP address to an organization simply because that address was once seen hosting a company asset. This information quickly goes stale and is neither useful nor actionable for securing rogue cloud assets. As a result, security paradigms designed for static networks don't work in the cloud. Worse, relying on this ineffective approach can cause IT and security practitioners to scan, penetration test, and waste time investigating assets that aren't even theirs -- all while missing critical unknown cloud assets that create risk.

Many cloud management tool vendors argue that they provide a comprehensive view of assets via integrations with IaaS management interfaces. Dr. Marshall Kuypers, senior director of cyber risk at Expanse, cautions that "on the surface, this may seem like a good solution, but this strategy only covers what’s already being tracked, and that may provide a false security assurance."

Dr. Kuypers notes that these integrations fail to identify "unknown unknowns," which are routine in large organizations and result from out-of-policy marketing, development, and other business functions that drive rogue cloud deployments. Multi-tenancy exacerbates the issue since assets from more than one company can exist on the same IP.

Dr. Kuypers further states that customers who use Expanse's whole-of-Internet cloud discovery routinely find between 3% and 70% more cloud-based Internet assets than they were aware of -- and these assets typically include some of the riskiest misconfigurations on organizations' Internet edge. The discoveries typically include exposed (and sometimes already compromised) datastore services, abandoned development environments, and even pop-up e-commerce sites.

The "Whole-of-Internet" Approach
Today, an organization's cloud assets can reside in any provider in the world, including residential and commercial cloud providers. To fully solve the problem, organizations must take a discovery-first, "whole-of-Internet" approach to cloud security.

Once cloud assets are discovered and any risky misconfigurations are exposed, organizations can then leverage a myriad of cloud security tools on the market, or simply the IaaS console, to manage asset permissions and other configuration items. But cloud asset discovery must be a continuous process to maintain a clear and accurate picture of the organizational cloud footprint.
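The attribution problem described above (an IP address once seen hosting a company asset is not necessarily still the company's, and in multi-tenant space may host several organizations at once) comes down to how fresh and how unambiguous the evidence behind each attribution is. The following is an added illustration, not Expanse's code or any product's logic, of a small inventory reconciliation that contrasts the "ever seen" attribution the article criticizes with attribution that requires recent, unshared evidence, and then compares the result with what the organization already declares (for example, an export from its IaaS console) to surface the "unknown unknowns". All observations, organization names and IP addresses are constructed for the example; the 14-day freshness window and the one-day multi-tenancy window are arbitrary assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Observation:
    """One external sighting of an IP: what was served there, and which org that evidence resolves to."""
    ip: str
    seen_at: datetime
    evidence: str   # e.g. a TLS certificate subject observed on the IP (constructed)
    org: str        # organization the evidence was resolved to (constructed)


def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample sightings; IP addresses come from the RFC 5737 documentation ranges.
OBSERVATIONS = [
    Observation("203.0.113.10", utc(2019, 1, 2), "CN=www.example-corp.test", "ExampleCorp"),
    Observation("203.0.113.10", utc(2019, 1, 15), "CN=shop.other-tenant.test", "OtherCo"),   # IP re-assigned
    Observation("203.0.113.20", utc(2019, 1, 18), "CN=api.example-corp.test", "ExampleCorp"),
    Observation("203.0.113.30", utc(2019, 1, 19), "CN=dev-db.example-corp.test", "ExampleCorp"),
    Observation("198.51.100.5", utc(2018, 12, 1), "CN=old.example-corp.test", "ExampleCorp"),  # nothing recent
    Observation("203.0.113.40", utc(2019, 1, 19), "CN=cdn.example-corp.test", "ExampleCorp"),
    Observation("203.0.113.40", utc(2019, 1, 19), "CN=cdn.other-tenant.test", "OtherCo"),     # shared IP
]

# What the organization itself declares, e.g. exported from its IaaS console (constructed).
DECLARED_INVENTORY = {"203.0.113.10", "203.0.113.20"}

NOW = utc(2019, 1, 20)
MAX_AGE = timedelta(days=14)          # assumed freshness window for attribution evidence
SHARED_WINDOW = timedelta(days=1)     # assumed window for calling an IP multi-tenant


def ever_seen_attribution(observations, org):
    """The stale approach: an IP ever seen hosting one of org's assets is treated as org's forever."""
    return {o.ip for o in observations if o.org == org}


def latest_by_ip(observations):
    """Most recent observation per IP."""
    latest = {}
    for o in observations:
        if o.ip not in latest or o.seen_at > latest[o.ip].seen_at:
            latest[o.ip] = o
    return latest


def shared_ips(observations, window=SHARED_WINDOW):
    """IPs where evidence for two different orgs was seen within `window` of each other."""
    by_ip = {}
    for o in observations:
        by_ip.setdefault(o.ip, []).append(o)
    shared = set()
    for ip, obs in by_ip.items():
        if any(a.org != b.org and abs(a.seen_at - b.seen_at) <= window for a in obs for b in obs):
            shared.add(ip)
    return shared


def reconcile(observations, declared, org, now=NOW, max_age=MAX_AGE):
    """Attribute on fresh, unshared evidence only, then compare with the org's declared inventory."""
    latest = latest_by_ip(observations)
    shared = shared_ips(observations)
    current = {ip for ip, o in latest.items()
               if o.org == org and now - o.seen_at <= max_age and ip not in shared}
    ever = ever_seen_attribution(observations, org)
    return {
        "confirmed": current & declared,         # declared and freshly confirmed as org's
        "unknown_unknowns": current - declared,  # freshly org's, but absent from the declared inventory
        "stale": ever - current - shared,        # once org's; no fresh evidence, or now another tenant's
        "shared": shared,                        # multi-tenant IPs: review before attributing or scanning
    }


if __name__ == "__main__":
    print("ever-seen attribution:", sorted(ever_seen_attribution(OBSERVATIONS, "ExampleCorp")))
    for bucket, ips in reconcile(OBSERVATIONS, DECLARED_INVENTORY, "ExampleCorp").items():
        print(f"{bucket:17s}", sorted(ips))
```

Run stand-alone, the "ever seen" set still contains 203.0.113.10, which now serves another tenant, and 198.51.100.5, which has not been seen hosting anything of the organization's for weeks; both are what the article warns practitioners end up scanning and investigating needlessly. The reconciled view drops them as stale, flags 203.0.113.40 as shared rather than silently claiming it, and reports 203.0.113.30 (a development database not in the declared inventory) as the kind of unknown unknown the IaaS-integration approach cannot see. Because every conclusion depends on the observation timestamps, the same reconciliation has to be re-run as new sightings arrive, which is the continuous-discovery point made above.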

About the Author

Jeremy Linden is director of product management at Expanse. He has over ten years of experience in computer security, wearing hats that vary from security analyst to engineering and product management. Prior to Expanse, Jeremy held security product management roles at OpenDNS and Lookout.

1/4/2019 | 8:25:59 AM
To view a small example
Nothing in league with the scope of this article, but ever check on the sheer number of online resumes you have "out there"? Perhaps that is why I continue to receive NY State-based job notes when I live in Georgia.