10:30 AM
Amrit Williams
Amrit Williams
Connect Directly
E-Mail vvv

Visibility: The Key To Security In The Cloud

You can't secure what you can't see. These five best practices will shed some light on how to protect your data from the ground up.

Moving to the cloud can help organizations accelerate IT delivery and drive business agility. But it can also open up gaping security holes, leaving a company exposed to cyberattack. This means any organization operating in the cloud now must answer these questions: “What cloud servers are being attacked and how will I know?”

Unfortunately, the answers aren’t easy to get. Traditional security tools, like firewalls and intrusion detection systems, work great within an organization’s four walls but they don’t help much when it comes to the cloud. The elastic, dynamic nature of virtual infrastructures makes it extraordinarily difficult for security teams to see what’s happening in the cloud. And without that visibility, it’s impossible for them to enforce consistent policies, detect vulnerabilities, and react quickly to abnormal behavior.

Want help from your cloud provider? That only takes you part of the way. Cloud providers typically don’t protect anything above the hypervisor layer, so security is mainly your responsibility. Say you want to spin up a Windows 2000 server in the cloud, or Red Hat Linux. Security for those instances is your job, not the cloud vendor’s.

It’s called the “shared responsibility” model—and it’s advertised loud and clear by all cloud providers. Amazon Web Services puts it this way: “While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter.”

Seems straightforward enough. But many customers are still confused. They think that because Amazon has all these great tools for protecting them up to the hypervisor that they’re then completely secure. What they don’t realize is that the security of the cloud instances they choose to spin up will always be their responsibility. Whether you’re operating in the public cloud or in a traditional datacenter, there are still critical control objectives you need to maintain, including data protection and threat management.

The consequences of weak cloud security can be dramatic. I recall the story of a business called Code Spaces that was forced to shut down after a hacker gained full access to its network, which was hosted in the cloud. The hacker demanded a ransom, which Code Space refused to pay. The hacker then deleted all of Code Space’s critical data, effectively destroying the company.

This is the quandary of protecting yourself in the cloud: you can’t secure what you can’t see. Thus gaining real-time visibility is paramount, especially for organizations looking to leverage the many different advantages of cloud infrastructure. And the situation becomes more complex as the organization uses more clouds—public, private, or hybrid—and combines them with its internal datacenters, which aren’t going away anytime soon.

So how do you get visibility in the cloud and ensure that you’re secure? You can start by understanding that security is your responsibility, then adhering to these five best practices.

1.  Continuous visibility. Know what’s going on with your infrastructure, applications, data, and users at all times. Given the automated, elastic, on-demand nature of modern virtual infrastructure, achieving this visibility can be a challenge. But by knowing what you’ve got and what it’s doing at all times, you can limit your attack surface and mitigate risk.

2.  Exposure management. This means adding context to your visibility. Once you gain visibility and transparency, you can successfully eliminate the obvious vulnerabilities that are known to exist within your networks, such as out-of-date workstations and mobile devices.

3.  Strong access control. In fact, weak access control has been responsible for a number of high-profile breaches recently, including the notorious Ashley Madison hack. The Ashley Madison CEO himself has said that the perpetrator of the hack was an insider, probably a third-party contractor, who was granted way more access than necessary. So make sure you have the appropriate access management and privilege monitoring in place. And make sure you are continuously monitoring user activity to ensure there are no deviations from your corporate policies.

4.  Data protection. This is another essential. It means protecting data at rest and data in motion, and also implementing technologies like data loss prevention (DLP) to ensure that, if compromised, your data can’t be sent outside your network.

5.  Compromise management. You must accept the fact that even the most stringent security practices can’t prevent all breaches all the time. They will happen. So prepare to mitigate them when they do. Put processes and technologies in place that enable you to react quickly and subdue security breaches before they get out of control. Create an action plan before breaches happen, and then follow it as soon as a breach is detected.

If you can’t quickly and accurately see what’s going on across your entire infrastructure at all times, you run the risk of not knowing when you’re being attacked or compromised and reacting too late. It’s no use showing up with a hose after your network has been burned to the ground. You need continuous visibility, backed up with comprehensive security functions. These are critical steps toward improving your security posture, especially when you’re dealing with the dynamic, elastic nature of modern cloud computing environments.

Amrit Williams has over 20 years of experience in information security and is currently the chief technology officer of CloudPassage. Amrit has held a variety of engineering, management and consulting positions prior to joining CloudPassage. Previously, Williams was the ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
9/21/2015 | 10:42:25 AM
Your five best practices are best encapsulated by a Cloud App Security Broker. It will help you identify shadow IT as well as authorized apps and define policies for your ecosystem. You can do this based on app or an even better practice by action (Save, Upload, Share, etc)
Enrico Fontan
Enrico Fontan,
User Rank: Strategist
9/21/2015 | 3:09:42 AM
IT cannot outsource accountability
I agree with your tips. Compromise management, that's a good point to start.

Looking at "Code spaces" issue we can understand something about role-based access control and business continuity.

First a company with a cloud provider based infrastructure should have several accounts to manage segregation of duties and protect data (backup administrators, VMs administrators, ...). With such segregation, a possible attack to cloud instance administrator panel can be mitigated.

And what about the backup 3-2-1 rule? Three backup copies, two different media whit one offsite.

Company IT has to look at several IT security aspects because IT has always the accountability for everything. It's not possible to outsource it.
Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
White Hat to Black Hat: What Motivates the Switch to Cybercrime
Kelly Sheridan, Staff Editor, Dark Reading,  8/8/2018
PGA of America Struck By Ransomware
Dark Reading Staff 8/9/2018
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now about that mortgage refinance offer from Wells Fargo .....
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2018-08-14
Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 (A...
PUBLISHED: 2018-08-13
VMware Horizon 6 (6.x.x before 6.2.7), Horizon 7 (7.x.x before 7.5.1), and Horizon Client (4.x.x and prior before 4.8.1) contain an out-of-bounds read vulnerability in the Message Framework library. Successfully exploiting this issue may allow a less-privileged user to leak information from a privil...
PUBLISHED: 2018-08-13
Medtronic MMT 508 MiniMed insulin pump, 522 / MMT - 722 Paradigm REAL-TIME, 523 / MMT - 723 Paradigm Revel, 523K / MMT - 723K Paradigm Revel, and 551 / MMT - 751 MiniMed 530G The models identified above, when paired with a remote controller and having the "easy bolus" and "remote bolu...
PUBLISHED: 2018-08-13
Insecure configuration storage in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows remote attacker perform new attack vectors and take under control device and smart home.
PUBLISHED: 2018-08-13
Weak hashing algorithm in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows unauthenticated attacker extract clear text passwords and get root access on the device.