Vulnerabilities / Threats
9/29/2016
10:30 AM
Tim Prendergast
Tim Prendergast
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Fear & Loathing In The Cloud

Whether you've already bought your ticket for the cloud or still have some issues to sort through, fine-tune your security practices to make sure your ride is a smooth one.

For those of us who started our careers amid the structure and disciplined rigor of old-school, waterfall, data center-centric application development, the cloud seems like a psychedelic trip straight out of a Hunter S. Thompson book. Code is being deployed in nearly continuous fashion. Servers are history. Penetration tests are so out of date by the time they're done, you might as well have not even tried. It can be overwhelming, and there are days you probably want to jump in a red Chevrolet Impala and hit the road.

Each week, I talk to folks in enterprises who are either beginning or accelerating their to move from traditional on-premises infrastructure to the cloud. They anticipate they will realize benefits including increased agility, reduced costs, flexibility, and ease of use. But along with this transition there are new security concerns, fear, and, yes, sometimes a little bit of loathing. They've heard cloud stories from their friends, after all.

However, almost all organizations recognize that they need to adapt and modernize their security policies and posture so they can continue to achieve corporate goals while taking advantage of everything the cloud offers. Security can be the ultimate accelerator or the biggest blocker in cloud adoption and technical innovation. Many security and development professionals are struggling to find the right cloud security approach to fit their modern IT practices. They worry most about the lack of control and visibility but also don't want to see their organizations fall behind competitors because they've slowed or blocked cloud adoption.

When it comes to cloud security today, there are many issues that organizations are trying to sort through, but here are a few I hear the most. 

  1. Organizations viewing the cloud as just another product: You can't make an assessment of your security today and assume it holds true tomorrow. Heck, it probably won't hold true an hour from now. The cloud is living, breathing, and rapidly changing. Security within this constantly changing environment has to be continuous, or it won't be effective. Traditional security solutions weren't created to fit the rapidly changing elastic infrastructure of the cloud. While attacks become increasingly automated, you need to adopt new security tools and techniques to work effectively in this new ecosystem.   

  2. Traditional scanning won't do: Traditional data center solutions rely on being in the path of traffic, being deployed within an application or operating system, or on traditional network-based IP scanning techniques. That approach doesn't work in the cloud. Users run application stacks on abstracted services and platform-as-a-service layers or leverage API-driven services that render conventional security solutions ineffective. Cloud environments are so fundamentally different from their static on-premises counterparts that they require an entirely new way of administering security practices, and this means adopting new cloud security technologies that provide extreme visibility.

  3. Differentiating real security issues from "noise": Teams working in the cloud benefit from speed and acceleration, but it's important to recognize how their approach to security must be vastly different. Discerning real vulnerabilities from solely infrastructure noise is a major challenge. All this change and noise make a manual inspection of the infrastructure too slow to be effective. The API-centric cloud world requires a new way for defenders to protect their environments, but not all cloud and IT teams really understand these security nuances. Security automation is one way to overcome the knowledge and skills shortfall that exists in every development and IT shop.

  4. Lack of compliance with API-driven cloud security: The emergence of API-driven cloud service suites has changed the way security must be architected, implemented, and managed. While the API is a completely new threat surface that we need to defend, it also provides the ability to automate detection and remediation. As new compliance benchmarks such as the CIS AWS Foundations Benchmark are released, we will have a means to assess our security posture against industry-defined best practices and ensure that we're taking the right steps to keep our customers, employees, infrastructure, and intellectual property secure. Cloud migration is happening quickly, and compliance with rapidly evolving security requirements is an ever-increasing challenge that must be resolved through automation. 

Whether your organization was born in the cloud, is migrating to the public cloud, is building out a private cloud, or has a crazy complex hallucination-inducing hybrid cloud strategy, the cloud is happening, and it's an absolute necessity that we adapt our security practices. No longer is security left to the security guys: we all have a part in creating a holistic, continuous, and rapid security program fit to support the cloud. As Hunter S. Thompson wrote, "Buy the ticket, take the ride."

Related Content:

Tim Prendergast co-founded Evident.io to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level.  After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
TerryB
50%
50%
TerryB,
User Rank: Ninja
10/4/2016 | 12:39:54 PM
Re: Fear & Loathing In The Cloud
@anna.beh, I have to wonder what you do to make a statement like "obligated to go to cloud"? Give me one good reason to make your manufacturing shop floor dependent on an internet connection to get product labels printed after they make them? Or look up the next thing they need to make? 

And the cloud is more expensive in almost every case, from the rent you pay for everything to the beefed up WAN connections you need to depend on an internet based service. 

Unless you are playing the private cloud card, which is nothing more than fancy name for the virtualization movement that has been going on since the term "cloud" first came out.

I'm thinking your job is heavily vested in some cloud company to make a statement like that. 
alman153
50%
50%
alman153,
User Rank: Apprentice
10/4/2016 | 12:44:18 AM
security for cloud computing
There needs to be development for security in cloud use so that way businesses can stay more secure. It would also be nice to see some of the main vendors offering certifications for cloud security.
macker490
50%
50%
macker490,
User Rank: Ninja
10/3/2016 | 8:05:30 AM
actual purpose
many of us are inclined to believe the Real Purpose of "The Cloud" -- is (1) surveillance; and (2) license enforcement;   iow regulation of digital and network activity;
anna.beh
50%
50%
anna.beh,
User Rank: Apprentice
9/30/2016 | 3:19:09 AM
Fear & Loathing In The Cloud
Today it is an obligation for companies to move to the cloud, but is it that security can be guaranteed in the same way? I'm not sure and I understand the fears of the company for the transition to the cloud!
clone99
100%
0%
clone99,
User Rank: Apprentice
9/29/2016 | 11:12:17 AM
Makes me thing of this wonderful sticker :) and statment Cloud, what could go wrong :)
https://www.stickermule.com/marketplace/12529-cloud-what-could-go-wrong

Its these types of thoughts that really make me think about some of the blind followers who simply think going to cloud will solve all of their enterprise problems.

And finding it might be easier only if you think about all the little things, but at the end its not perfect solution always.
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Darn - typed UNICORN instead of UNICODE.  
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.