Vulnerabilities / Threats

10:30 AM
Tim Prendergast
Tim Prendergast
Connect Directly
E-Mail vvv

Fear & Loathing In The Cloud

Whether you've already bought your ticket for the cloud or still have some issues to sort through, fine-tune your security practices to make sure your ride is a smooth one.

For those of us who started our careers amid the structure and disciplined rigor of old-school, waterfall, data center-centric application development, the cloud seems like a psychedelic trip straight out of a Hunter S. Thompson book. Code is being deployed in nearly continuous fashion. Servers are history. Penetration tests are so out of date by the time they're done, you might as well have not even tried. It can be overwhelming, and there are days you probably want to jump in a red Chevrolet Impala and hit the road.

Each week, I talk to folks in enterprises who are either beginning or accelerating their to move from traditional on-premises infrastructure to the cloud. They anticipate they will realize benefits including increased agility, reduced costs, flexibility, and ease of use. But along with this transition there are new security concerns, fear, and, yes, sometimes a little bit of loathing. They've heard cloud stories from their friends, after all.

However, almost all organizations recognize that they need to adapt and modernize their security policies and posture so they can continue to achieve corporate goals while taking advantage of everything the cloud offers. Security can be the ultimate accelerator or the biggest blocker in cloud adoption and technical innovation. Many security and development professionals are struggling to find the right cloud security approach to fit their modern IT practices. They worry most about the lack of control and visibility but also don't want to see their organizations fall behind competitors because they've slowed or blocked cloud adoption.

When it comes to cloud security today, there are many issues that organizations are trying to sort through, but here are a few I hear the most. 

  1. Organizations viewing the cloud as just another product: You can't make an assessment of your security today and assume it holds true tomorrow. Heck, it probably won't hold true an hour from now. The cloud is living, breathing, and rapidly changing. Security within this constantly changing environment has to be continuous, or it won't be effective. Traditional security solutions weren't created to fit the rapidly changing elastic infrastructure of the cloud. While attacks become increasingly automated, you need to adopt new security tools and techniques to work effectively in this new ecosystem.   

  2. Traditional scanning won't do: Traditional data center solutions rely on being in the path of traffic, being deployed within an application or operating system, or on traditional network-based IP scanning techniques. That approach doesn't work in the cloud. Users run application stacks on abstracted services and platform-as-a-service layers or leverage API-driven services that render conventional security solutions ineffective. Cloud environments are so fundamentally different from their static on-premises counterparts that they require an entirely new way of administering security practices, and this means adopting new cloud security technologies that provide extreme visibility.

  3. Differentiating real security issues from "noise": Teams working in the cloud benefit from speed and acceleration, but it's important to recognize how their approach to security must be vastly different. Discerning real vulnerabilities from solely infrastructure noise is a major challenge. All this change and noise make a manual inspection of the infrastructure too slow to be effective. The API-centric cloud world requires a new way for defenders to protect their environments, but not all cloud and IT teams really understand these security nuances. Security automation is one way to overcome the knowledge and skills shortfall that exists in every development and IT shop.

  4. Lack of compliance with API-driven cloud security: The emergence of API-driven cloud service suites has changed the way security must be architected, implemented, and managed. While the API is a completely new threat surface that we need to defend, it also provides the ability to automate detection and remediation. As new compliance benchmarks such as the CIS AWS Foundations Benchmark are released, we will have a means to assess our security posture against industry-defined best practices and ensure that we're taking the right steps to keep our customers, employees, infrastructure, and intellectual property secure. Cloud migration is happening quickly, and compliance with rapidly evolving security requirements is an ever-increasing challenge that must be resolved through automation. 

Whether your organization was born in the cloud, is migrating to the public cloud, is building out a private cloud, or has a crazy complex hallucination-inducing hybrid cloud strategy, the cloud is happening, and it's an absolute necessity that we adapt our security practices. No longer is security left to the security guys: we all have a part in creating a holistic, continuous, and rapid security program fit to support the cloud. As Hunter S. Thompson wrote, "Buy the ticket, take the ride."

Related Content:

Tim Prendergast co-founded to help others avoid the pain he endured when helping Adobe adopt the cloud at a massive level.  After years of building, operating, and securing services in Amazon Web Services, he set out to make security approachable and ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
10/4/2016 | 12:39:54 PM
Re: Fear & Loathing In The Cloud
@anna.beh, I have to wonder what you do to make a statement like "obligated to go to cloud"? Give me one good reason to make your manufacturing shop floor dependent on an internet connection to get product labels printed after they make them? Or look up the next thing they need to make? 

And the cloud is more expensive in almost every case, from the rent you pay for everything to the beefed up WAN connections you need to depend on an internet based service. 

Unless you are playing the private cloud card, which is nothing more than fancy name for the virtualization movement that has been going on since the term "cloud" first came out.

I'm thinking your job is heavily vested in some cloud company to make a statement like that. 
User Rank: Apprentice
10/4/2016 | 12:44:18 AM
security for cloud computing
There needs to be development for security in cloud use so that way businesses can stay more secure. It would also be nice to see some of the main vendors offering certifications for cloud security.
User Rank: Ninja
10/3/2016 | 8:05:30 AM
actual purpose
many of us are inclined to believe the Real Purpose of "The Cloud" -- is (1) surveillance; and (2) license enforcement;   iow regulation of digital and network activity;
User Rank: Apprentice
9/30/2016 | 3:19:09 AM
Fear & Loathing In The Cloud
Today it is an obligation for companies to move to the cloud, but is it that security can be guaranteed in the same way? I'm not sure and I understand the fears of the company for the transition to the cloud!
User Rank: Apprentice
9/29/2016 | 11:12:17 AM
Makes me thing of this wonderful sticker :) and statment Cloud, what could go wrong :)

Its these types of thoughts that really make me think about some of the blind followers who simply think going to cloud will solve all of their enterprise problems.

And finding it might be easier only if you think about all the little things, but at the end its not perfect solution always.
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-04-23
Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature.
PUBLISHED: 2019-04-23
cipso_v4_validate in include/net/cipso_ipv4.h in the Linux kernel before 3.11.7, when CONFIG_NETLABEL is disabled, allows attackers to cause a denial of service (infinite loop and crash), as demonstrated by icmpsic, a different vulnerability than CVE-2013-0310.
PUBLISHED: 2019-04-23
A memory leak in archive_read_format_zip_cleanup in archive_read_support_format_zip.c in libarchive through 3.3.3 allows remote attackers to cause a denial of service via a crafted ZIP file because of a HAVE_LZMA_H typo.
PUBLISHED: 2019-04-22
A vulnerability was discovered wherein a specially crafted URL could enable reflected XSS via JavaScript in the pony mail interface.
PUBLISHED: 2019-04-22
An issue was discovered in the Medha WiFi FTP Server application 1.8.3 for Android. An attacker can read the username/password of a valid user via /data/data/com.medhaapps.wififtpserver/shared_prefs/com.medhaapps.wififtpserver_preferences.xml