RSA CONFERENCE 2018 – San Francisco – Businesses moving their data and processes to the cloud are worried about the ability to view and secure them, as indicated by trends and announcements at RSA. Visibility and control were two commonly voiced concerns related to cloud security.
In a panel at this year's Cloud Security Alliance (CSA) Summit, a group of security experts discussed the transition process in a panel entitled "Getting to Mission Critical with Cloud."
"Moving to cloud is a business enabler for a couple of different reasons," said Stephen Scharf, CISO of DTCC. "It allows you to go rebuild in a new environment, which some of us never get a chance to do." Many security leaders inherit their own historical infrastructure, he explains, and trying to secure that "is almost impossible."
"I think there's an opportunity with the cloud that we've never been given before," chimed in Jerry Archer, CISO at Sallie Mae. "I think it's a gas pedal for the business."
However, the transition is fraught with challenges, noted Dan Solero, assistant vice president of technology security at AT&T. Many businesses are adopting cloud services and tools before understanding how to secure them. It's their responsibility to understand the risk, create awareness, and collaborate to get ahead of cloud security threats.
Data visibility and control are two primary cloud concerns, said CSA CTO Daniele Catteddu in an interview with Dark Reading. "The need for a more granular view of what's going on in the organization will be necessary," he notes, as businesses connect more devices to the cloud.
Indeed, many IT departments are flying blind in the cloud. In a survey of more than 570 security and IT pros, Bitglass found 78% have visibility into user logins but only 58% have visibility into file downloads, and 56% into file uploads. Less than half (44%) have visibility into external sharing and DLP policy violations, and only 15% can view anomalous behavior across apps.
Top Cloud Concerns
Manuel Nedbal, founder and CTO at ShieldX Networks, pointed to six types of cloud security threats likely to challenge cloud-enabled businesses: "cross-cloud" attacks between the private and public cloud, attacks within the data center, attacks between cloud tenants, cross-workload attacks, orchestration attacks, and serverless attacks.
In describing these threats, Nedbal pointed to a common theme pervading the week's discussions: the perimeter is moving into "unprotected territory" within cloud-based environments, and its new shape can put businesses at risk if the right steps aren't taken. Traditional multi-layer security tools like firewalls and intrusion prevention systems are less effective in protecting against lateral attacks because they can't move into public cloud.
"If you have multilayered security there, you're in pretty good shape in terms of traffic from the outside," he said of traditional defenses. However, if an attacker slips through the cracks, "they have the run of the place." If a threat actor enters the data center, often there is no defense to stop them from accessing sensitive data and resources, an example of a cross-data center attack.
Many organizations think they don't need to buckle down on security if they don't host sensitive data in the cloud; however, attackers commonly use public clouds to enter on-prem environments. Once your business brings workloads to the cloud, your on-prem perimeter extends into the public cloud, exposing on-prem data to attackers. As a result, many businesses adopt a fragmented security approach, which is often complex to maintain and leaves the enterprise exposed to attackers if no lateral defense is in place.
Security Defense: Starting with Basics, Moving to Cloud
"This is a year that we're starting to see more willingness to consider having security services delivered from the cloud than in the past," says Patrick Foxhoven, CIO and vice president of emerging technologies at ZScaler.
The growing adoption of cloud services is making businesses more comfortable with the idea of cloud-based security, he explains. If a company is willing to trust the cloud with their email and other sensitive data, it's less of a stretch to ease them into cloud-based security tools.
However, businesses still need to make sure they have basic security steps in place. David Weston, principal security group manager at Microsoft, points to common attacks he sees in today's threat landscape.
"The stuff we're seeing is the unpatched public-facing services, and misconfiguration," he said in an interview with Dark Reading. "There's also trends in credential targeting, at least rolling credential attacks." In these public cloud attacks, threat actors take the identities of everyone they'd like to target and use one password across all of them.
"By my count, we still don't have a major breach that's been attributed to a flaw in the cloud infrastructure itself," says Misha Govshteyn, senior vice president of products and marketing at Alert Logic. "I'm not aware of any breaches attributed to underlying flaws in their cloud platforms."
"The biggest thing we're still battling is misconfiguration in cloud environments," he continues, adding that businesses have "a tremendous amount of control" over cloud configurability. "Every time we see a data leak or compromise, it's because a customer has failed to do something, as opposed to a cloud provider themselves has failed."
"There should be no reason to miss these flaws," says Govshteyn. "It's all configuration-level issues."
Services Buckle Down on Cloud
Companies this week announced products and services to help secure companies making the move to cloud. Kaspersky announced a hybrid cloud security offering, a management tool that integrates with Amazon Web Services and Microsoft Azure.
Its idea is to recognize businesses may not be fully ready to move to cloud due to poor visibility. The tool combines exploit prevention, vulnerability assessment, and automated patch management, anti-ransomware, and behavior detection into a single system.
A new partnership between FireEye and Oracle will focus on cloud security. FireEye Email Security is now available on the Oracle Cloud Marketplace, and customers can evaluate the email security tool running on Oracle Cloud Infrastructure via the Oracle Jump Start demo lab.
- 7 Steps to a Smooth, Secure Cloud Transition
- 7 Non-Financial Data Types to Secure
- NIST Seeking Comments on New AppSec Practices Standards
- Why We Need Privacy Solutions That Scale Across Borders
Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here. Register with Promo Code DR200 and save $200.