The security fallout from the sprint to set up employees' home offices in the COVID-19 pandemic wasn't just about vulnerable endpoints and home networks: Even more worrisome was the rushed adoption of cloud-based technologies as physical offices and security operations centers went dark and home offices lit up.
Hybrid physical and cloud-based IT infrastructure is now a reality in many organizations, and it is altering the enterprise landscape for 2021 and beyond, thanks to COVID-19 prompting organizations to shift to a work-from-home model practically overnight.
Organizations already had been struggling to manage and properly secure their physical IT infrastructures, which had expanded with mobile and Internet of Things devices and risked exposing corporate data.
Now add cloud services to the mix – such as AWS S3 data storage, Salesforce, Slack, ServiceNow, and others – and the potential for blind spots and vulnerable devices multiplies. The infamous wave of leaky AWS S3 storage bucket incidents that began in 2017 and continues today was just a hint of what's to come, given how easy it is to inadvertently mess up cloud security.
The core challenge is visibility and control of what connects to the corporate network, and the cloud has exacerbated an already murky and difficult task. Most reputable cloud-based services do come with built-in security controls, but under the shared-responsibility model it's still up to the customer to manage and configure those settings, and that's often the problem. According to Gartner, 99% of cloud security failures through 2025 will be the customer's fault, and those configuration mistakes are what lead to leaked and compromised sensitive data.
Several startups and technologies are emerging to attempt to address the visibility and management problem. DisruptOps, for example, is the brainchild of Securosis principals Rich Mogull, Mike Rothman, and Adrian Lane. Spun out of a project built by the veteran security consultants, it recently raised $9 million in Series A funding less than two years after its fall 2018 launch. The cloud-based service provides what the founders call "guardrails" that automatically assess and enforce security policies in a cloud infrastructure, including catching configuration mishaps.
Last month, security-as-a-service startup JupiterOne emerged from stealth with $19 million in Series A funding. Its service automatically discovers and keeps an up-to-date inventory of an organization's physical and virtual devices and assets, including cloud-native services.
Identifying and managing the security of cloud-native services and assets traditionally has been a time-consuming, manual job. Assigning engineers the task of manually taking inventory and maintaining all of an organization's assets is costly as well, notes Will Gregorian, CISO of wealth management service Addepar.
"You're always [just] catching up to the asset management program," he says.
Addepar recently swapped out its governance, risk management, and compliance (GRC) tool for JupiterOne's service. Gregorian says his firm now can run queries across its AWS S3 buckets to ensure they're properly locked down and not exposed on the public Internet, and to check the policies assigned to each storage bucket.
"You can see who has access to what bucket," for example, he says, as well as identify access keys that are no longer needed and can be retired.
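The two checks Gregorian describes, a bucket that is reachable from the public Internet and an active access key nobody uses any more, are straightforward to express in code. The following is an added example, not code from the article, Addepar or JupiterOne: it runs the checks offline over constructed sample records shaped like the responses of the AWS S3 `GetPublicAccessBlock` and `GetBucketPolicy` calls and the IAM `GetAccessKeyLastUsed` call. The bucket names, account ID, access key IDs and 90-day threshold are all assumptions made for the example.

```python
"""Added example (not from the article): offline S3 exposure and stale-key checks.

Record shapes mirror boto3 responses (s3.get_public_access_block, s3.get_bucket_policy,
iam.get_access_key_last_used); all sample data below is constructed for the example.
"""
import json
from datetime import datetime, timedelta, timezone


def _principal_is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (optionally in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_grants_public_access(policy_doc: dict) -> bool:
    """Simplified check: an Allow statement with an anonymous principal and no Condition.

    A Condition (e.g. aws:SourceVpce) may still restrict access, so conditioned
    statements are not called public here; NotPrincipal and Deny are not modelled.
    """
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement need not be wrapped in a list
        statements = [statements]
    return any(
        s.get("Effect") == "Allow"
        and _principal_is_anonymous(s.get("Principal"))
        and not s.get("Condition")
        for s in statements
    )


PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def public_access_block_complete(config: dict) -> bool:
    """All four Block Public Access flags must be on; a missing flag counts as off."""
    return all(config.get(flag, False) for flag in PAB_FLAGS)


def assess_bucket(bucket: dict) -> list:
    """Return human-readable findings for one bucket record (empty list = locked down)."""
    findings = []
    if not public_access_block_complete(bucket.get("PublicAccessBlockConfiguration", {})):
        findings.append("public access block not fully enabled")
    policy = bucket.get("Policy")  # absent when GetBucketPolicy raised NoSuchBucketPolicy
    if policy and policy_grants_public_access(json.loads(policy)):
        findings.append("bucket policy allows anonymous access")
    return findings


def stale_access_keys(keys: list, now: datetime, max_age_days: int = 90) -> list:
    """Active keys unused for more than max_age_days; never-used keys age from creation."""
    cutoff = now - timedelta(days=max_age_days)
    return [
        k["AccessKeyId"]
        for k in keys
        if k["Status"] == "Active" and (k.get("LastUsedDate") or k["CreateDate"]) < cutoff
    ]


# --- constructed sample data (assumed names/IDs, not real resources) ---
SAMPLE_BUCKETS = [
    {
        "Name": "finance-reports",
        "PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True),
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/Reporting"},
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-reports/*"}]}),
    },
    {
        "Name": "marketing-assets",
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                           "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{
            "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject", "Resource": "arn:aws:s3:::marketing-assets/*"}]}),
    },
]

NOW = datetime(2020, 12, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIA0000000000EXAMPLE", "UserName": "deploy-bot", "Status": "Active",
     "CreateDate": NOW - timedelta(days=400), "LastUsedDate": NOW - timedelta(days=2)},
    {"AccessKeyId": "AKIA1111111111EXAMPLE", "UserName": "former-contractor", "Status": "Active",
     "CreateDate": NOW - timedelta(days=300), "LastUsedDate": NOW - timedelta(days=200)},
    {"AccessKeyId": "AKIA2222222222EXAMPLE", "UserName": "new-hire", "Status": "Active",
     "CreateDate": NOW - timedelta(days=10), "LastUsedDate": None},
    {"AccessKeyId": "AKIA3333333333EXAMPLE", "UserName": "old-inactive", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=500), "LastUsedDate": None},
]


def report(buckets=SAMPLE_BUCKETS, keys=SAMPLE_KEYS, now=NOW) -> dict:
    """Findings keyed by bucket name, plus the list of stale key IDs to retire."""
    return {"buckets": {b["Name"]: assess_bucket(b) for b in buckets},
            "stale_keys": stale_access_keys(keys, now)}


if __name__ == "__main__":
    print(json.dumps(report(), indent=2))
```

Against live accounts the same functions would be fed by `boto3` calls (`s3.get_public_access_block`, `s3.get_bucket_policy`, `iam.list_access_keys` plus `iam.get_access_key_last_used`). The local policy evaluator is deliberately conservative and simplified; for an authoritative verdict on whether a policy is public, ask AWS itself via `s3.get_bucket_policy_status`, which returns an `IsPublic` flag, and treat the code above as a triage pass rather than the final word.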
Misconfiguration of software-as-a-service (SaaS) or cloud-native applications is common and mainly due to human error and the fact that it's nearly impossible to manually keep up with all of the potential settings and connections offered in these services. According to a new survey from AppOmni, nearly 60% of organizations today manually audit their cloud-based applications for security and compliance. In addition, just 31% run automated tools to manage SaaS configuration and security, while 10% have no process for it whatsoever.
"Security teams are often so busy being reactive with ransomware, needing to patch, and hardening the perimeter" that managing SaaS configuration is often left up to the lines of business, which rely on IT to manually configure and administer the apps, notes Brendan O'Connor, CEO of AppOmni, which offers a service that manages the security of SaaS applications, including APIs and configuration settings.
Often security teams don't even have login access to Salesforce.com or other applications used in an organization, he notes. That can lead to misconfiguration of security controls in ServiceNow, Slack, and other cloud-based applications, O'Connor says.
"Visibility is the core challenge," he says, and security teams typically don't have the bandwidth to fully master all of the details of these apps or the way API connections with SaaS applications all work both internally and externally.
Massive SaaS applications such as Salesforce and ServiceNow have "hundreds of knobs and switches" to learn, he says. AppOmni's service regularly finds users with unnecessary and overly permissioned access to these apps, he says, and it's mostly due to configuration mistakes or oversight rather than malicious activity.
Even so, an account left exposed to the public Internet is ripe for abuse, especially with cybercriminals regularly scanning for vulnerable systems sitting out there.
Kurt John, chief cybersecurity officer at Siemens USA, says many organizations went from mapping out a gradual cloud rollout to an instant adoption in the pandemic that upended their plans.
"With this accelerated move ... they obviously need to prioritize business operations, and a lot of times that happens at the detriment of security," he says.
That's why organizations need to invest in sufficient cloud asset management and configuration management, notes Richard Stiennon, founder of IT-Harvest. Stiennon says there likely will be waves of data breach disclosures in 2021 in the wake of COVID-19-related phishing attacks this year.
"I'm worried next year is going to be all about breaches again," Stiennon says.
And given that some 96% of organizations worldwide plan to relocate sensitive data to the cloud in the next two years, according to a new study by Trustwave, breaches could get even uglier if organizations don't properly manage and secure their cloud services.
Meantime, the rapid cloud adoption amid COVID-19 is accelerating new technologies to help manage these new hybrid infrastructures: the next big thing for getting the cloud under control could be a more useful AI model. Keith Neilson, technical evangelist for cloud governance vendor CloudSphere, says in 2021, AI will evolve from just detecting anomalies, as most of its iterations do today, to actually alerting security teams about credible threats.