Dark Reading is part of the Informa Tech Division of Informa PLC

Need for 'Guardrails' in Cloud-Native Applications Intensifies

With more organizations shifting to cloud services in the pandemic, experts say the traditionally manual process of securing them will be replaced by automated tools in 2021 and beyond.

The security fallout from the sprint to set up employees' home offices in the COVID-19 pandemic wasn't just about vulnerable endpoints and home networks: Even more worrisome was the rushed adoption of cloud-based technologies as physical offices and security operations centers went dark and home offices lit up.

The hybrid physical and cloud-based IT infrastructure is now a reality in many organizations: COVID-19 prompted a shift to a work-from-home model practically overnight, altering the enterprise landscape for 2021 and beyond.

Organizations already had been struggling to manage and properly secure their physical IT infrastructures, which had expanded with mobile and Internet of Things devices and risked exposing corporate data.

Now add cloud services to the mix – such as AWS S3 data storage, Salesforce, Slack, ServiceNow, and others – and the potential for blind spots and vulnerable devices multiplies. The infamous wave of leaky AWS S3 storage bucket incidents that began in 2017 and continues today was just a hint of what's to come, given how easy it is to inadvertently mess up cloud security.

The core challenge is visibility and control of what connects to the corporate network, and the cloud has exacerbated an already murky and difficult task. Most reputable cloud-based services actually come with built-in security controls, but it's still up to the customer to manage and configure those settings, and that's often the problem. According to Gartner, 99% of cloud security mishaps through 2025 will be at the hands of the customer. And that will likely lead to leaking and compromise of sensitive data.

Several startups and technologies are emerging to attempt to address the visibility and management problem. DisruptOps, for example, the brainchild of Securosis principals Rich Mogull, Mike Rothman, and Adrian Lane, spun out of a project built by the veteran security consultants and recently raised $9 million in Series A funding less than two years after its fall 2018 launch. The cloud-based service provides what the founders call "guardrails" that automatically assess and enforce security policies in a cloud infrastructure – including configuration mishaps.

Last month, security-as-a-service startup JupiterOne emerged from stealth with $19 million in Series A funding. Its service automatically finds and keeps updated online physical and virtual devices and assets in an organization, including cloud-native services.

Identifying and managing the security of cloud-native services and assets traditionally has been a time-consuming, manual job. Assigning engineers the task of manually taking inventory and maintaining all of an organization's assets is costly as well, notes Will Gregorian, CISO of wealth management service Addepar.

"You're always [just] catching up to the asset management program," he says.

Addepar recently swapped out its governance, risk management, and compliance (GRC) tool for JupiterOne's service. Gregorian says his firm now can run queries across the S3 buckets in its AWS accounts to ensure they're properly locked down and not exposed on the public Internet, and inspect the policies assigned to a storage bucket.

"You can see who has access to what bucket," for example, he says, as well as identify access keys that are no longer needed and can be retired.
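The kind of "guardrail" query described above (is a bucket reachable from the public Internet, who is granted access to it, which access keys are dead weight) can be expressed as a few checks over the bucket's policy, ACL and Block Public Access settings plus IAM key-usage metadata. The following is an added example for this article, not DisruptOps' or JupiterOne's code; the bucket and key records are hand-constructed dicts shaped like the boto3 responses for get_bucket_policy, get_bucket_acl, get_public_access_block, list_access_keys and get_access_key_last_used, so it runs offline, and the bucket names, account ID and key IDs are made up.

```python
"""Guardrail checks for S3 exposure and stale IAM access keys (added example, not vendor code).
Input records are constructed dicts shaped like the corresponding boto3 responses
(get_bucket_policy, get_bucket_acl, get_public_access_block, list_access_keys,
get_access_key_last_used) so the checks run offline against sample data."""
import json
from datetime import datetime, timedelta, timezone

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_principal(principal):
    """Principal "*" or {"AWS": "*"} means anyone, anonymous callers included."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def policy_findings(policy_json):
    """Allow statements open to any principal: unconditional ones make the bucket
    public, conditioned ones (e.g. aws:SourceIp) are flagged for human review."""
    findings = []
    if not policy_json:
        return findings
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        tag = "limited by Condition (review)" if stmt.get("Condition") else "(PUBLIC)"
        findings.append(f"policy grants {actions} to any principal {tag}")
    return findings


def acl_findings(acl):
    """Legacy ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTH_USERS):
            who = "anyone" if uri == ALL_USERS else "any AWS account"
            findings.append(f"ACL grants {grant['Permission']} to {who} (PUBLIC)")
    return findings


def block_public_access_on(pab):
    """All four Block Public Access flags must be true to override a public policy/ACL."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(flag) is True for flag in PAB_FLAGS)


def evaluate_bucket(bucket):
    """Exposure findings for one bucket, noting when Block Public Access mitigates them."""
    exposures = policy_findings(bucket.get("Policy")) + acl_findings(bucket.get("Acl", {}))
    mitigated = block_public_access_on(bucket.get("PublicAccessBlock"))
    suffix = " but mitigated by Block Public Access" if mitigated else ""
    return [f"{bucket['Name']}: {finding}{suffix}" for finding in exposures]


def retirable_access_keys(keys, now, unused_days=90):
    """Active keys with no use within unused_days (never-used keys count from creation)."""
    cutoff = now - timedelta(days=unused_days)
    return [k["AccessKeyId"] for k in keys
            if k["Status"] == "Active" and (k.get("LastUsedDate") or k["CreateDate"]) < cutoff]


# --- constructed sample inventory: fictitious buckets, account ID and key IDs ---
OWNER_ONLY = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
PAB_ALL_ON = {"PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS}}
SAMPLE_BUCKETS = [
    {"Name": "marketing-site-assets", "Acl": OWNER_ONLY, "PublicAccessBlock": None,
     "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
                           "Action": "s3:GetObject", "Resource": "arn:aws:s3:::marketing-site-assets/*"}]})},
    {"Name": "finance-exports", "Policy": None, "PublicAccessBlock": PAB_ALL_ON,
     "Acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}},
    {"Name": "customer-backups", "Acl": OWNER_ONLY, "PublicAccessBlock": None,
     "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
                           "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::customer-backups/*"}]})},
]
NOW = datetime(2020, 11, 3, tzinfo=timezone.utc)  # fixed "now" so results are reproducible
SAMPLE_KEYS = [
    {"UserName": "ci-deploy", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=400), "LastUsedDate": NOW - timedelta(days=1)},
    {"UserName": "ex-contractor", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=300), "LastUsedDate": NOW - timedelta(days=200)},
    {"UserName": "svc-report", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Active",
     "CreateDate": NOW - timedelta(days=120), "LastUsedDate": None},
    {"UserName": "svc-report", "AccessKeyId": "AKIAEXAMPLE000000004", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=500), "LastUsedDate": None},
]


def run_checks(buckets=SAMPLE_BUCKETS, keys=SAMPLE_KEYS, now=NOW):
    """Return (bucket exposure findings, access keys to retire) for an inventory."""
    return [f for b in buckets for f in evaluate_bucket(b)], retirable_access_keys(keys, now)


if __name__ == "__main__":
    bucket_findings, stale_keys = run_checks()
    print("\n".join(bucket_findings) or "no exposed buckets")
    print("retire:", stale_keys)
```

Two design points worth noting. The policy check treats a wildcard principal with a Condition as "review" rather than "public", because a condition such as aws:SourceIp may or may not be restrictive enough; a human still has to look. And Block Public Access is evaluated as a mitigating control rather than a reason to skip the bucket, so the underlying misconfiguration is still reported and can be cleaned up before someone turns the account-level setting off.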

Misconfiguration of software-as-a-service (SaaS) or cloud-native applications is common and mainly due to human error and the fact that it's nearly impossible to manually keep up with all of the potential settings and connections offered in these services. According to a new survey from AppOmni, nearly 60% of organizations today manually audit their cloud-based applications for security and compliance. In addition, just 31% run automated tools to manage SaaS configuration and security, while 10% have no process for it whatsoever.

"Security teams are often so busy being reactive with ransomware, needing to patch, and hardening the perimeter" that managing SaaS configuration is often left up to the lines of business, which rely on IT to manually configure and administer the apps, notes Brendan O'Connor, CEO of AppOmni, which offers a service that manages the security of SaaS applications, including APIs and configuration settings.

Often security teams don't even have login access to Salesforce.com or other applications used in an organization, he notes. That can lead to misconfiguration of security controls in ServiceNow, Slack, and other cloud-based applications, O'Connor says.

"Visibility is the core challenge," he says, and security teams typically don't have the bandwidth to fully master all of the details of these apps or the way API connections with SaaS applications all work both internally and externally.

Massive SaaS applications such as Salesforce and ServiceNow have "hundreds of knobs and switches" to learn, he says. AppOmni's service regularly finds users with unnecessary and overly permissioned access to these apps, he says, and it's mostly due to configuration mistakes or oversight rather than malicious activity.

Even so, an account left exposed to the public Internet is ripe for abuse, especially with cybercriminals regularly scanning for vulnerable systems sitting out there.

Kurt John, chief cybersecurity officer at Siemens USA, says many organizations went from mapping out a gradual cloud rollout to an instant adoption in the pandemic that upended their plans.

"With this accelerated move ... they obviously need to prioritize business operations, and a lot of times that happens at the detriment of security," he says.

That's why organizations need to invest in sufficient cloud asset management and configuration management, notes Richard Stiennon, founder of IT-Harvest. Stiennon says there likely will be waves of data breach disclosures in 2021 in the wake of COVID-19-related phishing attacks this year.

"I'm worried next year is going to be all about breaches again," Stiennon says.

And given that some 96% of organizations worldwide plan to relocate sensitive data to the cloud in the next two years, according to a new study by Trustwave, breaches could get even uglier if organizations don't properly manage and secure their cloud services.

Meantime, the rapid cloud adoption amid COVID-19 is accelerating new technologies to help manage these new hybrid infrastructures: the next big thing for getting the cloud under control could be a more useful AI model. Keith Neilson, technical evangelist for cloud governance vendor CloudSphere, says in 2021, AI will evolve from just detecting anomalies, as most of its iterations do today, to actually alerting security teams about credible threats.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Author
11/3/2020 | 9:57:09 AM
Very true. There are a few Cloud Security Posture Management (CSPM) tools that automate checks on your cloud security settings.