Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


05:50 PM
Connect Directly

Security vs. Speed: The Risk of Rushing to the Cloud

Companies overlook critical security steps as they move to adopt the latest cloud applications and services.

Businesses deploying cloud-based applications and services often overlook critical security steps as they scramble to keep up with the latest technology, and the rush is putting them at risk.

"There's a lot of customers who have this cloud-first mandate," says JK Lialias, senior director of cloud access at Forcepoint. "They've been told, 'thou shalt move to the cloud as much infrastructure as you possibly can.'"

A lot of pressure is on line-of-business employees to adopt cloud applications and infrastructure, he continues. IT departments are essential in delivering these services and often neglect to understand how on-premises data and processes translate to the cloud.

"What's happening in the move to the cloud has happened in the tech industry from the beginning," says Michael Landewe, Avanan co-founder and VP of business development. "People move to new tech based on new features and capabilities. Security always follows."

The gap between moving to the cloud and implementing strong security has shrunk as new technologies accelerate the process, he explains. However, most companies are still followers and don't take all the necessary steps, sacrificing security in the process.

Never Assume You're Secure
There's a lot of assumption when it comes to cloud responsibility. "Some businesses think the whole security issue is something you put into the provider's realm," says Jim Reavis, CEO of the Cloud Security Alliance. "The cloud provider may have security services and capabilities, which you can order as an extra, but a lot of responsibilities shift to the cloud."

Cloud providers typically own the hardware, network, host operator, and virtual machines, says Dan Hubbard, senior security architect at Lacework. The customer owns everything above that: operating systems, containers, applications, and all of the related access controls.

"This is where things get a little muddy from a corporate perspective," he explains. Most companies have parameters in traditional data centers, and their core principles and rules don't apply in the public cloud.

Landewe points to the shared responsibility model, which reminds companies they must secure data they move to the cloud. Many businesses, especially those with small IT departments, hand responsibility for data access and security to cloud providers. The service-level agreement from most vendors explains where customers are responsible for their data.

"You need to have an honest conversation with the vendor and ask, 'where does your security responsibility end and where does mine begin?'" he explains. The owner of the data still has to be entirely responsible for that information.

Skipped Steps and Dangerous Consequences
"It's one of those things where the speed sometimes impedes overall understanding and education," says Lialias of the transition to cloud. "This is one of the areas where it needs to be balanced."

Hubbard puts companies into two categories: cloud natives, which were founded in the cloud and don't need to migrate, and larger businesses with traditional data centers. The latter group is navigating the transition to public cloud and overlooking critical steps in the process.

Proper account configuration is key here. Last year's series of Amazon Web Services (AWS) leaks affecting major organizations, from Viacom to the Republican National Committee, demonstrated a broad oversight of basic cloud configuration steps. It's an easy and dangerous misstep.

"From what we have seen and what we know about these, they have all come down to client-based issues; mistakes they've made," says Reavis. AWS has strong security but most people don't know to properly configure their access so that data is secured. If they're making these configuration errors in AWS, they're likely making them in other services, he adds.

Cloud credentials must also be secured, Hubbard emphasizes. Attackers frequently steal login data for platforms like AWS and Azure, and abuse the power of the cloud on behalf of customers to mine cryptocurrency, send spam, and distribute distributed denial-of-service attacks.

"If someone gets access to those, they can impersonate you in your portion of the cloud," he says. "You need to manage access to the machines … who logs into machines, from where, and what do they do when they log in."

Admins should adopt two-factor authentication and lock access so administrative accounts can only log in from certain IP addresses. Uneducated admins can do a lot of damage very quickly, says Reavis, who says phishing and credential-based attacks will be common going forward. There should be closer scrutiny on how admin accounts are hardened.

"Once someone has access to your account, they do everything in their power to maintain that control," says Landewe. Administrators aren't the only ones at risk, he notes. Many attackers target low-level employees and, once they're in, use that access to target high-level workers.

Do Your Due Diligence
The average enterprise has about 1,000 software-as-a-service applications in use, says Lialias. They probably know about 600 of them, and there might be 30 that could potentially be very high risk. Businesses know they house both sanctioned and unsanctioned applications. It's up to them to understand what's out there and assume control over the software that employees use.

"The key for moving to the cloud is doing due diligence," he explains. "They swipe a card and click a button, and they forget their due diligence."

While mistakes can and will happen, businesses can stay one step ahead by ensuring accounts are properly configured, credentials are secured, and they have visibility into the applications being used and people using them. Being able to see and control data is essential.

Experts "hope" to see a slowdown in incidents like AWS bucket leaks and see companies marry caution with speed. However, many will need a wake-up call before adopting best practices.

"We're going to see more of the same in organizations needing to make a mistake to learn that they need to take this seriously," says Reavis. He advises businesses to look to educational programs from major cloud providers, the Cloud Security Alliance, and (ISC)², which all have cloud security courses.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
2/14/2018 | 1:37:11 PM
Re: Not safe
Woz - our great ancient savant from Apple - stated flat out that there is no security in the cloud.  That said, the cloud is - at most base - just a longer RJ-45 or optic cable from your endpooint to another server somewhere in the world hosted by god knows who.  The cloud has to reside on something somewhere and adding layers of exposure on top of your own protection increases risk many times over.   Not to add too that another set of human hands on a distant keyboard working with your data as an unknown too.

No safety in the cloud - it is a snake oil pitch worthy of W.C. Fields
User Rank: Apprentice
2/9/2018 | 6:20:26 AM
Re: Not safe
Thumbs up. I totally agree.
User Rank: Ninja
2/7/2018 | 7:34:27 PM
Re: Not safe
As with all optimization choices, it depends on your priorities.  For many use-cases, the hybrid-cloud model provides the best balance of security vs. cost tradeoffs.  As other commenters have mentioned, the physical location of the public-cloud assets can have important security implications.  Most important is which of your organization's data assets you trust to the public-cloud, and which do you keep within your own perimeter.  Start there; then evaluate public-cloud vendors/services. 
User Rank: Strategist
2/7/2018 | 10:14:59 AM
Re: Not safe
I am sorry you feel that way, I know it can be overwhelming at times and I have felt that pain.

It is possible to use cloud services safely, when thought and care are woven into the decision-making process from the very start, not least of all determining what services and data are eligible to be shipped to the cloud and which must stay within the enterprise.

If the course of technology has taught us anything it is that over a shortish period of time the market will consolidate into fewer potential suppliers and the less than spectacular ones will go out of business relatively quickly.

Don't throw the metaphoric baby out with the bathwater just yet.
User Rank: Strategist
2/7/2018 | 10:06:26 AM
Understanding the kill chain is a key part of due diligence
When selecting a SaaS provider it amazes me how infrequently someone thinks to ask the provider who supplies their platform, their infrstructure and their support services.

It is not very often that a second-tier or lower SaaS provider houses their own servers, does their own maintenance and backups, or provides their own customer support.

These are usually spread out to multiple providers, and understanding who they are and who provides service to them must be a part of security due diligence. You have to know where your data is going to end up and who will have what level of access to it.

While the initial supplier may do and say all the right things in regard to security and privacy, it is necessary to go through the whole chain of suppliers to determine the complete truth.
User Rank: Strategist
2/7/2018 | 9:56:31 AM
Not safe
Yeah, i can tottaly agree with your tips, you are right) Cloud is not safe at all 
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google Maps is taking "interactive" to a whole new level!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-17
A heap based buffer overflow vulneraibility exists in GNU LibreDWG 0.10 via bit_calc_CRC ../../src/bits.c:2213.
PUBLISHED: 2021-05-17
A heap based buffer overflow vulnerability exists in GNU LibreDWG 0.10 via read_2004_compressed_section ../../src/decode.c:2417.
PUBLISHED: 2021-05-17
A heap based buffer overflow vulnerability exits in GNU LibreDWG 0.10 via: read_2004_section_classes ../../src/decode.c:2440.
PUBLISHED: 2021-05-17
A null pointer deference issue exists in GNU LibreDWG 0.10 via get_bmp ../../programs/dwgbmp.c:164.
PUBLISHED: 2021-05-17
A null pointer deference issue exists in GNU LibreDWG 0.10 via read_2004_compressed_section ../../src/decode.c:2337.