Cloud

2/6/2018
05:50 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Security vs. Speed: The Risk of Rushing to the Cloud

Companies overlook critical security steps as they move to adopt the latest cloud applications and services.

Businesses deploying cloud-based applications and services often overlook critical security steps as they scramble to keep up with the latest technology, and the rush is putting them at risk.

"There's a lot of customers who have this cloud-first mandate," says JK Lialias, senior director of cloud access at Forcepoint. "They've been told, 'thou shalt move to the cloud as much infrastructure as you possibly can.'"

A lot of pressure is on line-of-business employees to adopt cloud applications and infrastructure, he continues. IT departments are essential in delivering these services and often neglect to understand how on-premises data and processes translate to the cloud.

"What's happening in the move to the cloud has happened in the tech industry from the beginning," says Michael Landewe, Avanan co-founder and VP of business development. "People move to new tech based on new features and capabilities. Security always follows."

The gap between moving to the cloud and implementing strong security has shrunk as new technologies accelerate the process, he explains. However, most companies are still followers and don't take all the necessary steps, sacrificing security in the process.

Never Assume You're Secure
There's a lot of assumption when it comes to cloud responsibility. "Some businesses think the whole security issue is something you put into the provider's realm," says Jim Reavis, CEO of the Cloud Security Alliance. "The cloud provider may have security services and capabilities, which you can order as an extra, but a lot of responsibilities shift to the cloud."

Cloud providers typically own the hardware, network, host operator, and virtual machines, says Dan Hubbard, senior security architect at Lacework. The customer owns everything above that: operating systems, containers, applications, and all of the related access controls.

"This is where things get a little muddy from a corporate perspective," he explains. Most companies have parameters in traditional data centers, and their core principles and rules don't apply in the public cloud.

Landewe points to the shared responsibility model, which reminds companies they must secure data they move to the cloud. Many businesses, especially those with small IT departments, hand responsibility for data access and security to cloud providers. The service-level agreement from most vendors explains where customers are responsible for their data.

"You need to have an honest conversation with the vendor and ask, 'where does your security responsibility end and where does mine begin?'" he explains. The owner of the data still has to be entirely responsible for that information.

Skipped Steps and Dangerous Consequences
"It's one of those things where the speed sometimes impedes overall understanding and education," says Lialias of the transition to cloud. "This is one of the areas where it needs to be balanced."

Hubbard puts companies into two categories: cloud natives, which were founded in the cloud and don't need to migrate, and larger businesses with traditional data centers. The latter group is navigating the transition to public cloud and overlooking critical steps in the process.

Proper account configuration is key here. Last year's series of Amazon Web Services (AWS) leaks affecting major organizations, from Viacom to the Republican National Committee, demonstrated a broad oversight of basic cloud configuration steps. It's an easy and dangerous misstep.

"From what we have seen and what we know about these, they have all come down to client-based issues; mistakes they've made," says Reavis. AWS has strong security but most people don't know to properly configure their access so that data is secured. If they're making these configuration errors in AWS, they're likely making them in other services, he adds.

Cloud credentials must also be secured, Hubbard emphasizes. Attackers frequently steal login data for platforms like AWS and Azure, and abuse the power of the cloud on behalf of customers to mine cryptocurrency, send spam, and distribute distributed denial-of-service attacks.

"If someone gets access to those, they can impersonate you in your portion of the cloud," he says. "You need to manage access to the machines … who logs into machines, from where, and what do they do when they log in."

Admins should adopt two-factor authentication and lock access so administrative accounts can only log in from certain IP addresses. Uneducated admins can do a lot of damage very quickly, says Reavis, who says phishing and credential-based attacks will be common going forward. There should be closer scrutiny on how admin accounts are hardened.

"Once someone has access to your account, they do everything in their power to maintain that control," says Landewe. Administrators aren't the only ones at risk, he notes. Many attackers target low-level employees and, once they're in, use that access to target high-level workers.

Do Your Due Diligence
The average enterprise has about 1,000 software-as-a-service applications in use, says Lialias. They probably know about 600 of them, and there might be 30 that could potentially be very high risk. Businesses know they house both sanctioned and unsanctioned applications. It's up to them to understand what's out there and assume control over the software that employees use.

"The key for moving to the cloud is doing due diligence," he explains. "They swipe a card and click a button, and they forget their due diligence."

While mistakes can and will happen, businesses can stay one step ahead by ensuring accounts are properly configured, credentials are secured, and they have visibility into the applications being used and people using them. Being able to see and control data is essential.

Experts "hope" to see a slowdown in incidents like AWS bucket leaks and see companies marry caution with speed. However, many will need a wake-up call before adopting best practices.

"We're going to see more of the same in organizations needing to make a mistake to learn that they need to take this seriously," says Reavis. He advises businesses to look to educational programs from major cloud providers, the Cloud Security Alliance, and (ISC)², which all have cloud security courses.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
2/14/2018 | 1:37:11 PM
Re: Not safe
Woz - our great ancient savant from Apple - stated flat out that there is no security in the cloud.  That said, the cloud is - at most base - just a longer RJ-45 or optic cable from your endpooint to another server somewhere in the world hosted by god knows who.  The cloud has to reside on something somewhere and adding layers of exposure on top of your own protection increases risk many times over.   Not to add too that another set of human hands on a distant keyboard working with your data as an unknown too.

No safety in the cloud - it is a snake oil pitch worthy of W.C. Fields
Alsec
50%
50%
Alsec,
User Rank: Apprentice
2/9/2018 | 6:20:26 AM
Re: Not safe
Thumbs up. I totally agree.
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
2/7/2018 | 7:34:27 PM
Re: Not safe
As with all optimization choices, it depends on your priorities.  For many use-cases, the hybrid-cloud model provides the best balance of security vs. cost tradeoffs.  As other commenters have mentioned, the physical location of the public-cloud assets can have important security implications.  Most important is which of your organization's data assets you trust to the public-cloud, and which do you keep within your own perimeter.  Start there; then evaluate public-cloud vendors/services. 
nosmo_king
50%
50%
nosmo_king,
User Rank: Strategist
2/7/2018 | 10:14:59 AM
Re: Not safe
I am sorry you feel that way, I know it can be overwhelming at times and I have felt that pain.

It is possible to use cloud services safely, when thought and care are woven into the decision-making process from the very start, not least of all determining what services and data are eligible to be shipped to the cloud and which must stay within the enterprise.

If the course of technology has taught us anything it is that over a shortish period of time the market will consolidate into fewer potential suppliers and the less than spectacular ones will go out of business relatively quickly.

Don't throw the metaphoric baby out with the bathwater just yet.
nosmo_king
100%
0%
nosmo_king,
User Rank: Strategist
2/7/2018 | 10:06:26 AM
Understanding the kill chain is a key part of due diligence
When selecting a SaaS provider it amazes me how infrequently someone thinks to ask the provider who supplies their platform, their infrstructure and their support services.

It is not very often that a second-tier or lower SaaS provider houses their own servers, does their own maintenance and backups, or provides their own customer support.

These are usually spread out to multiple providers, and understanding who they are and who provides service to them must be a part of security due diligence. You have to know where your data is going to end up and who will have what level of access to it.

While the initial supplier may do and say all the right things in regard to security and privacy, it is necessary to go through the whole chain of suppliers to determine the complete truth.
aumickmanuela
100%
0%
aumickmanuela,
User Rank: Strategist
2/7/2018 | 9:56:31 AM
Not safe
Yeah, i can tottaly agree with your tips, you are right) Cloud is not safe at all 
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
6 Security Trends for 2018/2019
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/15/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10839
PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
CVE-2018-13399
PUBLISHED: 2018-10-16
The Microsoft Windows Installer for Atlassian Fisheye and Crucible before version 4.6.1 allows local attackers to escalate privileges because of weak permissions on the installation directory.
CVE-2018-18381
PUBLISHED: 2018-10-16
Z-BlogPHP 1.5.2.1935 (Zero) has a stored XSS Vulnerability in zb_system/function/c_system_admin.php via the Content-Type header during the uploading of image attachments.
CVE-2018-18382
PUBLISHED: 2018-10-16
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.
CVE-2018-18374
PUBLISHED: 2018-10-16
XSS exists in the MetInfo 6.1.2 admin/index.php page via the anyid parameter.