2/6/2018
05:50 PM

Security vs. Speed: The Risk of Rushing to the Cloud

Companies overlook critical security steps as they move to adopt the latest cloud applications and services.

Businesses deploying cloud-based applications and services often overlook critical security steps as they scramble to keep up with the latest technology, and the rush is putting them at risk.

"There's a lot of customers who have this cloud-first mandate," says JK Lialias, senior director of cloud access at Forcepoint. "They've been told, 'thou shalt move to the cloud as much infrastructure as you possibly can.'"

A lot of pressure is on line-of-business employees to adopt cloud applications and infrastructure, he continues. IT departments are essential in delivering these services and often neglect to understand how on-premises data and processes translate to the cloud.

"What's happening in the move to the cloud has happened in the tech industry from the beginning," says Michael Landewe, Avanan co-founder and VP of business development. "People move to new tech based on new features and capabilities. Security always follows."

The gap between moving to the cloud and implementing strong security has shrunk as new technologies accelerate the process, he explains. However, most companies are still followers and don't take all the necessary steps, sacrificing security in the process.

Never Assume You're Secure

There's a lot of assumption when it comes to cloud responsibility. "Some businesses think the whole security issue is something you put into the provider's realm," says Jim Reavis, CEO of the Cloud Security Alliance. "The cloud provider may have security services and capabilities, which you can order as an extra, but a lot of responsibilities shift to the cloud."

Cloud providers typically own the hardware, network, host operator, and virtual machines, says Dan Hubbard, senior security architect at Lacework. The customer owns everything above that: operating systems, containers, applications, and all of the related access controls.

"This is where things get a little muddy from a corporate perspective," he explains. Most companies have parameters in traditional data centers, and their core principles and rules don't apply in the public cloud.

Landewe points to the shared responsibility model, which reminds companies they must secure data they move to the cloud. Many businesses, especially those with small IT departments, hand responsibility for data access and security to cloud providers. The service-level agreement from most vendors explains where customers are responsible for their data.

"You need to have an honest conversation with the vendor and ask, 'where does your security responsibility end and where does mine begin?'" he explains. The owner of the data still has to be entirely responsible for that information.

Skipped Steps and Dangerous Consequences

"It's one of those things where the speed sometimes impedes overall understanding and education," says Lialias of the transition to cloud. "This is one of the areas where it needs to be balanced."

Hubbard puts companies into two categories: cloud natives, which were founded in the cloud and don't need to migrate, and larger businesses with traditional data centers. The latter group is navigating the transition to public cloud and overlooking critical steps in the process.

Proper account configuration is key here. Last year's series of Amazon Web Services (AWS) leaks affecting major organizations, from Viacom to the Republican National Committee, demonstrated a broad oversight of basic cloud configuration steps. It's an easy and dangerous misstep.

"From what we have seen and what we know about these, they have all come down to client-based issues; mistakes they've made," says Reavis. AWS has strong security, but most people don't know how to properly configure their access so that data is secured. If they're making these configuration errors in AWS, they're likely making them in other services, he adds.

Cloud credentials must also be secured, Hubbard emphasizes. Attackers frequently steal login data for platforms like AWS and Azure, and abuse the power of the cloud on behalf of customers to mine cryptocurrency, send spam, and launch distributed denial-of-service attacks.

"If someone gets access to those, they can impersonate you in your portion of the cloud," he says. "You need to manage access to the machines … who logs into machines, from where, and what do they do when they log in."

Admins should adopt two-factor authentication and lock access so administrative accounts can only log in from certain IP addresses. Uneducated admins can do a lot of damage very quickly, says Reavis, adding that phishing and credential-based attacks will be common going forward. There should be closer scrutiny on how admin accounts are hardened.
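
The hardening described above, expressed for AWS IAM as an added example that is not part of the original article: an offline check that flags full-access Allow statements lacking an MFA requirement or a bounded source IP range. The two policies are constructed samples; `aws:MultiFactorAuthPresent` and `aws:SourceIp` are IAM global condition keys, and only Allow statements are examined.

```python
import ipaddress

# Constructed sample policies in AWS IAM JSON policy form (not from the article).
WEAK_ADMIN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}
HARDENED_ADMIN = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            # 203.0.113.0/24 is a documentation range standing in for an office network.
            "IpAddress": {"aws:SourceIp": ["203.0.113.0/24"]},
        },
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _cond_values(stmt, operator, key):
    """Values given for one condition key (IAM key names are case-insensitive)."""
    block = stmt.get("Condition", {}).get(operator, {})
    return [v for k, vals in block.items() if k.lower() == key for v in _as_list(vals)]

def audit_admin_policy(policy):
    """Return (statement index, finding) pairs for Allow statements that grant
    every action without requiring MFA and a bounded source IP range."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Action", [])):
            continue
        mfa = _cond_values(stmt, "Bool", "aws:multifactorauthpresent")
        if [str(v).lower() for v in mfa] != ["true"]:
            findings.append((i, "admin access does not require MFA"))
        cidrs = _cond_values(stmt, "IpAddress", "aws:sourceip")
        if not cidrs:
            findings.append((i, "admin access is not restricted by source IP"))
        for cidr in cidrs:
            # A /0 range "restricts" logins to every address on the internet.
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append((i, f"source IP range {cidr} allows any address"))
    return findings

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_ADMIN), ("hardened", HARDENED_ADMIN)):
        print(name, audit_admin_policy(pol))
```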

"Once someone has access to your account, they do everything in their power to maintain that control," says Landewe. Administrators aren't the only ones at risk, he notes. Many attackers target low-level employees and, once they're in, use that access to target high-level workers.

Do Your Due Diligence

The average enterprise has about 1,000 software-as-a-service applications in use, says Lialias. They probably know about 600 of them, and there might be 30 that could potentially be very high risk. Businesses know they house both sanctioned and unsanctioned applications. It's up to them to understand what's out there and assume control over the software that employees use.

"The key for moving to the cloud is doing due diligence," he explains. "They swipe a card and click a button, and they forget their due diligence."

While mistakes can and will happen, businesses can stay one step ahead by ensuring accounts are properly configured, credentials are secured, and they have visibility into the applications being used and people using them. Being able to see and control data is essential.

Experts "hope" to see a slowdown in incidents like AWS bucket leaks and see companies marry caution with speed. However, many will need a wake-up call before adopting best practices.

"We're going to see more of the same in organizations needing to make a mistake to learn that they need to take this seriously," says Reavis. He advises businesses to look to educational programs from major cloud providers, the Cloud Security Alliance, and (ISC)², which all have cloud security courses.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Comments
aumickmanuela,
User Rank: Apprentice
2/7/2018 | 9:56:31 AM
Not safe
Yeah, I can totally agree with your tips, you are right) Cloud is not safe at all
nosmo_king,
User Rank: Strategist
2/7/2018 | 10:06:26 AM
Understanding the kill chain is a key part of due diligence
When selecting a SaaS provider it amazes me how infrequently someone thinks to ask the provider who supplies their platform, their infrastructure and their support services.

It is not very often that a second-tier or lower SaaS provider houses their own servers, does their own maintenance and backups, or provides their own customer support.

These are usually spread out to multiple providers, and understanding who they are and who provides service to them must be a part of security due diligence. You have to know where your data is going to end up and who will have what level of access to it.

While the initial supplier may do and say all the right things in regard to security and privacy, it is necessary to go through the whole chain of suppliers to determine the complete truth.
nosmo_king,
User Rank: Strategist
2/7/2018 | 10:14:59 AM
Re: Not safe
I am sorry you feel that way, I know it can be overwhelming at times and I have felt that pain.

It is possible to use cloud services safely, when thought and care are woven into the decision-making process from the very start, not least of all determining what services and data are eligible to be shipped to the cloud and which must stay within the enterprise.

If the course of technology has taught us anything it is that over a shortish period of time the market will consolidate into fewer potential suppliers and the less than spectacular ones will go out of business relatively quickly.

Don't throw the metaphoric baby out with the bathwater just yet.
BrianN060,
User Rank: Strategist
2/7/2018 | 7:34:27 PM
Re: Not safe
As with all optimization choices, it depends on your priorities.  For many use-cases, the hybrid-cloud model provides the best balance of security vs. cost tradeoffs.  As other commenters have mentioned, the physical location of the public-cloud assets can have important security implications.  Most important is which of your organization's data assets you trust to the public-cloud, and which do you keep within your own perimeter.  Start there; then evaluate public-cloud vendors/services. 
Alsec,
User Rank: Apprentice
2/9/2018 | 6:20:26 AM
Re: Not safe
Thumbs up. I totally agree.
REISEN1955,
User Rank: Ninja
2/14/2018 | 1:37:11 PM
Re: Not safe
Woz - our great ancient savant from Apple - stated flat out that there is no security in the cloud. That said, the cloud is - at most base - just a longer RJ-45 or optic cable from your endpoint to another server somewhere in the world hosted by god knows who. The cloud has to reside on something somewhere and adding layers of exposure on top of your own protection increases risk many times over. Not to add too that another set of human hands on a distant keyboard working with your data as an unknown too.

No safety in the cloud - it is a snake oil pitch worthy of W.C. Fields