Businesses deploying cloud-based applications and services often overlook critical security steps as they scramble to keep up with the latest technology, and the rush is putting them at risk.
"There's a lot of customers who have this cloud-first mandate," says JK Lialias, senior director of cloud access at Forcepoint. "They've been told, 'thou shalt move to the cloud as much infrastructure as you possibly can.'"
A lot of pressure is on line-of-business employees to adopt cloud applications and infrastructure, he continues. IT departments are essential in delivering these services and often neglect to understand how on-premises data and processes translate to the cloud.
"What's happening in the move to the cloud has happened in the tech industry from the beginning," says Michael Landewe, Avanan co-founder and VP of business development. "People move to new tech based on new features and capabilities. Security always follows."
The gap between moving to the cloud and implementing strong security has shrunk as new technologies accelerate the process, he explains. However, most companies are still followers and don't take all the necessary steps, sacrificing security in the process.
Never Assume You're Secure
There's a lot of assumption when it comes to cloud responsibility. "Some businesses think the whole security issue is something you put into the provider's realm," says Jim Reavis, CEO of the Cloud Security Alliance. "The cloud provider may have security services and capabilities, which you can order as an extra, but a lot of responsibilities shift to the cloud."
Cloud providers typically own the hardware, network, host operator, and virtual machines, says Dan Hubbard, senior security architect at Lacework. The customer owns everything above that: operating systems, containers, applications, and all of the related access controls.
"This is where things get a little muddy from a corporate perspective," he explains. Most companies have parameters in traditional data centers, and their core principles and rules don't apply in the public cloud.
Landewe points to the shared responsibility model, which reminds companies they must secure data they move to the cloud. Many businesses, especially those with small IT departments, hand responsibility for data access and security to cloud providers. The service-level agreement from most vendors explains where customers are responsible for their data.
"You need to have an honest conversation with the vendor and ask, 'where does your security responsibility end and where does mine begin?'" he explains. The owner of the data still has to be entirely responsible for that information.
Skipped Steps and Dangerous Consequences
"It's one of those things where the speed sometimes impedes overall understanding and education," says Lialias of the transition to cloud. "This is one of the areas where it needs to be balanced."
Hubbard puts companies into two categories: cloud natives, which were founded in the cloud and don't need to migrate, and larger businesses with traditional data centers. The latter group is navigating the transition to public cloud and overlooking critical steps in the process.
Proper account configuration is key here. Last year's series of Amazon Web Services (AWS) leaks affecting major organizations, from Viacom to the Republican National Committee, demonstrated a broad oversight of basic cloud configuration steps. It's an easy and dangerous misstep.
"From what we have seen and what we know about these, they have all come down to client-based issues; mistakes they've made," says Reavis. AWS has strong security but most people don't know to properly configure their access so that data is secured. If they're making these configuration errors in AWS, they're likely making them in other services, he adds.
Cloud credentials must also be secured, Hubbard emphasizes. Attackers frequently steal login data for platforms like AWS and Azure, and abuse the power of the cloud on behalf of customers to mine cryptocurrency, send spam, and distribute distributed denial-of-service attacks.
"If someone gets access to those, they can impersonate you in your portion of the cloud," he says. "You need to manage access to the machines … who logs into machines, from where, and what do they do when they log in."
Admins should adopt two-factor authentication and lock access so administrative accounts can only log in from certain IP addresses. Uneducated admins can do a lot of damage very quickly, says Reavis, who says phishing and credential-based attacks will be common going forward. There should be closer scrutiny on how admin accounts are hardened.
"Once someone has access to your account, they do everything in their power to maintain that control," says Landewe. Administrators aren't the only ones at risk, he notes. Many attackers target low-level employees and, once they're in, use that access to target high-level workers.
Do Your Due Diligence
The average enterprise has about 1,000 software-as-a-service applications in use, says Lialias. They probably know about 600 of them, and there might be 30 that could potentially be very high risk. Businesses know they house both sanctioned and unsanctioned applications. It's up to them to understand what's out there and assume control over the software that employees use.
"The key for moving to the cloud is doing due diligence," he explains. "They swipe a card and click a button, and they forget their due diligence."
While mistakes can and will happen, businesses can stay one step ahead by ensuring accounts are properly configured, credentials are secured, and they have visibility into the applications being used and people using them. Being able to see and control data is essential.
Experts "hope" to see a slowdown in incidents like AWS bucket leaks and see companies marry caution with speed. However, many will need a wake-up call before adopting best practices.
"We're going to see more of the same in organizations needing to make a mistake to learn that they need to take this seriously," says Reavis. He advises businesses to look to educational programs from major cloud providers, the Cloud Security Alliance, and (ISC)², which all have cloud security courses.