Cloud

9/25/2018
02:30 PM
Andrew Williams
Andrew Williams
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

The Cloud Security Conundrum: Assets vs. Infrastructure

The issue for cloud adopters is no longer where your data sits in AWS, on-premises, Azure, Salesforce, or what have you. The important questions are: Who has access to it, and how is it protected?

Cloud adoption is becoming more a matter of when, not if, for most major enterprises. McAfee estimates that 97% of organizations use some form of cloud services today, with the unstated supposition that more plan on transitioning a portion of their remaining on-premises IT assets to cloud infrastructure or analogous cloud services over the next few years.

Recent headlines have highlighted many examples of what many security experts have been concerned about for some time — the cyber-risk impact of moving data, assets, and infrastructure to cloud services, and the increased threat profile that is supposed to follow hand in hand. In one recent study, HyTrust found that the highest-priority concern for most IT executives when considering cloud adoption and cloud migration was cybersecurity — how to protect data, assets, and infrastructure when their organization no longer controls the entire technology stack underneath.

Although there are risks associated with cloud services that aren't present in a traditional on-premises IT environment (virtualization and cloud tenant isolation, shared network endpoints, third-party trust, etc.), and some traditional risks are amplified (insider threat, lack of cryptographic protections, session authenticity concerns, etc.), by and large it seems that if we peel back the layers on these recent headlines we see many of the of the stories bear a consistent underlying theme. In many cases, data exposures were attributable to improperly configured, user-controlled cloud assets and user-defined security controls, and not risks associated with the underlying cloud infrastructure or cloud service.

As Gartner predicted in a 2016 cloud security research report, "through 2020, 95% of cloud security failures will be the customer's fault." If coupled with McAfee's finding that one in four organizations already has experienced a data theft that affected its presence in the public cloud, it becomes imperative that cloud adopters and cloud users prioritize secure configuration and implementation of those aspects of the cloud they can control. Otherwise, they become yet another statistic.

If many cloud security breaches can be attributed to some form of user error, how can cloud adopters take charge of their own cloud security in order to reap the benefits of scale, efficiency, and flexibility afforded by cloud solutions? Many industry observers point to these five recommendations when discussing cybersecurity in the cloud:

  • Move to DevOps or DevSecOps operating models for software development and cloud environment operation
  • Automate security and configuration tooling to accommodate the dynamic nature of cloud environments
  • Utilize continuous security and compliance monitoring tools to verify the cloud environment's security state
  • Heavy use of cryptographic technologies to verify authenticity, chain of trust
  • Appropriate obfuscation of data in transmission and at rest

What many of these recommendations fail to appreciate, however, is that organizations must undergo an even more fundamental shift in their security thinking when operating in the cloud. It is common knowledge that organizations lose control of some part of their IT security model when they lose control over the underlying IT assets as part of their move to the cloud. But many organizations still fail to appreciate that moving to the cloud abstracts the idea of asset ownership and control entirely — not just for the data, assets, and infrastructure migrated to the cloud but also for their internal organization.

This obviously does not mean that organizations no longer should prioritize physical and logical control and asset management for on-premises IT infrastructure. Rather, they should anchor their security strategy to something other than asset control = security, and focus on the data. While this seems self-apparent, it is incredible to me how many cloud adopters fail to appreciate the implications of this shift in thinking. No longer is the question whether my assets are sitting in Amazon Web Services, on-premises, in Azure, in Salesforce, or what have you. The question instead is: How is my data secured?

Because cloud adoption — both "major application" migrations to infrastructure-as-a-service providers and on-premises application replacement with SaaS solutions — provides so many different avenues for data to leave an organization, the practice of defining a security boundary (the traditional first step to security management) becomes unfeasible, incomplete, and potentially inaccurate very quickly, especially as cloud adoption trends continue within an organization and the number and complexity of cloud deployments multiply.

Focusing instead on the data the organization cares about as opposed to just the assets and infrastructure in place to support that data permits an organization to transition to a cloud security model just as effectively — if not more so — than traditional security models that predominantly focus on asset management as part of a security boundary definition. Focusing on the data — where it sits, who has access to it, and how it is otherwise protected — allows organizations to more easily prioritize security spending in the cloud, triage third-party dependencies that may not directly handle data but could affect the security posture of the data, and accurately manage responses to cybersecurity risks that pop up in the brave new world that is "the cloud."

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Andrew Williams is the product director for the Cyber Risk Advisory and FedRAMP Assessment Services teams at Coalfire.  As product director, Andrew oversees Coalfire's sales, delivery, and professional development strategy for all advisory and assessment personnel ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6157
PUBLISHED: 2019-04-22
In various firmware versions of Lenovo System x, the integrated management module II (IMM2)'s first failure data capture (FFDC) includes the web server's private key in the generated log file for support.
CVE-2015-1343
PUBLISHED: 2019-04-22
All versions of unity-scope-gdrive logs search terms to syslog.
CVE-2016-1573
PUBLISHED: 2019-04-22
Versions of Unity8 before 8.11+16.04.20160122-0ubuntu1 file plugins/Dash/CardCreator.js will execute any code found in place of a fallback image supplied by a scope.
CVE-2016-1579
PUBLISHED: 2019-04-22
UDM provides support for running commands after a download is completed, this is currently made use of for click package installation. This functionality was not restricted to unconfined applications. Before UDM version 1.2+16.04.20160408-0ubuntu1 any confined application could make use of the UDM C...
CVE-2016-1584
PUBLISHED: 2019-04-22
In all versions of Unity8 a running but not active application on a large-screen device could talk with Maliit and consume keyboard input.