Cloud

9/25/2018
02:30 PM
Andrew Williams
Andrew Williams
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

The Cloud Security Conundrum: Assets vs. Infrastructure

The issue for cloud adopters is no longer where your data sits in AWS, on-premises, Azure, Salesforce, or what have you. The important questions are: Who has access to it, and how is it protected?

Cloud adoption is becoming more a matter of when, not if, for most major enterprises. McAfee estimates that 97% of organizations use some form of cloud services today, with the unstated supposition that more plan on transitioning a portion of their remaining on-premises IT assets to cloud infrastructure or analogous cloud services over the next few years.

Recent headlines have highlighted many examples of what many security experts have been concerned about for some time — the cyber-risk impact of moving data, assets, and infrastructure to cloud services, and the increased threat profile that is supposed to follow hand in hand. In one recent study, HyTrust found that the highest-priority concern for most IT executives when considering cloud adoption and cloud migration was cybersecurity — how to protect data, assets, and infrastructure when their organization no longer controls the entire technology stack underneath.

Although there are risks associated with cloud services that aren't present in a traditional on-premises IT environment (virtualization and cloud tenant isolation, shared network endpoints, third-party trust, etc.), and some traditional risks are amplified (insider threat, lack of cryptographic protections, session authenticity concerns, etc.), by and large it seems that if we peel back the layers on these recent headlines we see many of the of the stories bear a consistent underlying theme. In many cases, data exposures were attributable to improperly configured, user-controlled cloud assets and user-defined security controls, and not risks associated with the underlying cloud infrastructure or cloud service.

As Gartner predicted in a 2016 cloud security research report, "through 2020, 95% of cloud security failures will be the customer's fault." If coupled with McAfee's finding that one in four organizations already has experienced a data theft that affected its presence in the public cloud, it becomes imperative that cloud adopters and cloud users prioritize secure configuration and implementation of those aspects of the cloud they can control. Otherwise, they become yet another statistic.

If many cloud security breaches can be attributed to some form of user error, how can cloud adopters take charge of their own cloud security in order to reap the benefits of scale, efficiency, and flexibility afforded by cloud solutions? Many industry observers point to these five recommendations when discussing cybersecurity in the cloud:

  • Move to DevOps or DevSecOps operating models for software development and cloud environment operation
  • Automate security and configuration tooling to accommodate the dynamic nature of cloud environments
  • Utilize continuous security and compliance monitoring tools to verify the cloud environment's security state
  • Heavy use of cryptographic technologies to verify authenticity, chain of trust
  • Appropriate obfuscation of data in transmission and at rest

What many of these recommendations fail to appreciate, however, is that organizations must undergo an even more fundamental shift in their security thinking when operating in the cloud. It is common knowledge that organizations lose control of some part of their IT security model when they lose control over the underlying IT assets as part of their move to the cloud. But many organizations still fail to appreciate that moving to the cloud abstracts the idea of asset ownership and control entirely — not just for the data, assets, and infrastructure migrated to the cloud but also for their internal organization.

This obviously does not mean that organizations no longer should prioritize physical and logical control and asset management for on-premises IT infrastructure. Rather, they should anchor their security strategy to something other than asset control = security, and focus on the data. While this seems self-apparent, it is incredible to me how many cloud adopters fail to appreciate the implications of this shift in thinking. No longer is the question whether my assets are sitting in Amazon Web Services, on-premises, in Azure, in Salesforce, or what have you. The question instead is: How is my data secured?

Because cloud adoption — both "major application" migrations to infrastructure-as-a-service providers and on-premises application replacement with SaaS solutions — provides so many different avenues for data to leave an organization, the practice of defining a security boundary (the traditional first step to security management) becomes unfeasible, incomplete, and potentially inaccurate very quickly, especially as cloud adoption trends continue within an organization and the number and complexity of cloud deployments multiply.

Focusing instead on the data the organization cares about as opposed to just the assets and infrastructure in place to support that data permits an organization to transition to a cloud security model just as effectively — if not more so — than traditional security models that predominantly focus on asset management as part of a security boundary definition. Focusing on the data — where it sits, who has access to it, and how it is otherwise protected — allows organizations to more easily prioritize security spending in the cloud, triage third-party dependencies that may not directly handle data but could affect the security posture of the data, and accurately manage responses to cybersecurity risks that pop up in the brave new world that is "the cloud."

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Andrew Williams is the product director for the Cyber Risk Advisory and FedRAMP Assessment Services teams at Coalfire.  As product director, Andrew oversees Coalfire's sales, delivery, and professional development strategy for all advisory and assessment personnel ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Higher Education: 15 Books to Help Cybersecurity Pros Be Better
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
'PowerSnitch' Hacks Androids via Power Banks
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/8/2018
Worst Password Blunders of 2018 Hit Organizations East and West
Curtis Franklin Jr., Senior Editor at Dark Reading,  12/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
10 Best Practices That Could Reshape Your IT Security Department
This Dark Reading Tech Digest, explores ten best practices that could reshape IT security departments.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-1848
PUBLISHED: 2018-12-14
IBM Business Automation Workflow 18.0.0.0 and 18.0.0.1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force...
CVE-2018-1977
PUBLISHED: 2018-12-14
IBM DB2 for Linux, UNIX and Windows 11.1 (includes DB2 Connect Server) contains a denial of service vulnerability. A remote, authenticated DB2 user could exploit this vulnerability by issuing a specially-crafted SELECT statement with TRUNCATE function. IBM X-Force ID: 154032.
CVE-2018-18006
PUBLISHED: 2018-12-14
Hardcoded credentials in the Ricoh myPrint application 2.9.2.4 for Windows and 2.2.7 for Android give access to any externally disclosed myPrint WSDL API, as demonstrated by discovering API secrets of related Google cloud printers, encrypted passwords of mail servers, and names of printed files.
CVE-2018-18984
PUBLISHED: 2018-12-14
Medtronic CareLink 2090 Programmer CareLink 9790 Programmer 29901 Encore Programmer, all versions, The affected products do not encrypt or do not sufficiently encrypt the following sensitive information while at rest PII and PHI.
CVE-2018-19003
PUBLISHED: 2018-12-14
GE Mark VIe, EX2100e, EX2100e_Reg, and LS2100e Versions 03.03.28C to 05.02.04C, EX2100e All versions prior to v04.09.00C, EX2100e_Reg All versions prior to v04.09.00C, and LS2100e All versions prior to v04.09.00C The affected versions of the application have a path traversal vulnerability that fails...