The Cloud Security Conundrum: Assets vs. Infrastructure The issue for cloud adopters is no longer where your data sits in AWS, on-premises, Azure, Salesforce, or what have you. The important questions are: Who has access to it, and how is it protected?
Cloud adoption is becoming more a matter of when, not if, for most major enterprises. McAfee estimates that 97% of organizations use some form of cloud services today, with the unstated supposition that more plan on transitioning a portion of their remaining on-premises IT assets to cloud infrastructure or analogous cloud services over the next few years.
Recent headlines have highlighted many examples of what many security experts have been concerned about for some time — the cyber-risk impact of moving data, assets, and infrastructure to cloud services, and the increased threat profile that is supposed to follow hand in hand. In one recent study, HyTrust found that the highest-priority concern for most IT executives when considering cloud adoption and cloud migration was cybersecurity — how to protect data, assets, and infrastructure when their organization no longer controls the entire technology stack underneath.
Although there are risks associated with cloud services that aren't present in a traditional on-premises IT environment (virtualization and cloud tenant isolation, shared network endpoints, third-party trust, etc.), and some traditional risks are amplified (insider threat, lack of cryptographic protections, session authenticity concerns, etc.), by and large it seems that if we peel back the layers on these recent headlines we see many of the of the stories bear a consistent underlying theme. In many cases, data exposures were attributable to improperly configured, user-controlled cloud assets and user-defined security controls, and not risks associated with the underlying cloud infrastructure or cloud service.
As Gartner predicted in a 2016 cloud security research report, "through 2020, 95% of cloud security failures will be the customer's fault." If coupled with McAfee's finding that one in four organizations already has experienced a data theft that affected its presence in the public cloud, it becomes imperative that cloud adopters and cloud users prioritize secure configuration and implementation of those aspects of the cloud they can control. Otherwise, they become yet another statistic.
If many cloud security breaches can be attributed to some form of user error, how can cloud adopters take charge of their own cloud security in order to reap the benefits of scale, efficiency, and flexibility afforded by cloud solutions? Many industry observers point to these five recommendations when discussing cybersecurity in the cloud:
- Move to DevOps or DevSecOps operating models for software development and cloud environment operation
- Automate security and configuration tooling to accommodate the dynamic nature of cloud environments
- Utilize continuous security and compliance monitoring tools to verify the cloud environment's security state
- Heavy use of cryptographic technologies to verify authenticity, chain of trust
- Appropriate obfuscation of data in transmission and at rest
What many of these recommendations fail to appreciate, however, is that organizations must undergo an even more fundamental shift in their security thinking when operating in the cloud. It is common knowledge that organizations lose control of some part of their IT security model when they lose control over the underlying IT assets as part of their move to the cloud. But many organizations still fail to appreciate that moving to the cloud abstracts the idea of asset ownership and control entirely — not just for the data, assets, and infrastructure migrated to the cloud but also for their internal organization.
This obviously does not mean that organizations no longer should prioritize physical and logical control and asset management for on-premises IT infrastructure. Rather, they should anchor their security strategy to something other than asset control = security, and focus on the data. While this seems self-apparent, it is incredible to me how many cloud adopters fail to appreciate the implications of this shift in thinking. No longer is the question whether my assets are sitting in Amazon Web Services, on-premises, in Azure, in Salesforce, or what have you. The question instead is: How is my data secured?
Because cloud adoption — both "major application" migrations to infrastructure-as-a-service providers and on-premises application replacement with SaaS solutions — provides so many different avenues for data to leave an organization, the practice of defining a security boundary (the traditional first step to security management) becomes unfeasible, incomplete, and potentially inaccurate very quickly, especially as cloud adoption trends continue within an organization and the number and complexity of cloud deployments multiply.
Focusing instead on the data the organization cares about as opposed to just the assets and infrastructure in place to support that data permits an organization to transition to a cloud security model just as effectively — if not more so — than traditional security models that predominantly focus on asset management as part of a security boundary definition. Focusing on the data — where it sits, who has access to it, and how it is otherwise protected — allows organizations to more easily prioritize security spending in the cloud, triage third-party dependencies that may not directly handle data but could affect the security posture of the data, and accurately manage responses to cybersecurity risks that pop up in the brave new world that is "the cloud."
Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.
Andrew Williams is the product director for the Cyber Risk Advisory and FedRAMP Assessment Services teams at Coalfire. As product director, Andrew oversees Coalfire's sales, delivery, and professional development strategy for all advisory and assessment personnel ... View Full Bio