Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

9/25/2018
02:30 PM
Andrew Williams
Andrew Williams
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

The Cloud Security Conundrum: Assets vs. Infrastructure

The issue for cloud adopters is no longer where your data sits in AWS, on-premises, Azure, Salesforce, or what have you. The important questions are: Who has access to it, and how is it protected?

Cloud adoption is becoming more a matter of when, not if, for most major enterprises. McAfee estimates that 97% of organizations use some form of cloud services today, with the unstated supposition that more plan on transitioning a portion of their remaining on-premises IT assets to cloud infrastructure or analogous cloud services over the next few years.

Recent headlines have highlighted many examples of what many security experts have been concerned about for some time — the cyber-risk impact of moving data, assets, and infrastructure to cloud services, and the increased threat profile that is supposed to follow hand in hand. In one recent study, HyTrust found that the highest-priority concern for most IT executives when considering cloud adoption and cloud migration was cybersecurity — how to protect data, assets, and infrastructure when their organization no longer controls the entire technology stack underneath.

Although there are risks associated with cloud services that aren't present in a traditional on-premises IT environment (virtualization and cloud tenant isolation, shared network endpoints, third-party trust, etc.), and some traditional risks are amplified (insider threat, lack of cryptographic protections, session authenticity concerns, etc.), by and large it seems that if we peel back the layers on these recent headlines we see many of the of the stories bear a consistent underlying theme. In many cases, data exposures were attributable to improperly configured, user-controlled cloud assets and user-defined security controls, and not risks associated with the underlying cloud infrastructure or cloud service.

As Gartner predicted in a 2016 cloud security research report, "through 2020, 95% of cloud security failures will be the customer's fault." If coupled with McAfee's finding that one in four organizations already has experienced a data theft that affected its presence in the public cloud, it becomes imperative that cloud adopters and cloud users prioritize secure configuration and implementation of those aspects of the cloud they can control. Otherwise, they become yet another statistic.

If many cloud security breaches can be attributed to some form of user error, how can cloud adopters take charge of their own cloud security in order to reap the benefits of scale, efficiency, and flexibility afforded by cloud solutions? Many industry observers point to these five recommendations when discussing cybersecurity in the cloud:

  • Move to DevOps or DevSecOps operating models for software development and cloud environment operation
  • Automate security and configuration tooling to accommodate the dynamic nature of cloud environments
  • Utilize continuous security and compliance monitoring tools to verify the cloud environment's security state
  • Heavy use of cryptographic technologies to verify authenticity, chain of trust
  • Appropriate obfuscation of data in transmission and at rest

What many of these recommendations fail to appreciate, however, is that organizations must undergo an even more fundamental shift in their security thinking when operating in the cloud. It is common knowledge that organizations lose control of some part of their IT security model when they lose control over the underlying IT assets as part of their move to the cloud. But many organizations still fail to appreciate that moving to the cloud abstracts the idea of asset ownership and control entirely — not just for the data, assets, and infrastructure migrated to the cloud but also for their internal organization.

This obviously does not mean that organizations no longer should prioritize physical and logical control and asset management for on-premises IT infrastructure. Rather, they should anchor their security strategy to something other than asset control = security, and focus on the data. While this seems self-apparent, it is incredible to me how many cloud adopters fail to appreciate the implications of this shift in thinking. No longer is the question whether my assets are sitting in Amazon Web Services, on-premises, in Azure, in Salesforce, or what have you. The question instead is: How is my data secured?

Because cloud adoption — both "major application" migrations to infrastructure-as-a-service providers and on-premises application replacement with SaaS solutions — provides so many different avenues for data to leave an organization, the practice of defining a security boundary (the traditional first step to security management) becomes unfeasible, incomplete, and potentially inaccurate very quickly, especially as cloud adoption trends continue within an organization and the number and complexity of cloud deployments multiply.

Focusing instead on the data the organization cares about as opposed to just the assets and infrastructure in place to support that data permits an organization to transition to a cloud security model just as effectively — if not more so — than traditional security models that predominantly focus on asset management as part of a security boundary definition. Focusing on the data — where it sits, who has access to it, and how it is otherwise protected — allows organizations to more easily prioritize security spending in the cloud, triage third-party dependencies that may not directly handle data but could affect the security posture of the data, and accurately manage responses to cybersecurity risks that pop up in the brave new world that is "the cloud."

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Andrew Williams is the Director of Program Development at Coalfire. In this role, he is responsible for working closely with Coalfire customers, industry bodies and regulatory authorities, and internal stakeholders to ensure Coalfire's services, delivery, and talent are ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19010
PUBLISHED: 2019-11-16
Eval injection in the Math plugin of Limnoria (before 2019.11.09) and Supybot (through 2018-05-09) allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and icalc IRC commands.
CVE-2019-16761
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the [email protected] npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. All versions >1.0...
CVE-2019-16762
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any...
CVE-2019-13581
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A heap-based buffer overflow allows remote attackers to cause a denial of service or execute arbitrary ...
CVE-2019-13582
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A stack overflow could lead to denial of service or arbitrary code execution.