Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

9/25/2018
02:30 PM
Andrew Williams
Andrew Williams
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

The Cloud Security Conundrum: Assets vs. Infrastructure

The issue for cloud adopters is no longer where your data sits in AWS, on-premises, Azure, Salesforce, or what have you. The important questions are: Who has access to it, and how is it protected?

Cloud adoption is becoming more a matter of when, not if, for most major enterprises. McAfee estimates that 97% of organizations use some form of cloud services today, with the unstated supposition that more plan on transitioning a portion of their remaining on-premises IT assets to cloud infrastructure or analogous cloud services over the next few years.

Recent headlines have highlighted many examples of what many security experts have been concerned about for some time — the cyber-risk impact of moving data, assets, and infrastructure to cloud services, and the increased threat profile that is supposed to follow hand in hand. In one recent study, HyTrust found that the highest-priority concern for most IT executives when considering cloud adoption and cloud migration was cybersecurity — how to protect data, assets, and infrastructure when their organization no longer controls the entire technology stack underneath.

Although there are risks associated with cloud services that aren't present in a traditional on-premises IT environment (virtualization and cloud tenant isolation, shared network endpoints, third-party trust, etc.), and some traditional risks are amplified (insider threat, lack of cryptographic protections, session authenticity concerns, etc.), by and large it seems that if we peel back the layers on these recent headlines we see many of the of the stories bear a consistent underlying theme. In many cases, data exposures were attributable to improperly configured, user-controlled cloud assets and user-defined security controls, and not risks associated with the underlying cloud infrastructure or cloud service.

As Gartner predicted in a 2016 cloud security research report, "through 2020, 95% of cloud security failures will be the customer's fault." If coupled with McAfee's finding that one in four organizations already has experienced a data theft that affected its presence in the public cloud, it becomes imperative that cloud adopters and cloud users prioritize secure configuration and implementation of those aspects of the cloud they can control. Otherwise, they become yet another statistic.

If many cloud security breaches can be attributed to some form of user error, how can cloud adopters take charge of their own cloud security in order to reap the benefits of scale, efficiency, and flexibility afforded by cloud solutions? Many industry observers point to these five recommendations when discussing cybersecurity in the cloud:

  • Move to DevOps or DevSecOps operating models for software development and cloud environment operation
  • Automate security and configuration tooling to accommodate the dynamic nature of cloud environments
  • Utilize continuous security and compliance monitoring tools to verify the cloud environment's security state
  • Heavy use of cryptographic technologies to verify authenticity, chain of trust
  • Appropriate obfuscation of data in transmission and at rest

What many of these recommendations fail to appreciate, however, is that organizations must undergo an even more fundamental shift in their security thinking when operating in the cloud. It is common knowledge that organizations lose control of some part of their IT security model when they lose control over the underlying IT assets as part of their move to the cloud. But many organizations still fail to appreciate that moving to the cloud abstracts the idea of asset ownership and control entirely — not just for the data, assets, and infrastructure migrated to the cloud but also for their internal organization.

This obviously does not mean that organizations no longer should prioritize physical and logical control and asset management for on-premises IT infrastructure. Rather, they should anchor their security strategy to something other than asset control = security, and focus on the data. While this seems self-apparent, it is incredible to me how many cloud adopters fail to appreciate the implications of this shift in thinking. No longer is the question whether my assets are sitting in Amazon Web Services, on-premises, in Azure, in Salesforce, or what have you. The question instead is: How is my data secured?

Because cloud adoption — both "major application" migrations to infrastructure-as-a-service providers and on-premises application replacement with SaaS solutions — provides so many different avenues for data to leave an organization, the practice of defining a security boundary (the traditional first step to security management) becomes unfeasible, incomplete, and potentially inaccurate very quickly, especially as cloud adoption trends continue within an organization and the number and complexity of cloud deployments multiply.

Focusing instead on the data the organization cares about as opposed to just the assets and infrastructure in place to support that data permits an organization to transition to a cloud security model just as effectively — if not more so — than traditional security models that predominantly focus on asset management as part of a security boundary definition. Focusing on the data — where it sits, who has access to it, and how it is otherwise protected — allows organizations to more easily prioritize security spending in the cloud, triage third-party dependencies that may not directly handle data but could affect the security posture of the data, and accurately manage responses to cybersecurity risks that pop up in the brave new world that is "the cloud."

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Andrew Williams is the Director of Program Development at Coalfire. In this role, he is responsible for working closely with Coalfire customers, industry bodies and regulatory authorities, and internal stakeholders to ensure Coalfire's services, delivery, and talent are ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20527
PUBLISHED: 2021-04-19
IBM Resilient SOAR V38.0 could allow a privileged user to create create malicious scripts that could be executed as another user. IBM X-Force ID: 198759.
CVE-2021-27028
PUBLISHED: 2021-04-19
A Memory Corruption Vulnerability in Autodesk FBX Review version 1.4.0 may lead to remote code execution through maliciously crafted DLL files.
CVE-2021-27029
PUBLISHED: 2021-04-19
The user may be tricked into opening a malicious FBX file which may exploit a Null Pointer Dereference vulnerability in FBX's Review causing the application to crash leading to a denial of service.
CVE-2021-27030
PUBLISHED: 2021-04-19
A user may be tricked into opening a malicious FBX file which may exploit a Directory Traversal Remote Code Execution vulnerability in FBX’s Review causing it to run arbitrary code on the system.
CVE-2021-27031
PUBLISHED: 2021-04-19
A user may be tricked into opening a malicious FBX file which may exploit a use-after-free vulnerability in FBX's Review causing the application to reference a memory location controlled by an unauthorized third party, thereby running arbitrary code on the system.