Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
3/1/2018
09:00 AM
Raymond Pompon
Raymond Pompon
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

Journey to the Cloud: Overcoming Security Risks

Lessons learned from a global consultancy's 10-year transition from on-premises to 99% cloud-based infrastructure.

Let me share with you the story of a large, multinational technology consultancy's migration from on-premises to 99% cloud-delivery infrastructure and applications. The transition began a decade ago with an email upgrade. The firm found it difficult to expand their physical server room so it moved to a cloud-based e-mail application. It took some work to find the right vendor and the right solution but, in the end, the company saved money, and soon added cloud-based CRM as well.

Because the consultancy was also growing crazy fast, officials needed to quickly add capacity. Soon they looked to the cloud for every new upgrade and app rollout. Their first true cloud environment was nailed up via an IPsec VPN to an early cloud player in the infrastructure-as-a-service (IaaS) business. They put a virtual Active Directory server up in the cloud to manage authentication, authorization, and accounting (AAA), and things just took off.  As this grew, they found they could deploy databases, web servers, applications—whatever the consultancy needed. The capacity was there with many of the security tools they were familiar with already.

One of the consultancy’s biggest security concerns was uptime, which they solved by finding a strong cloud vendor. Disaster recovery (DR) and business continuity are always big challenges, especially for a globally-dispersed and fast-growing organization like they had become. The trick was to make sure their cloud providers could match their requirements. This meant taking a lot of time to review contracts and service level agreements (SLAs) at the outset, and then holding the providers’ feet to the fire when promises did not match reality.

SLAs and Access
Management understood that a bad cloud provider could negatively impact uptime if the providers' expectations are different from their own. For example, most organizations know how good or bad their own DR capability is, but for a cloud provider, it can be a mystery. Also, some interesting problems can creep through the cracks in ways you don’t expect. Having short outages of just several minutes randomly throughout the workday can be worse than one big long outage. This is especially true for non-real-time services like email, where you might not notice when messages aren’t getting delivered. However, some cloud provider SLAs are written to cover longer outages rather than the short ones, so it's important to read carefully. This is especially true with platform-as-service (PaaS) cloud providers who are serving a single application and the vendor is more a niche (and therefore smaller and possibly weaker) player.

For the consultancy, managing access to their cloud was also a challenge, especially since they employed a mix of consultants and developers. Many people needed a wide range of access capabilities, and many needed full access to their own boxes. For this they turned to role-based access control to ensure people got what they needed on only the systems they needed and nothing else. Luckily, powerful security tools are available to do this. As needed, the consultancy can require multi-factor authentication (MFA) at the beginning of a session and then turn that around into single sign-on to ease access throughout the user workflow. This was especially helpful for those with elevated access as they could strongly authenticate them right off the bat.

Detection & Monitoring
As for detective and monitoring security tools, most large IaaS vendors provide virtual networking capability, which the consultancy tapped for packet capture and analysis. PaaS vendors are used differently, but most provided detailed audit logs on user logins and actions which they needed for audit purposes. Some large IaaS vendors also provided additional monitoring alarms to help with pesky things like developers accidently dropping authentication credentials into public code repositories.

One major challenge for the consultancy was dealing with different cloud environments. Some cloud vendors who have multiple offerings can have different knobs and gauges for their varying services. The consultancy’s security operations team would learn how to lock down and monitor something in one service area, only to find that things worked much differently in another.

Then there are the frequent upgrades within the service, which can change the look of a console or add new features. Even within the same cloud provider, it can be like managing security for different applications and environments. This can lead to complexity and security blind spots. It gets even more difficult when there is a mixture of different cloud vendors. To this day, there are likely additional security capabilities that the consultancy hasn’t taken advantage of yet because they haven’t had the time to learn them. To help with this, it’s best to ensure that someone on the enterprise security team attends cloud provider training sessions and conferences.

Compliance: The Last Big Challenge
Commonly, most cloud providers certify their platform up to a certain level and then from there, you need to deal with additional risk and compliance requirements. Cloud providers don't cover it all. That boundary and the accompanying responsibility is sometimes misunderstood by newcomers or executives. All things being equal, a non-technical person will just assume because XYZ Cloud has passed a particular audit, they think they’re done with security and they can rest. That’s almost never the case.

Overall, the consultancy’s journey to the cloud has been a game-changer. The lessons they learned made them a better and more valuable organization for their customers. And their security program has grown stronger.

Get the latest application threat intelligence from F5 Labs.

 

Raymond Pompon is a Principal Threat Researcher Evangelist with F5 labs. With over 20 years of experience in Internet security, he has worked closely with Federal law enforcement in cyber-crime investigations. He has recently written IT Security Risk Control Management: An ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Inside a SamSam Ransomware Attack
Ajit Sancheti, CEO and Co-Founder, Preempt,  6/20/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
F5 makes apps go-faster, smarter, and safer. With solutions for the cloud and the data center, F5 technology provides unparalleled visibility and control, allowing customers to secure their users, applications, and data. For more information, visit www.f5.com.
Featured Writers
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12716
PUBLISHED: 2018-06-25
The API service on Google Home and Chromecast devices before mid-July 2018 does not prevent DNS rebinding attacks from reading the scan_results JSON data, which allows remote attackers to determine the physical location of most web browsers by leveraging the presence of one of these devices on its l...
CVE-2018-12705
PUBLISHED: 2018-06-24
DIGISOL DG-BR4000NG devices have XSS via the SSID (it is validated only on the client side).
CVE-2018-12706
PUBLISHED: 2018-06-24
DIGISOL DG-BR4000NG devices have a Buffer Overflow via a long Authorization HTTP header.
CVE-2018-12714
PUBLISHED: 2018-06-24
An issue was discovered in the Linux kernel through 4.17.2. The filter parsing in kernel/trace/trace_events_filter.c could be called with no filter, which is an N=0 case when it expected at least one line to have been read, thus making the N-1 index invalid. This allows attackers to cause a denial o...
CVE-2018-12713
PUBLISHED: 2018-06-24
GIMP through 2.10.2 makes g_get_tmp_dir calls to establish temporary filenames, which may result in a filename that already exists, as demonstrated by the gimp_write_and_read_file function in app/tests/test-xcf.c. This might be leveraged by attackers to overwrite files or read file content that was ...