
Perimeter
7/9/2019 02:00 PM
Derrick Johnson
Commentary

Cloud Security and Risk Mitigation

Just because your data isn't on-premises doesn't mean you're not responsible for security.

The cloud certainly offers advantages, but as with any large-scale deployment, the cloud can also offer unforeseen challenges. The concept of the cloud just being "someone else's data center" makes me cringe because it assumes you're relinquishing security responsibility because "someone else will take care of it."

Yes, cloud systems, networks, and applications are not physically located within your control, but security responsibility and risk mitigation are. Cloud infrastructure providers allow a great deal of control in terms of how you set up that environment, what you put there, how you protect your data, and how you monitor that environment. Managing risk throughout that environment and providing alignment with your existing security framework is what's most important. 

Privacy and Risk
With the EU's General Data Protection Regulation and similar policies in some US states (Arizona, Colorado, California, and others), organizations face increased requirements when protecting data in the cloud. And the solution isn't as simple as deploying data loss prevention software in a data center because the data center has become fragmented. You now have a bunch of services, systems, and infrastructures that aren't owned by you but still require visibility and control.

Cloud services and infrastructures that share or exchange information also become difficult to manage: Who owns the service-level agreements? Is there a single pane of glass that monitors everything? DevOps has forced corporations to go as far as implementing microsegmentation and adjusting processes around firewall rule change management. Furthermore, serverless computing has provided organizations with a way to cut costs and speed productivity by allowing developers to run code without having to worry about infrastructures and platforms. Without a handle on virtual private clouds and workload deployments, however, things can spin out of control and you start to see data leaking from one environment just as you've achieved a comfortable level of security in another.

Mitigation
Several steps can be taken to help mitigate risk to an organization's data in the cloud.

1. Design to align. First, align your cloud environment with cybersecurity frameworks. Often, organizations move to the cloud so rapidly that the security controls historically applied to their on-premises data centers don't migrate effectively to the cloud. Furthermore, an organization may relax the security microscope on software-as-a-service (SaaS) applications such as Salesforce or Office 365. But even with these legitimate business applications, data may end up being leaked if you don't have the right visibility and control. Aligning cloud provider technology with cybersecurity frameworks and business operating procedures provides for a highly secure, more productive implementation of a cloud platform, giving better results and a successful deployment.

2. Make yourself at home. Cloud systems and networks should be treated the way you treat your LAN and data center. Amazon's Shared Responsibility Model, for example, outlines where Amazon's security responsibility ends and your security responsibility begins. While threats at the compute layer exist — as we've seen with Meltdown, Foreshadow, and Spectre — recent cloud data breaches have shown a breakdown in an organization's security responsibility area, namely operating system security, data encryption, and access control. If your organization has standards that govern the configuration of servers, vulnerability management, patching, identity and access management, encryption, segmentation, firewall rules, application development, and monitoring, see to it that those standards are applied to cloud services and are audited regularly.
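The "audited regularly" part of that advice is where most organizations fall short, because a standard that lives in a document is never compared against what is actually deployed. As an added illustration (example code written for this page, not the author's or any cloud provider's), the Python below audits a constructed, provider-neutral resource inventory against a few of the controls listed above: encryption at rest, public exposure, access logging, patch age, vulnerability-scan enrollment, and administration ports open to the internet. The inventory shape, the control names and the 30-day patching threshold are assumptions chosen for the demonstration; a real check would read the provider's own API output and the organization's own thresholds.

```python
"""Check a cloud resource inventory against an organization's baseline standards.

Added example (not from the article). The inventory is a constructed,
provider-neutral JSON shape; the control names and thresholds are
placeholders for whatever an organization's own standards say.
"""
import json
from dataclasses import dataclass
from datetime import date

# Constructed sample inventory: a storage bucket, a VM and a firewall rule set.
INVENTORY_JSON = """
[
  {"id": "bucket-finance", "type": "storage",
   "encryption_at_rest": false, "public_access": true, "access_logging": false},
  {"id": "vm-web-01", "type": "vm",
   "last_patched": "2019-03-01", "vulnerability_scan_enabled": false},
  {"id": "sg-web", "type": "firewall",
   "ingress": [
     {"cidr": "0.0.0.0/0", "port": 443},
     {"cidr": "0.0.0.0/0", "port": 22},
     {"cidr": "10.0.0.0/8", "port": 3389}
   ]}
]
"""

ADMIN_PORTS = {22, 3389}        # remote-administration ports
MAX_PATCH_AGE_DAYS = 30         # placeholder patching SLA
ANYWHERE = "0.0.0.0/0"


@dataclass(frozen=True)
class Finding:
    resource_id: str
    control: str
    detail: str


def audit_storage(res):
    """Data-at-rest encryption, no public exposure, access logging on."""
    f = []
    if not res.get("encryption_at_rest"):
        f.append(Finding(res["id"], "encryption", "encryption at rest disabled"))
    if res.get("public_access"):
        f.append(Finding(res["id"], "access-control", "bucket is publicly accessible"))
    if not res.get("access_logging"):
        f.append(Finding(res["id"], "monitoring", "access logging disabled"))
    return f


def audit_vm(res, today):
    """Patch currency and vulnerability scanning coverage."""
    f = []
    age = (today - date.fromisoformat(res["last_patched"])).days
    if age > MAX_PATCH_AGE_DAYS:
        f.append(Finding(res["id"], "patching", f"last patched {age} days ago"))
    if not res.get("vulnerability_scan_enabled"):
        f.append(Finding(res["id"], "vuln-management", "not enrolled in vulnerability scanning"))
    return f


def audit_firewall(res):
    """No administration ports open to the whole internet."""
    f = []
    for rule in res.get("ingress", []):
        if rule["cidr"] == ANYWHERE and rule["port"] in ADMIN_PORTS:
            f.append(Finding(res["id"], "firewall", f"port {rule['port']} open to {ANYWHERE}"))
    return f


# Dispatch table from resource type to the checks that apply to it.
AUDITORS = {"storage": lambda r, today: audit_storage(r),
            "vm": audit_vm,
            "firewall": lambda r, today: audit_firewall(r)}


def audit_inventory(inventory, today):
    """Run every applicable check and return all findings."""
    findings = []
    for res in inventory:
        auditor = AUDITORS.get(res["type"])
        if auditor:
            findings.extend(auditor(res, today))
    return findings


def run_audit(today=date(2019, 7, 9)):
    """Audit the constructed inventory; the date matches the article's publication day."""
    return audit_inventory(json.loads(INVENTORY_JSON), today)


if __name__ == "__main__":
    for finding in run_audit():
        print(f"{finding.resource_id:14} {finding.control:16} {finding.detail}")
```

Run on a schedule against a fresh inventory export, the findings list is the audit trail the article calls for: each entry names the resource, the control it violates and why, so the same standard that governs the on-premises estate is demonstrably enforced in the cloud account.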

3. Stop the "sneaking out at night." Not too long ago, you would see organizations struggle with employees who set up unsecured wireless access points in an attempt to gain flexibility and efficiency. Fast forward to today — wireless controllers providing rogue detection and intrusion prevention system capabilities have helped rein in that activity. With the cloud, employees are setting up cloud storage accounts, serverless computing environments, and virtual private networks as needed to circumvent cumbersome change control procedures, cut costs, and gain similar flexibility and efficiency. By rearchitecting legacy networks, readjusting decades-old processes and procedures, implementing cloud proxy or cloud access security broker (CASB) technology, and coupling that with strong endpoint security controls and an effective awareness campaign, an organization can provide that level of flexibility and efficiency but still provide for data protection.

4. Keep a close watch. The cybersecurity operations center (CSOC) should no longer be concerned with just the local network and data centers. The operational monitoring procedures, threat hunting, intelligence, and incident response that the CSOC uses also apply to cloud environments where the organization's data resides. Monitoring SaaS applications where corporate data may reside is challenging but can be done using effective endpoint security coupled with the monitoring of cloud access solutions (CASB, proxy, and others). For a serverless environment, depending on your CSOC requirements, this may mean the application of third-party monitoring platforms or solutions beyond what cloud providers offer. In all cases, event logging and triggers need to feed back to the CSOC to be correlated with local event data, analytics, and threat intelligence.
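What "feed back to the CSOC to be correlated" looks like in practice is the part the step leaves implicit. The Python below is an added example (written for this page, not the author's or any vendor's tooling) that normalizes constructed cloud control-plane audit events and constructed on-premises logon records onto one schema, then applies two correlations of the kind the paragraph describes: a cloud event whose source address appears in a threat-intelligence list, and a sensitive control-plane action by an account with no recent successful local logon. The log layouts, user names, addresses, the 15-minute window and the list of sensitive actions are all assumptions for the demonstration.

```python
"""Correlate cloud audit events with local logon data and threat intel.

Added example (not from the article). The log formats, user names, IPs
and the sensitive-action list are all constructed for illustration.
"""
import json
import re
from datetime import datetime, timedelta

# Constructed cloud control-plane audit events (JSON lines).
CLOUD_EVENTS = """\
{"time": "2019-07-09T14:02:11Z", "actor": "alice@example.com", "action": "CreateBucket", "source_ip": "203.0.113.7"}
{"time": "2019-07-09T14:05:00Z", "actor": "bob@example.com", "action": "PutBucketPolicy", "source_ip": "198.51.100.23"}
{"time": "2019-07-09T14:10:30Z", "actor": "carol@example.com", "action": "DescribeInstances", "source_ip": "10.1.2.9"}
{"time": "2019-07-09T14:12:00Z", "actor": "svc-deploy@example.com", "action": "DeleteTrail", "source_ip": "10.1.5.5"}
"""

# Constructed on-premises logon records in a syslog-like layout.
LOCAL_AUTH_LOG = """\
Jul  9 13:58:02 dc01 logon: user=bob src=10.1.2.4 result=failed
Jul  9 14:01:50 dc01 logon: user=alice src=10.1.2.3 result=success
Jul  9 14:09:15 dc01 logon: user=dave src=10.1.2.8 result=success
"""

# Constructed threat-intelligence indicator list.
INTEL_IPS = {"198.51.100.23"}

# Control-plane actions the CSOC wants a corresponding local session for.
SENSITIVE_ACTIONS = {"CreateBucket", "PutBucketPolicy", "DeleteTrail"}

LOCAL_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<hms>\d\d:\d\d:\d\d) \S+ logon: "
    r"user=(?P<user>\S+) src=\S+ result=(?P<result>\S+)$"
)


def parse_cloud_events(text):
    """Parse JSON-lines audit records into the common schema."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "time": datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ"),
            # Map the cloud principal onto the local account name.
            "user": rec["actor"].split("@")[0],
            "action": rec["action"],
            "source_ip": rec["source_ip"],
        })
    return events


def parse_local_logons(text, year):
    """Keep successful local logons; syslog lines carry no year, so one is supplied."""
    logons = []
    for line in text.splitlines():
        m = LOCAL_RE.match(line)
        if not m or m["result"] != "success":
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}", "%Y %b %d %H:%M:%S")
        logons.append({"time": ts, "user": m["user"]})
    return logons


def correlate(cloud_events, local_logons, intel_ips, window=timedelta(minutes=15)):
    """Return findings: intel hits, and sensitive actions with no recent local session."""
    findings = []
    for ev in cloud_events:
        if ev["source_ip"] in intel_ips:
            findings.append({"actor": ev["user"], "action": ev["action"], "reason": "intel-match"})
        if ev["action"] in SENSITIVE_ACTIONS:
            # A successful local logon by the same account shortly before the cloud action.
            recent = any(
                lg["user"] == ev["user"] and timedelta(0) <= ev["time"] - lg["time"] <= window
                for lg in local_logons
            )
            if not recent:
                findings.append({"actor": ev["user"], "action": ev["action"], "reason": "no-local-session"})
    return findings


def run_demo():
    """Correlate the constructed samples and return the findings."""
    cloud = parse_cloud_events(CLOUD_EVENTS)
    local = parse_local_logons(LOCAL_AUTH_LOG, year=cloud[0]["time"].year)
    return correlate(cloud, local, INTEL_IPS)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On the sample data the read-only `DescribeInstances` call and alice's bucket creation (preceded by her local logon) produce nothing, bob's policy change is flagged twice (known-bad source address, and only a failed local logon on record), and the service account's trail deletion is flagged for having no local session at all. The point is that neither data source alone surfaces these; the cloud log has to land in the same place as the directory logons and the intelligence feed.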

With all the cloud services available, it's no wonder companies struggle to manage risk. Shifting from a culture of "do whatever it takes to get the job done" to "do what is right for the business" takes a lot of coordinated effort and time but is rooted in security becoming a business enabler rather than continuing to be in the business of "no."

Organizations must include security in technology decisions if security is to continue to protect the business, and security must understand the needs of the business and changes in technology in order to be that enabler. To help prevent people from seeking their own solutions to technology problems, IT and security teams must evolve their assets and functions to accommodate that speed and convenience or find themselves constantly trying to keep up.

Derrick Johnson is the National Practice Director for Secure Infrastructure Services within AT&T Cybersecurity Consulting, responsible for its direction and overall business performance. Derrick's practice provides strategic and tactical cybersecurity consulting services ...

Comments

REISEN1955
User Rank: Ninja
7/9/2019 | 2:24:03 PM
What I have been saying for years
There is nothing real called a CLOUD ---- it is an extremely long RJ-45 or fibre-optic cable from your endpoint in your building TO something else - server, datacenter - in another location FAR FAR away under somebody else's hand control.  God knows who THEY are and what they can do with the data.  Woz - the great one from Apple - said years ago that there is NO security in the cloud.  Fools think it is more secure than other choices - it is perhaps less secure because of somebody else's hands on a keyboard.  Warning posted