Securing the cloud requires a different mindset than securing your on-prem infrastructure
Enterprise cloud operations are expanding and maturing, but as with any natural maturation, inevitable growing pains must be endured and overcome.
As organizations increasingly migrate operations to the cloud providers, security experts rapidly are realizing that automated cloud security services are essential to mitigate risk in these environments. But automated, they are also learning, does not mean easy or unchallenging. And further, even once the applications are firmly ensconced in the cloud automated security operations do not end.
“With the accelerating use of cloud solutions and connected devices, evolving cyber threats and changing regulatory landscapes, data privacy and cybersecurity are top priorities for businesses,” says Linda Rhodes, attorney and partner in Mayer Brown LLP’s technology transactions legal practice in Washington, D.C. “At the same time, big data, combined with mass computing power, is fueling the advancement and sophistication of automation and artificial intelligence, which opens up the potential for tackling difficult data privacy and cybersecurity issues.”
Indeed, since the financial, operational and even security benefits of cloud environments are becoming sharply clear for a growing number of enterprises, they recognize that they must learn how to best make it all work. Forrester Research, Inc. predicted that the public cloud services market will blossom to more than $236 billion by 2020 on the strength of the business case for offloading operations to the cloud.
William Rials, associate director and professor of practice and applied computing at Tulane University’s School of Professional Advancement (SoPA), teaches courses on business and technology. He points out that according to researcher Gartner Inc., by 2020 a “no-cloud policy will be as rare as a no internet policy and the global cloud market. This creates challenges for compliance and security governance using traditional, slower-moving IT methods.”
But, with ever-growing cyber concerns and a continued dearth of experienced security personnel to field these issues, automated security operations must be in place as companies migrate their applications and these applications must be seen to remain secure. This is especially true even when the servers themselves are no longer under the control of the internal IT team.
Irvine, Calif.-based Nathan Wenzler, senior director of cybersecurity at Seattle’s Moss Adams accounting, consulting and wealth management firm, points out that as more companies are moving their operations into the cloud, security becomes even more critical on two fronts: security within the underlying infrastructure of the cloud service itself and additional layers of security that are hosted in their own cloud platforms to protect hosted assets.
“In both cases, the scalability cloud platforms provide is one of the key benefits that organizations are looking to take advantage of, but it’s that same scalability that can make security measures incredibly difficult to implement and manage,” Wenzler says. “For organizations [that] are not fully comfortable operating in a cloud environment, or are just making that transition, this can be a jarring problem, as the tools and techniques they once relied on for protecting their own data centers where they controlled every variable may not necessarily work any longer.” Hence, the necessity of automated security tools and functions, he adds.
Security is still your responsibility
Most organizations want to move to the cloud not only to replace their data centers, but to reap business benefits such as agility, time to value, and cost control for “bursty applications,” says Steven Aiello, security and compliance solutions principal for Chicago-based AHEAD, a technology consulting firm. “The cloud changes the way that security teams operate in a very similar fashion,” he notes. “Security engineers no longer need to worry if hypervisors are being patched, or if their router and switching firmware is up to date.”
And, as more small-and-mid-sized enterprises move to cloud environments, the requisite automated security services are moving downstream as well, according to Matt Wilson, chief information security advisor at Southampton, Pa.-based BTB Security, a cybersecurity consulting firm.
“Automation and orchestration have become the go-to methodology for risk mitigation in many organizations, but typically this practice has been reserved for larger enterprises and those with more mature information security programs,” he says. “However, we’ve seen an increased interest from smaller organizations, although we’re far from critical mass.”
One of the key missteps organizations can make is in assuming that because their data or processing centers are no longer in their internal network that they can become more complacent in their own security management. This sort of out-of-sight, out-of-mind thinking can be costly.
Patrick Criss, CISO for Deland, Fla.’s fast-growing Surety Bank, points out that by employing cloud and properly implementing automated security tools, enterprises can gain “an additional level of control and, in some cases, cover security gaps that exist in the organization itself.”
“While this provides value, it remains paramount that the organization maintained a strong security program with the technical expertise to review and validate the controls,” Criss continues. “It becomes even more important and challenging to review and validate the services that are outside of the organization’s control.”
Jacob Lehmann, managing director of Friedman CyZen LLC, the cybersecurity advisory practice of Friedman LLP, agrees. “Don’t assume because it’s on the cloud that security of your data and your clients’ data are not your responsibility,” Lehmann cautions. “Rest assured if there is a breach, your terms and services agreement will not make your cloud provider responsible for any of your lost or stolen data.”
With the move to automated cloud security, enterprises still must test on a regular basis for weak credentials, lack of two-factor authentication, insecure APIs, operating system image vulnerabilities, malicious insiders, unintended information disclosures and denial of service attacks, he adds.
With automation, enterprises security teams also have to be more mindful than ever before about how they keep the practices and processes regimented across the board. One of the critical security benefits of automation is that it can greatly help standardize secure configurations by removing — or at least reducing — human intervention, which can lead to inconsistencies and misconfigurations of users, Lehmann points out. But with this change comes a new, more imperative obligation for consistency.
“There needs to be a standard process for utilizing cloud resources in a secure manor, which is easily automated,” Lehmann explains, citing examples of processes related to using private keys and how they are managed to access resources. “This needs to be standard operating procedure.”
Adventures (and misadventures) in automating cloud security
In the military, the saying goes that a failure to plan is a plan for failure. So too it is with moving to automated cloud security services, our experts point out. “The most common mistake is starting without a plan,” says Bruce Beam, (ISC)² director of infrastructure and security. “Without a clear plan and strategy many security vulnerabilities can be created and they often multiply as the environment expands.”
Criss says that ensuring a smooth move to automated cloud services begins with the process of selecting a cloud service provider itself. “It is imperative to ensure that the service provider has applied the same security controls across all of the hosting platforms,” Criss advises, noting that enterprises demand that their service provider should be contractually obligated to produce reporting, evidence of testing, and notifications of security changes or events that affect any of the existing environments where the application is currently hosted along with an environment where the application could be moved.
“As the client,” Criss adds, “you should include your specific security requirements along with the regular reporting requirements, intervals and the right to audit the security controls that are agreed to.”
As basic as it might seem, another critical misstep is in ignoring the value of embracing more automated security services in the first place. Rials says it is still commonplace for many organizations to continue using traditional — and arguably outdated — IT tools and techniques to manage cloud security and compliance. Well-meaning but misaligned enterprise cybersecurity professionals might install a firewall and intrusion prevention system/ intrusion detection system (IPS/IDS) at the network edge and control ingress and egress to the protected assets inside the network, without thought for how cloud environments demands defense in depth, he says.
“Often times it is assumed that if you simply host your firewall in the cloud, you can properly secure your cloud resources in the same way that you manage them onpremises. This type of security architecture is fundamentally at odds with today’s cloud architecture,” Rials says. “Applying ‘tried and true’ traditional cyber defense methods will not be successful in an automated cloud security environment.” Instead, enterprise security teams should utilize software defined networking (SDN) security features, micro-segmentation and other cloud based security options, Rials suggests.
Even when an enterprise recognizes the vaunted need for automated security services as they venture into the cloud, they might not be doing their correct due diligence beforehand, according to Doug Barbin, principal and cybersecurity practice leader of Schellman & Company, Inc., an independent security and privacy compliance assessor, who is based in Sacramento, Calif. “The largest mistake we see is not doing a proper risk assessment,” Barbin says. “Everyone says they do a risk assessment, but understanding the specific use cases and threats is most important, even when heavily leveraging cloud services.”
Security concerns that might have been an issue in traditional, on-premise environments can often be more serious in the fasterpaced, more rote, and often less-forgiving automated cloud scenario, according to Aiello. “When you automate a process, not only is the process executed faster, but it’s executed the same way, every time, [with] servers and applications built in that same consistent manner,” Aiello points out. “Dangerous cyber-attackers live in the cracks of human error in misconfiguration, and even the most advanced security analysts find deviations from the norm in their environment.”
With automation completely changing the security paradigm, new security threats can emerge. For example, Aiello suggests an attacker might change Windows registry keys without the IT security team knowing, or drop a web shell backdoor onto a server farm and gain remote access, if companies are not tracking their event logs.
Lehmann concurs, noting that cybersecurity professionals failing to keep tabs on these automated processes, as well as regularly monitoring and validating that all systems are working correctly, are frequent and crucial mistakes he has seen.
“This gives a false sense of confidence that all is well,” he adds. “Companies have to be diligent in establishing secure baselines of where and how data is used on the cloud.” With automation, Lehmann says, comes a greater focus on “baking security into [development operations], not just bolting it on afterwards, [which becomes] especially critical on any platforms hosted on the cloud.”
He continues: “We see a ton of applications that are rushed into the cloud with security as an afterthought and not part of the development lifecycle.” When enterprises more frequently and thoughtfully ingrain security into their development operations (DevOps), he says, it mitigates common risk issues such as hard-coded credentials in plain text, unnecessary API functions, and a lack of business continuity regarding data privacy issues.
While automated cloud security offers undeniable advantages, Rhodes cautions that enterprises should refrain from thinking that it is a panacea for all their security ills. Since the artificial intelligence and machine learning utilized by these systems works, in large part, on probabilities — analyzing large volumes of data — these systems can more effectively and efficiently analyze certain patterns of behavior as “threats” or “non-threats.” However, as cyber threats evolve, Rhodes says, even automated security systems might “mischaracterize a behavior as a threat, when it is really not, or vice versa.”
Also, she points out, there are types of threats that “may not be subject to detection by an automated system, at least not yet or not in all cases,” such as for an unauthorized user of otherwise valid credentials or human error in uploading regulated data into a noncompliant cloud offering. For these reasons alone, Rhodes underscores the importance of continuing to actively manage, monitor and update these newer systems.
“Automated security should be viewed as a means for enhancing a company’s existing cybersecurity and data privacy program,” she concludes, “not a replacement of it.”
A cloudy outlook for security?
Ensuring consistency in an enterprise’s security posture is difficult enough, but in a cloud environment, this imperative becomes decidedly more complicated. Our cybersecurity experts provide insights for how organizations might better orchestrate their security services to fit within this new cloud environment.
It’s not just the technology, stupid. It is important to remember that security is not just a “technology problem” but rather is meant to address risk at all levels, including from a legal liability standpoint, says Nathan Wenzler, senior director of cybersecurity at Moss Adams consulting. “It’s imperative that organizations must understand the terms of use and where liability rests for any issues that may come up from using a cloud provider’s services,” he says. “The tools and automation are all there that can empower your organization to develop robust security measures around all of your cloud-based assets, but the responsibility to make good use of them is on you, not the providers,” Wenzler notes Taking complete ownership of the enterprise’s cloud security efforts, both with the platform and the security tools it leverages, is the key way to avoid most all of the problems that come up when running your operations from the cloud.
Leverage APIs wherever possible. One of the most important ways to help make security in the new cloud environments work is to leverage APIs wherever possible, according to Wenzler. “This is true for both your hosting platforms as well as any security tools you plan to use to protect your assets,” he says. “Thankfully, most all of the major players in the cloud infrastructure services market make fairly robust APIs available so that customers can create automated integrations with their own services, applications and assets.” However, it is important to ensure that one’s cloud security vendors offer products that also take full advantage of these services. It can make the difference between a security tool that claims to have some means to protect your cloud-hosted assets and one that has a more native integration with the platform itself and can scale and flex as the environment needs.
Keep the basics in mind. Countless examples exist where organizations fail spectacularly at the basics of patching, as well as hardening, configuration and access control, according to Matt Wilson, chief information security advisor at BTB Security, a cybersecurity consulting firm. “Before we can automate, we must execute the basics well,” Wilson says. “There must be qualities, parameters, and metrics measured continuously in a structured process formally assigned to someone within the organization.” Another example of sticking to the basics, Wilson points out, is the ability to monitor cloud-native log events effectively. Major providers such as Amazon, Microsoft, and Google make available tremendous capabilities for audit and visibility through a variety of tools that come as part of their services.
Get it all in writing. Enterprises must ensure that their service provider gives them proper documentation and holds the certifications they require, according to Bruce Beam, (ISC)² director of infrastructure and security. “Once this has been established,” he adds, “you can implement the automated roadmap to keep security consistent and make sure it remotes to a common location or dashboard.”
Plan for changing load-balancing. Organizations should plan on cloud workloads having a very different infrastructure, according to William Rials, professor for Tulane University’s School of Professional Advancement (SoPA). “We are not going to have a single cloud world or a single hypervisor world,” he says. “Organization’s automated cloud security should not be dependent on any single cloud service provider.” The automated cloud security plan should focus on open standards as much as possible to achieve maximum compatibility, he says. — KEH