Cloud Security and Risk Mitigation

The cloud certainly offers its advantages, yet as with any large-scale deployment, the cloud can offer some unforeseen challenges.  The concept of the cloud just being “someone else’s data center” has always been a cringe moment for me because this assumes release of security responsibility since ‘someone else will take care of it’. 

Yes, cloud systems, networks and applications are not physically located within your control, but security responsibility and risk mitigation are.  Cloud infrastructure providers allow a great deal of control in terms of how you set up that environment, what you put in your environment, how you protect your data and how you monitor that environment.  Managing risk throughout that environment and providing alignment with your existing security framework is what is most important.

Privacy and Risk

With GDPR and the “sister” policies in the U.S. as seen with Arizona, Colorado, California and others, organizations are faced with increased requirements when it comes to protecting data in the cloud.  And it is not as simple as deploying Data loss prevention (DLP) in a data center since the data center has now become fragmented.  You now have a bunch of services, systems and infrastructures that are no longer owned by you, but still require visibility and control. 

Cloud services and infrastructures that share or exchange information also become difficult to manage: who owns the SLAs? Is there a single pane of glass that monitors everything?  DevOps has forced corporations to go as far as implementing micro-segmentation and adjusting processes around firewall rule change management.  Furthermore, serverless computing has provided organizations with a means to cut costs and speed productivity by allowing developers to run code without having to worry about infrastructures and platforms.  Without having a handle on virtual private clouds and workload deployments, however, things can quickly spin out of control and you start to see data leaking from one environment just as you’ve achieved a comfortable level of security in another. 

Mitigation

Several steps can be taken to help mitigate risk to an organization’s data in the cloud.

1. Design to align. First and foremost, align your cloud environment with cybersecurity frameworks. Often organizations move to the cloud so rapidly that the security controls historically applied to their on-premise data centers, which have evolved and hardened over time, do not migrate effectively, or map directly to the cloud.  Furthermore, an organization may relax the security microscope on widely used SaaS applications.  But even with these legitimate business applications, without the right visibility and control, data may end up being leaked.  Aligning cloud provider technology with cybersecurity frameworks and business operating procedures provides for a  highly secure, optimized and more productive implementation of a cloud platform, giving better results and a successful deployment.  Moreover, being able to do this while implementing the cloud technology can help demonstrate measurable security improvement to the business by giving a “before” and “after” implementation picture.
2. Make yourself at home. Cloud systems and networks should be treated the way you treat your LAN and Data Center.  Amazon’s Shared Responsibility Model, for example, outlines where Amazon’s security responsibility ends, and your security responsibility begins.  While threats at the compute layer exist, as we’ve seen with Meltdown, Foreshadow and Spectre, recent cloud data breaches have shown a breakdown in an organization’s security responsibility area, namely operating system security, data encryption and access control.  If your organization has standards that govern the configuration of servers, vulnerability management, patching, IAM, encryption, segmentation, firewall rules, application development and monitoring, see to it that those standards are applied to cloud services and are audited regularly.  Routine assessments of cloud infrastructure architectures by a third party can be done just as effectively as a review of your LAN & WAN for best security practices.
3. Stop the “sneaking out at night”.  Not too long ago, you would see organizations struggle with employees setting up unsecured wireless access points in an attempt to gain more flexibility and efficiency with their everyday job.  The nickname is “shadow IT” where business units avoid getting IT and security involved in what they’re doing so they can move faster. Fast forward to today - wireless controllers providing rogue detection and Intrusion Prevention Systems (IPS) capabilities have helped reign in that activity.  With the cloud, employees are setting up cloud storage accounts, serverless computing environments and virtual private networks as needed to circumvent lengthy and cumbersome change control procedures, cut costs and gain similar flexibility and efficiency.   By rearchitecting legacy networks, re-adjusting decades old processes and procedures, implementing cloud proxy or CASB technology, and coupling that with strong endpoint security controls and an effective awareness campaign, an organization can provide that level of flexibility and efficiency, but still provide for data protection. 
4. Keep a close watch.  The Cybersecurity Operations Center (CSOC) should no longer be concerned with just the local network and data centers.  The operational monitoring procedures, threat hunting, intelligence, and incident response that the SOC uses also apply to cloud environments where the organization’s data resides. Monitoring SaaS applications where corporate data may reside is challenging but can be done using effective endpoint security coupled with the monitoring of cloud access solutions (CASB, Proxy, and others).  For a serverless environment, depending on your CSOC requirements, this may mean the application of third-party monitoring platforms or solutions above and beyond what cloud providers offer.  In all cases, event logging and triggers need to feed back to the CSOC to be correlated with local event data, analytics and threat intelligence.

With all the cloud services available, and new services being offered daily, it is no wonder companies struggle to manage risk.  Shifting from a culture of “do whatever it takes to get the job done” to “do what is right for the business” takes a lot of coordinated effort and time but is rooted in security becoming a business enabler rather than continuing to be in the business of ‘no’.  Organizations must include security in technology decisions if security is to continue to protect the business, and security must understand the needs of the business and changes in technology in order to be that enabler.  To help to  prevent people from seeking their own solutions to technology problems, IT and security teams must evolve their assets and functions to accommodate that speed and convenience or find themselves constantly trying to keep up.