There Is No True Cloud Security Without Comprehensive Command and Control

The most recent survey conducted by the SANS Institute opens by summarizing stunning breaches involving sensitive data exposed through misconfigured Amazon Simple Storage Service (S3) buckets, including a Verizon partner that leaked the personal information of more than 14 million Verizon customers, a Republican party voter database revealing private data on nearly 200 million American voters, and the exposure of the L.A. Times' website source code.

As the public cloud grows, so grows the attack surface, and the survey details many new threats while also showing that cloud security overall is improving.

The Institute polled several hundred respondents across many industries. Findings included weaknesses across technology, financial services, government and other verticals, such as a lack of encryption and API management consoles that are not protected by identity and access management or privileged account management policies (or that have such policies in place but not enforced).

“Organizations are continually evolving in their use of cloud services, looking to the cloud for procurement, management and other functions,” says Dave Shackleford, SANS senior instructor and analyst. “Along with that movement, organizations are placing more and more sensitive data in the cloud and facing a variety of security concerns.”

According to the Institute’s press release, “More respondents’ organizations experienced unauthorized access to cloud environments or cloud assets by outsiders: 31% in 2019 compared with just 19% in 2017. And concern about that access has remained high, with 56% of 2019 respondents listing it as a concern. The concern for data breaches by cloud provider personnel dropped from 53% in 2017 to 44% this year, which may indicate some growth in trust in the providers. Other major concerns included inability to respond to incidents (52%), lack of visibility into what data is being processed and where (51%) and unauthorized access to data from other cloud tenants at 50%.”

What were the 2019 blockbusters?

According to the Institute:

“We saw a significant increase in unauthorized access by outsiders into cloud environments or to cloud assets; this occurred at 19% of organizations in the 2019 survey, whereas in 2017 this was experienced by only 12% of organizations.

More than 55% of respondents in 2017 stated that they were frustrated trying to get low-level logs and system information for forensics, but only 30% said as much in 2019.

ISO 27001 reports continue to be the most valuable audit reports made available by cloud providers, and more organizations are able to perform pen tests of their cloud-provided environments than in the past.”

The survey also revealed which categories of sensitive information are being hosted in the cloud today, with “business intelligence topping the list at slightly more than 48%, in a virtual tie with intellectual property (48%), and with customer personal information (43%) close behind.”

In 2017, business intelligence came in second, behind employee records; in 2019, employee records dropped to fifth place.

Unauthorized access to data by outsiders topped the list of concerns in 2019 at 56% (slightly lower than in 2017 but still the highest category).

“In second position, inability to respond to incidents (52%) moved up from seventh position in 2017, when 48% chose this concern. Other major concerns were lack of visibility into what data is being processed and where (51%, up from 48% in 2017) and unauthorized access to data from other cloud tenants, at 50%…” the report continued.

We asked experts in the cyber security domain about their reactions to the latest SANS survey, and here’s what they had to say:

“The attack surface of the cloud is enormous, but that attack surface can be reduced by micro-segmentation of services and a strategy of authenticate and authorize before any access, using a system that can’t be compromised simply by stolen or hijacked credentials like username / password,” said Rick Conklin, CTO of Dispersive Networks. “Micro-segmentation mitigates the risk that an adversary will be able to infiltrate the system, exfiltrate sensitive data, or crossover / pivot from a different application. The velocity of modern attacks means the cloud must be resilient and able to defend itself at machine time, and administrators must have real-time or near real-time access to events, logs, and anomalies.”

“When it comes to security, cloud services are very similar to on-prem services,” said Orhan Yildirim, Chief Operating Officer, Krontech. “Cloud computing and networking also have unique challenges, including being accessible from anywhere and by anyone. Responsibilities and boundaries can be uncertain for cloud services, and require a clear definition of the enterprise’s responsibilities and the cloud provider’s obligations and liabilities. What is certain is that privileged ‘super-user’ access must be carefully managed, as privileged access continues to be the most common path for cloud data breach attacks, just as it is for on-premises services. Privileged Access Management (PAM) is mission critical for any organization that keeps sensitive data in the cloud.”

“People talk about data being the new oil,” said Don DeLoach, CEO of Rocket Wagon Venture Studios, a family of vertically aligned, IoT-focused venture studios. “I am hearing more and more the expression that trusted data is the new oxygen, and you cannot live for long without it. In fact, as we progress ever faster into a cyber-physical world, the basic existence of the myriad of systems that will permeate all of our lives will depend on a much greater level of security and trust. We see new innovation such as hardware encryption, DLT technology, and layered security models as collectively advancing the ecosystem. While it is hard to imagine the day where anything is 100% secure, we are asymptotically approaching that point. At some point in time, perhaps even now, the biggest challenge will be education and not technology.”

What all the experts agree on is this: enterprises, government organizations and agencies, and small and medium businesses must develop, manage and audit their IT processes and governance programs continually, in response to the ever-changing and expanding multi-cloud landscape.

The survey showed that “68% of organizations have cloud security and governance policies in place, which is up from 62% in 2017; 24% stated that they didn’t, and 8% weren’t sure.” We clearly have a long way to go before organizations across the board are fully protected.

Command and Control

The report bases its recommendations on weaknesses it observed in hybrid and services models, noting low adoption of CASBs and encryption gateways (18% for hybrid management) and of identity management solutions (22% in hybrid management, up from slightly more than 16% in 2017). “Many organizations may not feel wholly comfortable stating that these controls are capably implemented for the cloud yet,” the report stated.

“This concern is somewhat substantiated by the fact that only 44% of respondents stated they are leveraging cloud provider APIs in the cloud to implement security controls (a critical element of automation and cloud security maturity)—almost unchanged from 2017 (43%). For those leveraging these APIs, the most common control is configuration management (75%), followed by logging and event management (72%), and then by identity and access management in third place (59%),” the report goes on, also saying “APIs offered by the cloud provider can afford security teams much more automated and capable access to and control over cloud environments, and hopefully we’ll see increased use of these APIs in the future.”
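The configuration-management control the report describes, implemented through provider APIs, amounts to pulling each bucket's policy, ACL and public-access-block settings and deciding whether the bucket is exposed the way the S3 buckets in the breaches above were. The following is an added example, not code from the SANS report or from this article: it contains the decision logic only, operating on inputs shaped like the responses of the S3 API calls GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock (in boto3, `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block` on an S3 client). The bucket names, policies and ACL grants are constructed for the example and are not real accounts.

```python
"""Audit S3 bucket exposure from the data the S3 API returns.

Added example, not from the SANS report or the article. Evaluates the three
inputs a configuration-management check would pull through the provider API
(shaped like S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock
responses) and flags buckets readable by anyone. Sample data is constructed.
"""
import json

# ACL grantee URIs meaning "anyone" (AllUsers) or "any AWS account" (AuthenticatedUsers).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
READ_ACTIONS = {"s3:*", "s3:get*", "s3:getobject", "s3:listbucket"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def policy_allows_public_read(policy_json):
    """True if any Allow statement grants a read action to an anonymous principal.

    Statements carrying a Condition are treated as not public here; a full
    check would evaluate the condition keys (e.g. aws:SourceVpce) as well.
    """
    if not policy_json:
        return False
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            return True
    return False


def acl_allows_public_read(grants):
    """True if the bucket ACL grants READ or FULL_CONTROL to a public group."""
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            if grant.get("Permission") in READ_PERMISSIONS:
                return True
    return False


def assess_bucket(name, policy_json, acl_grants, public_access_block):
    """Combine the signals the way S3 enforces them; returns (is_public, reasons).

    IgnorePublicAcls neutralises existing public ACL grants and
    RestrictPublicBuckets neutralises a public bucket policy, so a bucket with
    the block fully enabled is not exposed even if its ACL or policy looks open.
    """
    pab = public_access_block or {}
    reasons = []
    if acl_allows_public_read(acl_grants) and not pab.get("IgnorePublicAcls"):
        reasons.append("ACL grants read to a public group")
    if policy_allows_public_read(policy_json) and not pab.get("RestrictPublicBuckets"):
        reasons.append("bucket policy allows anonymous read")
    return (bool(reasons), reasons)


# Constructed sample inputs, shaped like the API responses (hypothetical names).
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-leaky-bucket/*"}],
})
PUBLIC_ACL = [{"Grantee": {"Type": "Group",
                           "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
               "Permission": "READ"}]
OWNER_ONLY_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "abc123"},
                   "Permission": "FULL_CONTROL"}]
LOCKED_DOWN = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
SAMPLE_BUCKETS = [
    ("example-leaky-bucket", PUBLIC_POLICY, OWNER_ONLY_ACL, None),
    ("example-acl-open", None, PUBLIC_ACL, None),
    ("example-remediated", PUBLIC_POLICY, PUBLIC_ACL, LOCKED_DOWN),
]


def audit(buckets=SAMPLE_BUCKETS):
    """Return the names of the buckets that are publicly readable."""
    return [name for name, *rest in buckets if assess_bucket(name, *rest)[0]]


if __name__ == "__main__":
    for name, policy, acl, pab in SAMPLE_BUCKETS:
        public, reasons = assess_bucket(name, policy, acl, pab)
        print(f"{name}: {'PUBLIC' if public else 'ok'} {reasons}")
```

In a real deployment the three inputs are fetched per bucket with the provider API and the audit runs on a schedule or from a CI job, which is what turns the API access the report describes into an enforced control rather than a one-off review.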

When asked about top challenges, the collective intelligence gathered by the report indicated “a lack of real-time visibility into events and communications involved in incidents—a problem that EDR and forensics/IR tool integration may help with significantly. Other major challenges cited include the difficulty in correlating events between on-premises and cloud environments (likely tying into the strong emphasis on SIEM and event management integration) and immature forensics and IR processes.”

The report also explores automation and orchestration approaches, DevOps, Continuous Integration, tools including Jenkins and TeamCity, audit and assessment technologies, and the NIST Cyber Security Framework (CSF).

This report is a must read for all IT, OT, security and networking professionals.

This year, the Cloud Security Alliance (CSA) weighed in on the report, sharing what it is seeing in public cloud adoption and trends.

In summing up the report, SANS’s Shackleford writes, “Many organizations are continually evolving in their use of cloud services, looking to the cloud for procurement, management and other functions. The cloud provides capabilities for implementing new technology strategies in IoT and cryptocurrency, too, but many respondents mentioned the need for better APIs and automation capabilities to keep pace with the rapidly changing services offered. Especially as we shift toward multicloud deployments and cloud environments that are geographically dispersed, privacy issues are likely to become more of a concern. Many security teams aren’t well versed in cloud concepts, both in design and operations areas and in DevOps/automation tools and tactics; this can be the case with container tools and technology, even more than with traditional server-oriented workloads. The perception remains that we aren’t getting many needed details about security controls and capabilities from the providers, too, which limits our comfort level with the providers overall; conversely, some expressed the opinion that cloud may afford significant improvements in security over traditional on-premises data center environments.”

While there have been positive developments, there is much to be done to improve how we secure data at rest and data in motion in and between clouds. We cannot manage what we do not measure, and this most recent report from SANS is priceless in pursuit of improvement.