Exploring how and why cloud security issues arise as a result of poor security, Tim Woods looks to how this can lead to a bigger problem in the long run.
For many organisations, the cloud is viewed as a commodity – there to help them get applications up and running quickly and efficiently. This is not disputed, but what usually happens when a business goes to the cloud with this consumer mentality is that security tends to be assumed.
Securing the cloud with intelligent policy assurance
We all know how the saying goes about assumptions; and with the cloud, this is no different. In fact, 100% of data exposures in the cloud can be traced back to misconfigurations of security controls stemming from assumptions made about the level of security.
Many of today’s successful cloud attacks are traced back to a lack of assurance in the security configuration. This is clear evidence that we, as an industry, are not applying the same level of policy concern to the cloud that we once did with traditional on-premise type solutions. To prevent this from happening, intelligent policy assurance needs to come into play so that organisations can better analyse their security posture and keep it intact when they adopt cloud services. However, this is easier said than done.
At the minute, there are competing forces that organisations and security personnel fight against. The mad dash to get to the cloud has not helped. We saw the same thing happen 25 years ago when the first computers were connected together over the network. The security issues brought about by this interconnectivity gave birth to the firewall and subsequently security policy management, which was vital. Unfortunately, because of the amorphous nature of cloud software, security configurations have not come to the fore the way they would have done a quarter of a century ago. With most cloud breaches due to misconfiguration, a policy management solution must be adopted in order to establish a baseline security policy indicator for what is allowed and what is not.
Part of the blame lies in the fact that security controls are being left to application owners, who are now responsible for something they are not skilled to carry out. This could be attributed to a consumer mindset being brought into the enterprise, which represents a totally different paradigm from the one any security manager of yesteryear is accustomed to. However, in today’s technological age, most people are using cloud services from household consumer brands that are cloud-centric, like Google, Dropbox etc. So, the idea that those using these products could be transferring the same lack of security awareness to business shouldn’t be all that surprising. It doesn’t help that 80% believe security is on the shoulders of the cloud provider – again another example of a consumer mentality that needs to be addressed by security. Instead of resisting this and having non-security professionals within the business bypass the security team outright, the security department needs to roll with the times and find a way to satisfy these business demands, while preserving security.
Hackers are winning…for now
We all know today’s hackers are ruthless, trained to cause untold destruction at any sign of a lapse in security – some of you reading may have already experienced the wrath. They are not resting, constantly trying to find a new angle to attack from. When one hole is plugged, another pops up. Security best efforts are being put forward to tackle the glaring issues, but there is a lack of time and of available skilled security resources, which is only being amplified in the cloud – at a time when cloud providers need to assure their customers of security more than ever before. The only way this can be achieved is if all the configurations are set and the organisation has complete visibility into all the data and where it is stored. Remember, you can have all the tools in the world, but if they are not configured properly, then the risk of being breached is escalated.
Take a page out of GDPR
The precedent set by GDPR demands security by design and default, which really drills home the necessity of security. To remain compliant, security must be taken into consideration before decisions are made, as it is now a component of the design process. The mentality that security should be in existence from the beginning has to be carried over when enterprises are set to move to the cloud. With GDPR, there is a Data Impact Assessment that organisations can use to vet flaws or security gaps that surround the data protection scheme in place. Failure to do so means fines could be incurred and, when a breach happens, the financial and reputational damage can be detrimental to that organisation. So why shouldn’t there be a similar policy implemented for the cloud, where a baseline of rules that should be followed can ensure that the security in place is appropriate?
One possible answer could be for organisations to strive to achieve total configuration assurance. As we all know, it can be extremely difficult to reach complete security parity; yet, if security teams are doing everything in their power in an attempt to achieve 100% security, then they can be assured they are putting the enterprise in good stead. With regard to protecting business assets, a minimum set of security standards needs to be followed. A simple policy to put in place could be to protect certain assets no matter where they are. In layman’s terms: the security needs to follow the asset, always, whether the asset is on-premise or in the cloud.
Light at the end of the cloud
If a change is to be made in the way cloud security is observed, then a cloud security policy assessment needs to be introduced for enterprises. This will require the security controls to be continually vetted, audited and compliance-led; and, most of all, part of a lifecycle management system. In this way, the controls will be monitored and checked for security every day, week, month and year to ensure nothing will be out of date or compromised. It also requires organisations and their IT security teams to take responsibility for the security configurations within their cloud deployments. This is not easily done with manual efforts and necessitates having individuals with the right skill set to manage the controls. To truly get on top of policy management leading to assurance, organisations should leverage automation to make sure human error and unnecessary complexity don’t creep into the security posture over time.
Moving forward, there is a reason to feel encouraged and the future is looking bright for cloud security. The reason for such optimism is down to the fact we have seen this movie before and the tools are there at the security team’s disposal. We are learning from every cloud deployment, sometimes the hard way, but the remedy has been identified as introducing cloud security assurances through properly managed policies. This is what the industry needs to get it across the finishing line ahead of the bad guys.