Cloud Security: A CISO Guide
Expanding Security Perimeter Increases Need For Third-Party Risk Management And Cyber Due Diligence
Enterprise Security Strategy Evolving With Cloud Computing
More and more enterprises are migrating to the cloud, taking their data and applications (or parts of them) to this computing platform. There are a number of cloud computing setups, from public and private to multi-cloud and hybrid. The number of variations, coupled with the breadth of cloud use throughout the enterprise, leaves IT departments with a complex task: monitoring cloud services while keeping them secure. This imperative was further emphasized in our mid-year Cyber Security Market Snapshot, which showed cloud topping the list of enterprise cyber threat concerns.
As the technology continues to evolve, so too should the strategies CISOs and enterprises develop in order to remain secure. Cyber Security Hub has examined the ins and outs of today’s hybrid cloud setups so enterprises can better understand the technology and its vulnerabilities, and develop a cloud security strategy that fits their needs.
While it seems as though cloud computing hasn’t been around for very long, the underlying concepts date back many years (they are usually traced to the 1950s) and have gradually evolved into what we know today. Along the way they took various shapes, such as virtual machines in the 70s and virtualized private network connections in the 90s, but the speed of maturation in recent years is perhaps why we regard cloud as a 21st century technology.
In fact, according to research firm Wikibon, cloud spending generated $26 billion in 2012. By 2015, the year the report was released, spending had risen to $80 billion. Wikibon now forecasts public spending on cloud services to reach approximately $522 billion by 2026.
Cloud Services Introduce New Security Challenges
Cloud brings more processing power, more storage and access to data at any time, from anywhere. But if security is still catching up to the growing investment in this technology, there are many risks and vulnerabilities involved, just as with any other piece of technology on the market. Although not an all-encompassing list, some of those risks include:
- Security and data privacy: Even though cloud service providers may have best practices and industry certifications embedded in their programs, there are always risks in storing important data and files with external or third parties.
- Vulnerability to attack: Because cloud components are reachable over the internet, they are exposed to attack. And because public cloud is self-service, resources are often set up by people with no security training.
- Switching cloud vendors: Many enterprises find that they need to switch cloud vendors from time to time, which brings risks during migration. Differences between platforms (and their security policies) could lead to data leaks or gaps in the process.
For attackers, having user data and sensitive company information concentrated in one place is a goldmine. The tools for finding weaknesses in a cloud platform are very similar to those used against enterprise defenses, such as scanning for servers and systems that are unpatched or have known vulnerabilities. This concern has not been lost on security leaders.
Cloud Tops List Of Most Worrisome Threats
In a recent Cyber Security Hub survey, 85.5% of respondents said that cloud will pose more of a threat for the rest of 2019. Two points of view on securing the cloud environment emerged. The first is that ‘cloud is not safe,’ taken verbatim from the open-ended question at the end of our survey. Another response referenced the First American Financial Corp. title breach (May 2019), attributed to ‘misconfigured server security (TBD).’ The respondent added that it was ‘possibly a cloud security configuration issue due to lack of expertise or process.’
This segues into the second point of view on protecting assets and information in the cloud, which is perhaps summed up best by Randall “Fritz” Frietzsche, CISO and Privacy Officer for Denver Health who says, “There is no cloud … there’s only someone else’s computer.”
In other words, whether the asset sits on your own network or in the cloud, security still starts with the basics: risk assessments and vulnerability management. What changes is the structure. Cloud infrastructure looks different from a traditional network, but the strategy still begins with the CISO and security teams, and it has to extend to wherever the data sits. Due diligence on shared compliance obligations and on how risk is assessed, backed by a solid and clear contract with the third party, is essential to protecting the enterprise, no matter the endpoint.
According to Doug Cahill, Group Director and Senior Analyst for ESG, awareness of this, among the other threats he lists, is key: “Employees need to be regularly reminded about the appropriate and vigilant use of email, the web, and cloud apps and how they relate to spear phishing attacks, bogus impersonation emails or data loss.”
Extending The Enterprise Security Perimeter
When firewalls were deployed to bolster an enterprise’s security, the rationale was right: isolate threats, act against them and let the inner workings of the enterprise flow as smoothly as possible. Yet the threat landscape has evolved in recent years, to the point where “insiders” gain elevated access to critical systems and data, or privileged users fall victim to phishing campaigns that open the way to the crown jewels. The advent of cloud computing has forced security professionals to approach perimeter defense from a different angle.
So, enter a model that has steadily transformed enterprise security: Zero Trust. Built on specific technologies (identity and access management (IAM) and privileged access management (PAM) included), along with an intense focus on analytics, encryption and governance, Zero Trust holds that no user, device or connection is trusted by default, whether it sits inside or outside the network; every access request must be authenticated and authorized before access is granted.
Giacomo Collini, Director of Information Security for King.com (developers of the Candy Crush franchise), previously told the Cyber Security Hub that Zero Trust is “key to enable companies to transition to a pure-cloud environment.” Implementation, he said, requires “a holistic approach” and it “does not admit mistakes.”
Has the perimeter, and a layered approach, vanished in one fell swoop, then? Not according to Collini. “Layered controls still make sense but they must be carefully designed to avoid unnecessary complexity, loss of focus and hidden cracks,” he said.
Russell Walker, CISO for the Mississippi Secretary of State, told Cyber Security Hub that “the perimeter in the traditional sense has disappeared. The network itself is no longer a static environment we can put barriers around, have a guard at the gate and say, ‘Now we are protected.’”
Because of cloud computing, Walker said, “you cannot provide security using a model that was designed for a much more static and enclosed environment.” A changed perimeter requires organizations to involve the security team in assessing the capabilities of external partners, and to establish oversight and testing that ensures those partners maintain a security posture aligned with the organization’s own.
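To make the contrast concrete, here is an added example (written for this page, not code from Cyber Security Hub or from any of the people quoted) that evaluates the same constructed access requests under a perimeter-style rule and under a Zero Trust rule. The corporate address range, the entitlement table and the request fields are assumptions chosen for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Assumed corporate address range; in the perimeter model this alone conferred trust.
CORPORATE_NETWORK = ipaddress.ip_network("10.0.0.0/8")

# Assumed entitlements: which user may perform which action on which resource.
ENTITLEMENTS = {
    "alice": {"payroll-db": {"read"}},
    "bob": {"payroll-db": {"read", "write"}},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str
    resource: str
    action: str
    mfa_verified: bool = False
    device_managed: bool = False
    device_patched: bool = False


def perimeter_decision(req):
    """Legacy model: a source address inside the corporate network is trusted."""
    return ipaddress.ip_address(req.source_ip) in CORPORATE_NETWORK


def zero_trust_decision(req):
    """Evaluate identity, device posture and entitlement on every request.

    Network location is deliberately absent: being on 10.0.0.0/8 earns nothing.
    Returns (allowed, list_of_denial_reasons).
    """
    denials = []
    if not req.mfa_verified:
        denials.append("mfa-required")
    if not req.device_managed:
        denials.append("unmanaged-device")
    if not req.device_patched:
        denials.append("device-out-of-date")
    permitted = ENTITLEMENTS.get(req.user, {}).get(req.resource, set())
    if req.action not in permitted:
        denials.append("not-entitled")
    return (not denials, denials)


# Constructed requests that exercise the two models.
REQUESTS = {
    # On the corporate network, but no MFA and no write entitlement.
    "insider-no-mfa": AccessRequest("alice", "10.20.30.40", "payroll-db", "write",
                                    device_managed=True, device_patched=True),
    # Off-network, but strongly authenticated on a healthy managed device.
    "remote-contractor": AccessRequest("bob", "203.0.113.7", "payroll-db", "write",
                                       mfa_verified=True, device_managed=True,
                                       device_patched=True),
    # Valid credentials and MFA, used from an unmanaged, unpatched device inside.
    "phished-laptop": AccessRequest("bob", "10.1.2.3", "payroll-db", "read",
                                    mfa_verified=True),
}


def compare():
    """Decisions of both models for every constructed request."""
    return {
        name: {"perimeter": perimeter_decision(req),
               "zero_trust": zero_trust_decision(req)}
        for name, req in REQUESTS.items()
    }


if __name__ == "__main__":
    for name, outcome in compare().items():
        print(f"{name:18} perimeter={outcome['perimeter']!s:5} "
              f"zero_trust={outcome['zero_trust']}")
```

The insider and the phished laptop are both allowed by the perimeter rule simply because their traffic originates inside 10.0.0.0/8; the Zero Trust rule denies them and states why, while admitting the remote contractor the perimeter rule would have blocked.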
Many of the breaches occurring today involve applications that reside in the cloud, and we often hear that the cause was a misconfiguration on the customer’s side. So, what can be done to identify these misconfigurations? Holding the right discussions within the organization, and working through the proper considerations, will reduce risk and misconfiguration when moving data and applications to the cloud.
Take the time to become familiar with your provider’s shared responsibility model before adopting a cloud solution. Both Amazon Web Services (AWS) and Microsoft Azure publish their shared responsibility models online. Broadly, the provider is responsible for security of the cloud (facilities, hardware and the virtualization layer), while the customer remains responsible for security in the cloud (identities and access, data, network configuration, and the configuration of operating systems and applications), with the exact split shifting as you move from IaaS to PaaS to SaaS. Understanding that division tells you which configurations you own, and therefore where misconfiguration risk sits.
According to the Cloud Security Alliance’s Top Threats to Cloud Computing: The Egregious 11, “Misconfiguration occurs when computing assets are set up incorrectly, often leaving them vulnerable to malicious activity.”
There are solutions that automate the governance of cloud configurations (commonly grouped under the label cloud security posture management) and others focused on remediation. Exploring these options benefits your organization, and they should be considered when designing your cloud strategy.
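As an added illustration of the kind of check such tools perform (example code written for this page, not any product’s code), the following audits a constructed inventory snapshot for the misconfigurations most often behind cloud breaches: a storage bucket whose policy grants access to any principal while public access blocking is off, administrative and database ports open to the whole internet, and a database that is publicly reachable or unencrypted at rest. It then applies a minimal remediation and re-audits. The inventory format, the port lists and the admin address range are assumptions made up for the example; real tools read these settings from the provider’s APIs.

```python
import json
from copy import deepcopy

# Constructed inventory snapshot. The shape is an assumption made up for this
# example, not the output of any provider's API.
INVENTORY_JSON = """
{
  "buckets": [
    {"name": "customer-docs", "public_access_block": false, "encryption": null,
     "policy": {"Statement": [
       {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}},
    {"name": "build-artifacts", "public_access_block": true, "encryption": "AES256",
     "policy": {"Statement": [
       {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/ci"},
        "Action": "s3:GetObject"}]}}
  ],
  "security_groups": [
    {"id": "sg-db",  "ingress": [{"port": 5432, "cidr": "0.0.0.0/0"},
                                 {"port": 22,   "cidr": "0.0.0.0/0"}]},
    {"id": "sg-app", "ingress": [{"port": 443,  "cidr": "0.0.0.0/0"},
                                 {"port": 22,   "cidr": "10.0.0.0/8"}]}
  ],
  "databases": [
    {"id": "payroll",   "publicly_accessible": true,  "storage_encrypted": false},
    {"id": "reporting", "publicly_accessible": false, "storage_encrypted": true}
  ]
}
"""

ADMIN_PORTS = {22, 3389}                       # SSH, RDP
DATA_PORTS = {1433, 3306, 5432, 6379, 27017}   # MSSQL, MySQL, PostgreSQL, Redis, MongoDB
ANYWHERE = "0.0.0.0/0"
ADMIN_CIDR = "10.0.0.0/8"                      # assumed bastion/VPN range used in remediation


def load_inventory():
    return json.loads(INVENTORY_JSON)


def _grants_anyone(statement):
    """True if an Allow statement names every principal ('*' or {'AWS': '*'})."""
    if statement.get("Effect") != "Allow":
        return False
    principal = statement.get("Principal")
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in principal.values()


def audit(inventory):
    """Return (severity, resource_type, resource_id, description) findings."""
    findings = []
    for bucket in inventory.get("buckets", []):
        statements = bucket.get("policy", {}).get("Statement", [])
        if any(_grants_anyone(s) for s in statements) and not bucket.get("public_access_block"):
            findings.append(("HIGH", "bucket", bucket["name"],
                             "policy grants access to any principal and public access block is off"))
        if not bucket.get("encryption"):
            findings.append(("MEDIUM", "bucket", bucket["name"], "no default encryption at rest"))
    for group in inventory.get("security_groups", []):
        for rule in group.get("ingress", []):
            if rule["cidr"] == ANYWHERE and rule["port"] in ADMIN_PORTS | DATA_PORTS:
                findings.append(("HIGH", "security_group", group["id"],
                                 f"port {rule['port']} open to the internet"))
    for db in inventory.get("databases", []):
        if db.get("publicly_accessible"):
            findings.append(("HIGH", "database", db["id"], "publicly accessible"))
        if not db.get("storage_encrypted"):
            findings.append(("MEDIUM", "database", db["id"], "storage not encrypted at rest"))
    return findings


def remediate(inventory):
    """Return a corrected copy of the inventory; the original is left untouched.

    Real remediation goes through change control: closing a port or making a
    database private can break a dependent service, so a production tool would
    raise a ticket or require approval rather than apply these blindly.
    """
    fixed = deepcopy(inventory)
    for bucket in fixed.get("buckets", []):
        bucket["public_access_block"] = True
        bucket["encryption"] = bucket.get("encryption") or "AES256"
    for group in fixed.get("security_groups", []):
        for rule in group.get("ingress", []):
            if rule["cidr"] == ANYWHERE and rule["port"] in ADMIN_PORTS | DATA_PORTS:
                rule["cidr"] = ADMIN_CIDR   # restrict to the assumed admin range
    for db in fixed.get("databases", []):
        db["publicly_accessible"] = False
        db["storage_encrypted"] = True      # in practice: snapshot, then restore encrypted
    return fixed


if __name__ == "__main__":
    inventory = load_inventory()
    for finding in audit(inventory):
        print("%-6s %-15s %-16s %s" % finding)
    print("after remediation:", audit(remediate(inventory)))
```

Note that port 443 open to the world on sg-app is deliberately not flagged; the checks target the ports and settings that should never face the internet, which keeps the finding list actionable rather than noisy.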
Adopting the cloud does not remove the need for a security leader or a security team. It does require that team to evolve and adapt, if it is not already experienced in securing cloud platforms.
Risk Management And Cloud InfoSec In Third-Party Relationships (TPRM)
Businesses have been given a revised charter, call it digital transformation, an innovation culture, or simply enterprise change, to create long-term value and competitive advantage and to derive new cost savings for shareholders. To meet these objectives, organizations are increasingly reliant on third-party vendors, suppliers and cloud service providers to scale efforts beyond their current headcount.
Third-party partnerships have become central to how enterprises do business, especially as enterprises must comply with various federal and state regulations. Data mismanagement is no longer confined to the enterprise’s own perimeter; it extends to data shared over cloud technologies and third-party services. Enterprises must address the growing requirements in data sharing and risk monitoring, and initial approaches to third-party risk management must evolve beyond collecting data to actually changing vendor behavior.
“The common cloud service providers are behemoth companies that have take-it-or-leave-it contracts that are not up for re-drafting or negotiation. This brings up a contractual legal issue of ‘unfair bargaining power’ that companies may want to consult their attorney about before subjecting themselves to such a cloud contract.”
— Jamal Hartenstein, IT Security Program Manager, KAI Partners
One way organizations are managing the risk of a cloud-based data breach is to take out a cyber liability insurance policy, which covers losses from a malicious attack, a data breach or other cyber incident. Policies vary to address the needs of specific sectors, such as financial services, healthcare or retail.
Within cyber liability insurance, two types of coverage address different categories of breach expense: first-party coverage, for the insured’s own costs such as forensics, notification and business interruption, and third-party coverage, for liability to customers, partners and regulators. “While the primary goal of cyber liability coverage is to protect the business, it can also extend to the clients who interact with the business,” wrote Forbes contributor Bill Hardekopf in a recent article.
Understanding The True Cost Of A Data Breach
The average cost of a data breach in the U.S. is $242 per exposed record, according to the latest annual Cost of a Data Breach study from the Ponemon Institute. The impact on the organization, however, extends years beyond the incident. The expense of rebuilding trust and brand reputation, as well as government fines for mishandling data, is excluded from the per-record figure.
“The costs of incident response, root cause analysis, and penalties are just the tip of the iceberg,” says Jamal Hartenstein, IT Security Program Manager for KAI Partners. “The lasting damages that have measurable monetary losses are the intangible ones impacting brand and reputation.”
When financial services provider Capital One disclosed that upwards of 100 million individuals were affected by a data breach, the root cause was described as a misconfigured web application firewall in front of a Capital One application that interfaced with its AWS environment. The company estimated its 2019 costs from the breach at $100-150 million, below the average the Ponemon research reports for mega-breaches of that size.
Governments are also moving quickly to penalize organizations that compromise personal data. Under the European Union’s General Data Protection Regulation (GDPR), which allows regulators to fine companies for data mismanagement, Bulgaria’s tax agency is expected to be fined up to $22.5 million over the breach of PII belonging to more than 4 million Bulgarian citizens. Stateside, New York has expanded its data breach laws and now requires businesses to implement data security programs. The SHIELD (Stop Hacks and Improve Electronic Data Security) Act broadens the definition of PII and adds new breach notification requirements. Businesses holding PII about New York residents must implement reasonable security measures, including employee awareness programs, among other administrative safeguards.
“Those that cite concerns about the security of public cloud services as the reason for not using them are either required to operate in an air gapped environment, or, quite frankly, are oblivious to the fact that their business units have done an end-run around them to the cloud.”
— Doug Cahill, Senior Analyst and Group Director, ESG
While 100% security is not a practical objective, the fundamentals cannot be overstated: understanding data movement, identifying sensitive PII and company data, and enforcing third-party risk management (even in the cloud). With the number of mega-breaches occurring, it is a reminder to “get the house in order.”
The Opportunity For Automating Cloud Security
With data sets containing billions of entries stored in the cloud, the volume quickly surpasses what humans can analyze. Securing personally identifiable information (PII) and sensitive company data in the cloud is a similar challenge. Data analytics increasingly take advantage of the cloud’s compute capacity by using machine learning (ML) to synthesize data and develop insights. Could a similar approach to automation be used to protect the cloud?
The power of artificial intelligence (AI) and ML comes from training a model on large data sets to classify information and to learn what normal looks like. That capability leads to several security applications where ML can add value for cloud data:
- Detecting changes in user behavior (insider threats) and unauthorized access (compromised credentials)
- Flagging malformed data ingested from IoT and edge devices
- Anomaly detection using correlation and contextual analysis
- Reducing data leakage from cloud service users moving data outside of the cloud
- Identifying malware and malicious email
- Detecting altered or tampered data
- Surfacing misconfigurations of the kind otherwise found only in penetration testing
Cognitive computing technologies such as AI and ML are helping CIOs and CISOs make better decisions faster.
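To show what the first and third items on that list look like in practice, here is an added example (not from the original article) that builds a per-user baseline from constructed login history and scores new events for an unfamiliar country, an unfamiliar device, off-hours activity and impossible travel. The events, the weights and the alert threshold are assumptions chosen for illustration; a production system would learn them from far more data and feed the scores into a SIEM rather than print them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login telemetry, not real data: user,timestamp (UTC),country,device,outcome
HISTORY = """\
alice,2019-06-03T08:12:00,US,dev-a1,success
alice,2019-06-04T09:03:00,US,dev-a1,success
alice,2019-06-05T08:47:00,US,dev-a1,success
alice,2019-06-06T17:30:00,US,dev-a1,success
alice,2019-06-07T08:55:00,US,dev-a1,success
bob,2019-06-03T22:10:00,DE,dev-b1,success
bob,2019-06-04T23:05:00,DE,dev-b1,success
bob,2019-06-05T21:40:00,DE,dev-b2,success
bob,2019-06-06T22:15:00,DE,dev-b1,success
"""

NEW_EVENTS = """\
alice,2019-06-10T08:30:00,US,dev-a1,success
alice,2019-06-10T09:05:00,RO,dev-x9,success
bob,2019-06-10T14:00:00,DE,dev-b1,success
bob,2019-06-10T22:00:00,DE,dev-b2,success
"""

# Assumed weights and threshold; a real system would fit these to its own data.
WEIGHTS = {"new-country": 2, "new-device": 1, "off-hours": 1, "impossible-travel": 3}
THRESHOLD = 3
TRAVEL_WINDOW = timedelta(hours=2)   # two logins from different countries this close apart


def parse(text):
    events = []
    for line in text.strip().splitlines():
        user, ts, country, device, outcome = line.split(",")
        events.append({"user": user, "time": datetime.fromisoformat(ts),
                       "country": country, "device": device, "outcome": outcome})
    return events


def build_baselines(history):
    """Per-user sets of countries, devices and login hours seen in the history."""
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for e in history:
        b = base[e["user"]]
        b["countries"].add(e["country"])
        b["devices"].add(e["device"])
        b["hours"].add(e["time"].hour)
    return base


def score_events(history, new_events):
    """Score each new event against its user's baseline and the preceding event."""
    baselines = build_baselines(history)
    new_ids = {id(e) for e in new_events}
    # History is merged into the timeline so the travel check can see the last known login.
    timeline = sorted(history + new_events, key=lambda e: e["time"])
    last_seen = {}
    results = []
    for e in timeline:
        prev = last_seen.get(e["user"])
        last_seen[e["user"]] = e
        if id(e) not in new_ids:
            continue
        reasons = []
        # A user with no history is scored against an empty baseline and so gets flagged.
        b = baselines.get(e["user"], {"countries": set(), "devices": set(), "hours": set()})
        if e["country"] not in b["countries"]:
            reasons.append("new-country")
        if e["device"] not in b["devices"]:
            reasons.append("new-device")
        usual_hours = {(h + d) % 24 for h in b["hours"] for d in (-1, 0, 1)}
        if e["time"].hour not in usual_hours:
            reasons.append("off-hours")
        if prev and prev["country"] != e["country"] and e["time"] - prev["time"] <= TRAVEL_WINDOW:
            reasons.append("impossible-travel")
        score = sum(WEIGHTS[r] for r in reasons)
        results.append({"user": e["user"], "time": e["time"].isoformat(), "score": score,
                        "anomalous": score >= THRESHOLD, "reasons": reasons})
    return results


def run():
    return score_events(parse(HISTORY), parse(NEW_EVENTS))


if __name__ == "__main__":
    for r in run():
        flag = "ALERT" if r["anomalous"] else "ok"
        print(f"{flag:5} {r['user']:6} {r['time']} score={r['score']} {r['reasons']}")
```

The second alice event is what a compromised credential typically looks like: a new country and a new device, 35 minutes after a legitimate login from the usual one. Bob’s afternoon login is merely unusual for him and scores below the threshold, which is the point of weighting signals rather than alerting on any single deviation.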
The democratization of compute and storage through cloud services has enabled data-first commercial and consumer services as well as new business models. With organizations shifting resources and data repositories to the cloud, the security perimeter is no longer constrained to the physical enterprise campus. In addition, the use of cloud increases reliance on third-party relationships, which in turn increases the organization’s risk.