Dark Reading | Commentary
9/18/2015 10:30 AM
Amrit Williams

Visibility: The Key To Security In The Cloud

You can't secure what you can't see. These five best practices will shed some light on how to protect your data from the ground up.

Moving to the cloud can help organizations accelerate IT delivery and drive business agility. But it can also open up gaping security holes, leaving a company exposed to cyberattack. This means any organization operating in the cloud must now be able to answer one question: “Which of my cloud servers are being attacked, and how will I know?”

Unfortunately, the answer isn’t easy to get. Traditional security tools such as firewalls and intrusion detection systems work well within an organization’s four walls, where they sit at a fixed network perimeter, but they don’t help much in the cloud, where there is no such perimeter and workloads are created and destroyed faster than static tooling can track. The elastic, dynamic nature of virtual infrastructure makes it extraordinarily difficult for security teams to see what’s happening there. And without that visibility, it’s impossible for them to enforce consistent policies, detect vulnerabilities, and react quickly to abnormal behavior.

Want help from your cloud provider? That only takes you part of the way. For infrastructure-as-a-service, providers typically don’t protect anything above the hypervisor layer, so security of the workload itself is your responsibility. (The line moves up the stack for platform and software offerings, but it never disappears.) Say you spin up a Windows Server or Red Hat Linux instance in the cloud: patching, hardening, and monitoring that instance is your job, not the cloud vendor’s.

It’s called the “shared responsibility” model, and every major cloud provider advertises it loud and clear. Amazon Web Services puts it this way: “While AWS manages security of the cloud, security in the cloud is the responsibility of the customer. Customers retain control of what security they choose to implement to protect their own content, platform, applications, systems and networks, no differently than they would for applications in an on-site datacenter.”

Seems straightforward enough, but many customers are still confused. They assume that because Amazon has all these great tools for protecting them up to the hypervisor, they’re completely secure. What they don’t realize is that the security of the instances they spin up will always be their responsibility. Whether you’re operating in the public cloud or in a traditional datacenter, the critical control objectives you need to maintain, including data protection and threat management, do not change.

The consequences of weak cloud security can be dramatic. Recall Code Spaces, a source-code hosting business that was forced to shut down in 2014 after an attacker gained control of its AWS management console. The attacker demanded a ransom, which Code Spaces refused to pay, and then deleted the company’s data, machine configurations, and backups, effectively destroying the company. Backups that live in the same account, reachable with the same credentials, offer no protection against an attacker who holds those credentials.

This is the quandary of protecting yourself in the cloud: you can’t secure what you can’t see. Gaining real-time visibility is therefore paramount, especially for organizations looking to leverage the many advantages of cloud infrastructure. And the situation grows more complex as an organization uses more clouds, public, private, or hybrid, and combines them with its internal datacenters, which aren’t going away anytime soon.

So how do you get visibility in the cloud and ensure that you’re secure? Start by accepting that security is your responsibility, then adhere to these five best practices.

1.  Continuous visibility. Know what’s going on with your infrastructure, applications, data, and users at all times. Because modern virtual infrastructure is automated, elastic, and on-demand, instances appear and disappear in minutes, so a periodic scan or a hand-maintained asset list falls out of date almost immediately. Visibility has to be continuous, and it starts with reconciling what is actually running against what you believe you own. By knowing what you’ve got and what it’s doing at all times, you can limit your attack surface and mitigate risk.

2.  Exposure management. This means adding context to your visibility. Once you can see what is running, you can eliminate the obvious, known weaknesses in your environment, such as unpatched instances, stale machine images, and out-of-date workstations and mobile devices, and tell which exposures matter most because they sit on assets that face the internet or hold sensitive data.

3.  Strong access control. Weak access control has been behind a number of high-profile breaches, including the notorious Ashley Madison hack. Ashley Madison’s CEO has said that the perpetrator was an insider, probably a third-party contractor, who had been granted far more access than necessary. So make sure you have appropriate access management and privilege monitoring in place: grant each identity only the permissions its job needs, and continuously monitor user activity for deviations from corporate policy.

4.  Data protection. This is another essential. Protect data at rest and data in motion, using encryption with keys you control, and add data loss prevention (DLP) controls so that, if an instance is compromised, sensitive data leaving your network is detected and, where possible, blocked rather than silently exfiltrated.

5.  Compromise management. Accept that even the most stringent security practices can’t prevent every breach. They will happen, so prepare to contain them when they do. Put processes and technologies in place that let you react quickly and subdue a breach before it gets out of control. Write the action plan before the breach happens, including who can revoke credentials and how you restore from backups the attacker could not reach, and follow it as soon as a breach is detected.
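The five practices above are easier to reason about with something concrete to run them against. The script below is an added example, not code from the article or from CloudPassage: it takes a constructed inventory snapshot (practices 1, 2 and 4) and a constructed activity log (practices 3 and 5) and turns them into findings. The field names, the asset register, the per-identity approved action sets, the management-port list and the burst threshold are all assumptions made for the example and do not reflect any provider’s real schema or API.

```python
"""Added example: turning a cloud inventory snapshot and an activity log into findings.

Not code from the article or from CloudPassage. All data below is constructed for
the example; field names, the asset register, approved-action sets and thresholds
are assumptions, not any cloud provider's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# --- Constructed inventory snapshot (practices 1, 2, 4) -----------------------
# One dict per running instance, with the facts the checks need: who may reach
# it, whether its disk is encrypted, and what its attached role may do.
INVENTORY = [
    {"id": "i-0a1", "ingress": [("0.0.0.0/0", 443)], "encrypted": True,
     "role_actions": ["s3:GetObject"]},
    {"id": "i-0b2", "ingress": [("0.0.0.0/0", 22)], "encrypted": True,
     "role_actions": ["ec2:Describe*"]},
    {"id": "i-0c3", "ingress": [("10.0.0.0/8", 22)], "encrypted": False,
     "role_actions": ["*"]},
]
# The asset register (CMDB): instance id -> owning team. Anything running that is
# not here is unaccounted for; anything here that is not running may have been
# terminated without anyone noticing.
EXPECTED = {"i-0a1": "web-team", "i-0b2": "infra", "i-0d4": "infra"}

# --- Constructed activity log (practices 3, 5) ---------------------------------
# Shape loosely follows an audit-trail export: who, what, when, and whether MFA
# was used on a console login.
T0 = datetime(2015, 9, 18, 9, 0)
EVENTS = [
    {"user": "deploy-bot", "action": "RunInstances", "time": T0},
    {"user": "contractor", "action": "ConsoleLogin", "time": T0 + timedelta(minutes=1), "mfa": False},
    {"user": "contractor", "action": "DescribeInstances", "time": T0 + timedelta(minutes=2)},
    {"user": "contractor", "action": "DeleteVolume", "time": T0 + timedelta(minutes=3)},
    {"user": "contractor", "action": "DeleteSnapshot", "time": T0 + timedelta(minutes=4)},
    {"user": "contractor", "action": "TerminateInstances", "time": T0 + timedelta(minutes=5)},
    {"user": "backup-admin", "action": "DeleteSnapshot", "time": T0 + timedelta(minutes=30)},
]
# Approved actions per identity: the least-privilege baseline that deviations
# are measured against (assumed for the example).
ALLOWED = {
    "deploy-bot": {"RunInstances", "DescribeInstances"},
    "contractor": {"DescribeInstances"},
    "backup-admin": {"CreateSnapshot", "DeleteSnapshot"},
}

MGMT_PORTS = {22, 3389}
DESTRUCTIVE = {"TerminateInstances", "DeleteVolume", "DeleteSnapshot", "DeleteBucket"}


def inventory_findings(inventory, expected):
    """Reconcile running instances with the register, then add exposure context."""
    findings = []
    running = {inst["id"] for inst in inventory}
    for inst in inventory:
        iid = inst["id"]
        if iid not in expected:
            findings.append((iid, "running but absent from asset register"))
        for cidr, port in inst["ingress"]:
            if cidr == "0.0.0.0/0" and port in MGMT_PORTS:
                findings.append((iid, f"management port {port} open to the internet"))
        if any(a == "*" or a.endswith(":*") for a in inst["role_actions"]):
            findings.append((iid, "attached role grants wildcard actions"))
        if not inst["encrypted"]:
            findings.append((iid, "volume not encrypted at rest"))
    for iid in expected:
        if iid not in running:
            findings.append((iid, "in asset register but not running"))
    return findings


def activity_findings(events, allowed, window=timedelta(minutes=10), burst=3):
    """Flag MFA-less console logins, calls outside an identity's approved set,
    and `burst` destructive calls by one identity inside `window` (alerted once)."""
    findings = []
    destructive_times = defaultdict(list)
    alerted = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        user, action, t = ev["user"], ev["action"], ev["time"]
        if action == "ConsoleLogin":
            if not ev.get("mfa", False):
                findings.append((user, "console login without MFA"))
            continue
        if action not in allowed.get(user, set()):
            findings.append((user, f"{action} outside approved actions"))
        if action in DESTRUCTIVE:
            # Keep only the calls that still fall inside the sliding window.
            recent = [x for x in destructive_times[user] if t - x <= window] + [t]
            destructive_times[user] = recent
            if len(recent) >= burst and user not in alerted:
                alerted.add(user)
                findings.append((user, f"{burst} destructive calls within {window}"))
    return findings


if __name__ == "__main__":
    for scope, found in (("inventory", inventory_findings(INVENTORY, EXPECTED)),
                         ("activity", activity_findings(EVENTS, ALLOWED))):
        print(f"== {scope} ==")
        for subject, issue in found:
            print(f"{subject}: {issue}")
```

Run against the constructed data, the inventory pass reports the bastion’s SSH port open to the world, an instance nobody registered that also carries a wildcard role and an unencrypted volume, and a registered instance that is no longer running; the activity pass reports the contractor’s console login without MFA, three calls outside that identity’s approved set, and a burst of destructive calls, while the backup administrator’s approved snapshot deletion raises nothing. In a real deployment the two input lists would be fed from the provider’s inventory and audit-trail exports on a schedule short enough to match how fast instances churn.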

If you can’t quickly and accurately see what’s going on across your entire infrastructure at all times, you risk not knowing that you’re being attacked or compromised until it is too late to react. It’s no use showing up with a hose after your network has been burned to the ground. You need continuous visibility, backed by comprehensive security functions. These are critical steps toward improving your security posture, especially when you’re dealing with the dynamic, elastic nature of modern cloud computing environments.

Amrit Williams has over 20 years of experience in information security and is currently the chief technology officer of CloudPassage. Amrit has held a variety of engineering, management and consulting positions prior to joining CloudPassage. Previously, Williams was the ...
Comments

RyanSepe,
User Rank: Ninja
9/21/2015 | 10:42:25 AM
CASB
Your five best practices are best encapsulated by a Cloud App Security Broker. It will help you identify shadow IT as well as authorized apps and define policies for your ecosystem. You can do this based on app or, an even better practice, by action (Save, Upload, Share, etc.).
Enrico Fontan,
User Rank: Strategist
9/21/2015 | 3:09:42 AM
IT cannot outsource accountability
I agree with your tips. Compromise management, that's a good point to start with.

Looking at the "Code Spaces" issue, we can understand something about role-based access control and business continuity.

First, a company with a cloud-provider-based infrastructure should have several accounts to manage segregation of duties and protect data (backup administrators, VM administrators, ...). With such segregation, a possible attack on the cloud instance administrator panel can be mitigated.

And what about the 3-2-1 backup rule? Three backup copies, on two different media, with one offsite.

Company IT has to look at several IT security aspects because IT always has the accountability for everything. It's not possible to outsource it.