Securing the cloud: new data points the way
Reports show major differences in risk among public, private and hybrid cloud deployments. Here is advice on the tools, information and organisational structure needed to execute a successful cloud security strategy.
30 June 2020
The march toward the cloud for data and services has many companies rethinking their approach to cybersecurity. Do they need a new cloud security strategy? Recent surveys have shed light on how security strategies are changing, and more important, how they should change.
Placing more IT infrastructure in the cloud is in some ways more secure than having it in house. For instance, you can be reasonably sure that the system is running the latest version with the proper patches in place. Cloud service providers are also building in new capabilities such as using machine learning for anomaly detection. However, the cloud also presents new risks, some of which are the result of misunderstanding how to manage cloud security.
It is important to know how a company’s cloud IT strategy – whether it is hybrid, private hosted, or public – affects its cyber security strategy and the tactical execution of that strategy.
What sensitive data is in the cloud?
In October 2018, McAfee released its Cloud Adoption and Risk Report 2019. That research showed that sharing of sensitive data over the cloud increased by 53% over the previous year – a huge jump. Of all files in the cloud, 21% contain sensitive data, McAfee found, and 48% of those files are eventually shared.
That sensitive data includes company confidential data (27%), email data (20%), password-protected data (17%), personally identifiable information (PII) (16%), payment data (12%) and personal health data (9%). The risk associated with confidential data in the cloud is growing, as companies are trusting it to the cloud more. Twenty-eight per cent more confidential data was placed on the cloud over the previous year, according to McAfee.
With so much sensitive data in the cloud and being shared via the cloud, theft by hacking is not the only risk. McAfee found that enterprises have an average of 14 misconfigured infrastructure-as-a-service (IaaS) instances running, resulting in an average of 2,200 misconfiguration incidents a month where data is exposed to the public.
What is the cloud security risk?
Data from cloud security provider Alert Logic shows the nature and volume of risk for each form of cloud environment as compared to an on-premises data centre. For 18 months, the company analysed 147 petabytes of data from more than 3,800 customers to quantify and categorise security incidents. During that time, it identified more than 2.2 million true positive security incidents. Key findings include:
- Hybrid cloud environments experienced the highest average number of incidents per customer at 977, followed by hosted private cloud (684), on-premises data centre (612), and public cloud (405).
- By far, the most common type of incident was a web application attack (75%), followed by brute force attack (16%), recon (5%), and server-side ransomware (2%).
- The most common vectors for web application attacks were SQL (47.74%), Joomla (26.11%), Apache Struts (10.11%), and Magento (6.98%).
- WordPress was the most common brute force target at 41%, followed by MS SQL at 19%.
Whether it is a public, private or hybrid cloud environment, web application threats are dominant. What is different among them is the level of risk you face. “As defenders, at Alert Logic our ability to effectively protect public cloud is higher as well, because we see a better signal-to-noise ratio and chase fewer noisy attacks,” says Misha Govshteyn, co-founder of Alert Logic. “When we see security incidents in public cloud environments, we know we have to pay attention, because they are generally quieter.”
The data shows that some platforms are more vulnerable than others. “This increases your attack surface despite your best efforts,” says Govshteyn. As an example he notes that “despite popular belief,” the LAMP stack has been much more vulnerable than the Microsoft-based application stack. He also sees PHP applications as a hotspot.
“Content management systems, especially WordPress, Joomla and Django, are used as platforms for web applications far more than most people realise and have numerous vulnerabilities,” says Govshteyn. “It’s possible to keep these systems secure, but only if you understand what web frameworks and platforms your development teams tend to use. Most security people barely pay attention to these details, and make decisions based on bad assumptions.”
To minimise the impact from cloud threats, Alert Logic has three primary recommendations:
- Rely on application whitelisting and block access to unknown programs. This includes doing risk vs. value assessments for each app used in the organisation.
- Understand your own patching process and prioritise deployment of patches.
- Restrict administrative and access privileges based on current user duties. This will require keeping privileges for both applications and operating systems up to date.
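The misconfigured IaaS instances McAfee counts above and the privilege restriction Alert Logic recommends are both things a defender can check mechanically against a configuration snapshot. The following audit is an added example written for this article, not code from McAfee, Alert Logic or any cloud provider; the snapshot layout, resource ids, ARNs and the account id are constructed, and the list of administrative ports is an assumption. It flags three of the misconfiguration classes discussed: security groups that admit the whole internet on administrative or database ports, storage policies that grant access to any principal, and identity policies whose actions are wildcards rather than scoped to a duty.

```python
"""Audit a constructed cloud configuration snapshot for three misconfiguration
classes: network rules open to the whole internet on sensitive ports, storage
readable by anyone, and identities holding far more privilege than their
duties need. The snapshot layout, ids and ARNs are invented for this example
and are not a provider's real API output."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Administrative and database ports that should never be world-reachable (assumed list).
ADMIN_PORTS = {22, 3389, 1433, 3306, 5432, 27017}


@dataclass(frozen=True)
class Finding:
    resource: str
    issue: str
    severity: str  # "high" or "medium"


def _as_list(value):
    """Policy fields such as Statement/Action/Resource may be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_world(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a rule that admits every address."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def _is_public_principal(principal) -> bool:
    """'*' or {'AWS': '*'} style principals grant access to anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def audit_security_groups(groups: list[dict]) -> list[Finding]:
    """Flag ingress rules that expose an admin/database port to the whole internet."""
    findings = []
    for sg in groups:
        for rule in sg.get("ingress", []):
            if not _is_world(rule["cidr"]):
                continue
            ports = range(rule.get("from_port", 0), rule.get("to_port", 65535) + 1)
            exposed = sorted(p for p in ADMIN_PORTS if p in ports)
            if exposed:
                findings.append(Finding(sg["id"], f"admin ports {exposed} open to the world", "high"))
    return findings


def audit_storage_policies(buckets: list[dict]) -> list[Finding]:
    """Flag bucket policies with an Allow statement for any principal."""
    findings = []
    for bucket in buckets:
        for stmt in _as_list(bucket.get("policy", {}).get("Statement")):
            if stmt.get("Effect") == "Allow" and _is_public_principal(stmt.get("Principal")):
                findings.append(Finding(bucket["name"], "policy grants access to any principal", "high"))
                break
    return findings


def audit_iam_policies(policies: list[dict]) -> list[Finding]:
    """Flag Allow statements whose actions are wildcards (least-privilege violations)."""
    findings = []
    for policy in policies:
        for stmt in _as_list(policy.get("Statement")):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action"))
            resources = _as_list(stmt.get("Resource"))
            if "*" in actions and "*" in resources:
                findings.append(Finding(policy["name"], "Action '*' on Resource '*' (full admin)", "high"))
            elif any(a.endswith(":*") for a in actions):
                findings.append(Finding(policy["name"], "service-wide action wildcard", "medium"))
    return findings


def audit(snapshot: dict) -> list[Finding]:
    """Run all three audits over one snapshot and return the combined findings."""
    return (audit_security_groups(snapshot.get("security_groups", []))
            + audit_storage_policies(snapshot.get("buckets", []))
            + audit_iam_policies(snapshot.get("iam_policies", [])))


# Constructed snapshot: two bad security groups, one public bucket, two over-broad policies.
SAMPLE_SNAPSHOT = {
    "security_groups": [
        {"id": "sg-web", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
        {"id": "sg-db", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 3306, "to_port": 3306}]},
        {"id": "sg-ops", "ingress": [{"cidr": "10.0.0.0/8", "from_port": 22, "to_port": 22}]},
        {"id": "sg-legacy", "ingress": [{"cidr": "::/0", "from_port": 0, "to_port": 65535}]},
    ],
    "buckets": [
        {"name": "customer-exports", "policy": {"Statement": {"Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"}}},
        {"name": "app-logs", "policy": {"Statement": [{"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/log-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-logs/*"}]}},
    ],
    "iam_policies": [
        {"name": "ci-deploy", "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        {"name": "report-reader", "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::reports/*"}]},
        {"name": "dev-sandbox", "Statement": [{"Effect": "Allow", "Action": "ec2:*",
         "Resource": "arn:aws:ec2:eu-west-1:123456789012:instance/*"}]},
    ],
}

if __name__ == "__main__":
    for f in audit(SAMPLE_SNAPSHOT):
        print(f"[{f.severity}] {f.resource}: {f.issue}")
```

Run against the constructed snapshot, the audit reports `sg-db` and `sg-legacy` (world-open database and all-ports rules), `customer-exports` (public principal), `ci-deploy` (full admin) and `dev-sandbox` (service-wide wildcard), while `sg-web`, `sg-ops`, `app-logs` and `report-reader` pass. In practice the snapshot would come from the provider's inventory API, and the admin-port list and severity mapping would be tuned to the organisation's own risk-vs-value assessment of each application.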
How the cloud is compromised
Threat actors are always refining the techniques they use to attack the cloud. In June 2020, IBM Security reported on data from its X-Force IRIS incident response activity showing the most common ways cloud environments are compromised. In many cases, attackers used a combination of the following techniques, according to the report.
Exploiting cloud applications
Remote exploitation of cloud applications was the infection vector 45% of the time, according to the IBM researchers. They attributed the popularity of this vector to a lack of cloud maturity at some organisations and the prevalence of shadow IT, which can expand the attack surface.
Many of the issues associated with cloud applications are not well catalogued, according to the report, in part because cloud product vulnerabilities were outside the scope of traditional CVEs until this year. Without public disclosure of vulnerabilities, it’s difficult for security teams to assess risk and take the proper precautions.
Misconfigured cloud environments
Misconfigured cloud servers allowed attackers to access more than 1 billion records in 2019, according to IBM’s 2020 X-Force Threat Intelligence Index. That does not count data that was exposed but not stolen.
Once an attacker compromises one cloud environment, they might use that trusted connection to move laterally to other clouds to access data or plant malware. This attack can be difficult to detect because the threat actors can hide their activity within regular operational activity. “This cross-cloud compromise can be especially insidious, as cloud environments, especially large public clouds, often have high volumes of communication and can make this type of infection more difficult to detect,” said the authors of IBM’s cloud threat report.
IBM found that some threat actors tried to gain privileged access by accessing the underlying cloud hardware. With the swimming upstream approach, attackers first compromise the cloud environment to gain access to the host. From there, they try to access the management system to move among client environments.
As with cross-cloud compromise, swimming upstream attacks can be difficult to detect because they look like legitimate administration activity. The report’s authors cited the Perfect 10.0 Microsoft flaw as an example of how attackers might exploit a vulnerability to carry out a swimming upstream attack.
How to secure the cloud
According to a survey by market researcher VansonBourne and sponsored by network monitoring solutions provider Gigamon, 73% of respondents expect the majority of their application workloads to be in the public or private cloud. Yet, 35% of those respondents expect to handle network security in “exactly the same manner” as they do for their on-premises operations. The remainder, while reluctant to change, believe they have no choice but to change their security strategy for the cloud.
Granted, not every company is migrating sensitive or critical data to the cloud, so for them there is less reason to change strategy. However, most companies are migrating critical and proprietary company information (56%) or marketing assets (53%). Forty-seven percent expect to have personally identifiable information in the cloud, which has implications due to new privacy regulations such as GDPR.
Companies should focus on three main areas for their cloud security strategy, according to Govshteyn:
- Tools. The security tools you deploy in cloud environments must be native to the cloud and able to protect web applications and cloud workloads. “Security technologies formulated for endpoint protection are focused on a set of attack vectors not commonly seen in the cloud, and are ill equipped to deal with OWASP Top 10 threats, which constitute 75% of all cloud attacks,” says Govshteyn. He notes that endpoint threats target web browsers and client software, while infrastructure threats target servers and application frameworks.
- Architecture. Define your architecture around the security and management benefits offered by the cloud, not the same architecture you use in your traditional data centres. “We now have data showing that pure public environments allow enterprises to experience lower incident rates, but this is only achievable if you use cloud capabilities to design more secure infrastructure,” says Govshteyn. He recommends that you isolate each application or micro-service in its own virtual private cloud, which reduces the blast radius of any intrusion. “Major breaches such as Yahoo began with trivial web applications as the initial entry vector, so the least important applications often become your biggest problem.” Also, don’t patch vulnerabilities in your cloud deployments. Instead, deploy new cloud infrastructure running the most recent code and decommission your old infrastructure. “You can only do this if you automate your deployments, but you will gain the level of control over your infrastructure you could never achieve in traditional data centres,” says Govshteyn.
- Connection points. Identify points where your cloud deployments are interconnected to traditional data centres running legacy code. “Those are likely to be your biggest source of problems, as we see a clear trend that hybrid cloud deployments tend to see most security incidents,” he says.
Not everything about a company’s existing security strategy has to change for the cloud. “Using the same security strategy–for example, deep content inspection for forensics and threat detection–for cloud as on-premises is not a bad idea by itself. Companies pursuing this are typically looking for consistency between their security architectures to limit gaps in their security posture,” says Tom Clavel, senior manager of product marketing at Gigamon.
“The challenge is how they get access to the network traffic for this kind of inspection,” Clavel adds. “While this data is readily available on-premises using a variety of ways, it is unavailable in the cloud. Plus, even if they get access to the traffic, backhauling the firehose of information to the on-premises tools for inspection, without the intelligence is extremely expensive and counter-productive.”
The cloud’s visibility issues
One complaint that the VansonBourne respondents had was that the cloud can create blindspots within the security landscape. Overall, half said the cloud can “hide” information that enables them to identify threats. They also said that with the cloud they are missing information on what is being encrypted (48%), insecure applications or traffic (47%), or SSL/TLS certificate validity (35%).
A survey conducted by the Cloud Security Alliance (CSA) from December 2018 to February 2019 showed that cloud environments are becoming more complex, leading to more visibility issues. Of all respondents, 66% said their organisations used multiple clouds while 55% worked in a hybrid cloud environment. Thirty-six percent had both multi-cloud and hybrid cloud environments.
Nearly three-quarters of the CSA survey respondents that used the cloud reported a lack of expertise hampered their ability to manage security on the cloud. For example, most respondents who reported a cloud outage did not know the cause. CSA speculated that this was due to visibility issues and lack of security expertise.
It’s not just data that security teams have limited visibility into. Sixty-seven percent of the VansonBourne respondents said that network blindspots were a hindrance to them protecting their organisation. To gain better visibility, Clavel recommends that you first identify how you want to organise and implement your security posture. “Is it all within the cloud or extended from on-premises to the cloud? In both cases, make sure pervasive visibility to your application’s network traffic is central to your security strategy. The more you see, the more you can secure,” he says.
“To address the visibility needs, identify a way to acquire, aggregate and optimise the network traffic to your security tools, whether they are an intrusion detection system (IDS), security information and event management (SIEM), forensics, data loss prevention (DLP), advanced threat detection (ATD), or to all of them concurrently,” Clavel adds. “Finally, add SecOps procedures to automate visibility and security against detected threats even as your cloud footprint grows.”
Regulatory compliance a concern for the cloud
These blindspots and low information visibility could create privacy and other regulatory compliance issues. Sixty-six percent of VansonBourne respondents say lack of visibility will make GDPR compliance difficult.
The CSA survey also addressed compliance issues, particularly around ownership of security and compliance. Only 16% said they had a dedicated cloud security team, while 79% said IT was responsible for cloud security.
Most respondents (57%) were concerned about regulatory compliance regarding cloud services, and the report’s authors noted that there is ambiguity over how organisations leverage cloud platforms for compliance. That would seem to be an argument for giving ownership of cloud security and compliance to a specialised group that understands the technology and requirements.
Will machine learning help?
Cloud service providers are working to improve customers’ ability to identify and address potential threats. Amazon Web Services (AWS), for example, announced two services in 2017 that rely on machine learning to protect customer assets.
In August, AWS announced its Macie service, focused mainly on PCI, HIPAA, and GDPR compliance. It trains on the users’ content in Amazon S3 buckets and alerts customers when it detects suspicious activity. AWS GuardDuty, announced in November, uses machine learning to analyse AWS CloudTrail, VPC Flow Logs, and AWS DNS logs. Like Macie, GuardDuty focuses on anomaly detection to alert customers to suspicious activity.
The effectiveness of machine learning depends on models, which consist of an algorithm and training data. The model is only as good as the data it’s trained on; any event that falls outside the data in the model will likely not be detected by a service like Macie or GuardDuty.
That said, a cloud security provider like AWS will have a much richer data set to work with than any individual customer would. AWS has visibility across its entire network, making it much easier to train its machine learning model on what is normal and what might be malicious. However, customers need to understand that machine learning will not detect threats that fall outside the training data in the machine learning model. They cannot rely on services like Macie and GuardDuty alone.
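To make the “only as good as its training data” point concrete, here is an added example (written for this article, not GuardDuty’s or any AWS algorithm) of the simplest form of anomaly detection over VPC Flow Logs, one of the three sources the text says GuardDuty analyses. It builds a per-source baseline of accepted outbound bytes per hour and the destination ports each source has used, then scores a later window against that baseline. The log lines follow the documented default flow-log field order; the addresses, volumes, interface id, account id and timestamps are constructed, and the window size, the 3-sigma rule and the variance floor are design assumptions.

```python
"""Baseline-and-deviation detection over VPC flow log records. A simplified
illustration of the anomaly-detection idea, not GuardDuty's algorithm. Log
lines use the default flow-log field order; addresses, volumes and ids are
constructed for this example."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Default VPC flow log field order (version 2 records).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
WINDOW = 3600  # assumed baseline granularity: one hour


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dstport: int
    nbytes: int
    start: int
    action: str


def parse_flow(line: str) -> Flow:
    """Parse one space-separated flow log record into a Flow."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    return Flow(rec["srcaddr"], rec["dstaddr"], int(rec["dstport"]),
                int(rec["bytes"]), int(rec["start"]), rec["action"])


def bytes_per_window(flows: list[Flow]) -> dict[str, dict[int, int]]:
    """src -> {window_start -> total accepted bytes}; rejected flows are ignored."""
    totals: dict[str, dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.action == "ACCEPT":
            totals[f.src][f.start // WINDOW * WINDOW] += f.nbytes
    return totals


class Baseline:
    """What 'normal' looks like per source: byte volume statistics and ports used."""

    def __init__(self, flows: list[Flow]):
        self.stats: dict[str, tuple[float, float]] = {}
        self.ports: dict[str, set[int]] = defaultdict(set)
        for src, windows in bytes_per_window(flows).items():
            vals = list(windows.values())
            self.stats[src] = (mean(vals), pstdev(vals) if len(vals) > 1 else 0.0)
        for f in flows:
            if f.action == "ACCEPT":
                self.ports[f.src].add(f.dstport)

    def score(self, flows: list[Flow], k: float = 3.0, floor: float = 0.1) -> list[str]:
        """Alert on unseen sources, volume above mean + k*sigma, and first-seen ports.
        The variance floor (floor * mean) stops a flat baseline from alerting on noise."""
        alerts = []
        for src, windows in bytes_per_window(flows).items():
            if src not in self.stats:
                alerts.append(f"{src}: no baseline (unseen source)")
                continue
            mu, sigma = self.stats[src]
            threshold = mu + k * max(sigma, floor * mu)
            for start, total in sorted(windows.items()):
                if total > threshold:
                    alerts.append(f"{src}: {total} bytes in window {start} exceeds baseline {threshold:.0f}")
        seen = set()
        for f in flows:
            if f.action == "ACCEPT" and f.src in self.ports and f.dstport not in self.ports[f.src]:
                if (f.src, f.dstport) not in seen:
                    seen.add((f.src, f.dstport))
                    alerts.append(f"{f.src}: first-seen destination port {f.dstport} ({f.dst})")
        return alerts


def build_baseline(lines: list[str]) -> Baseline:
    return Baseline([parse_flow(l) for l in lines])


def detect(baseline: Baseline, lines: list[str]) -> list[str]:
    return baseline.score([parse_flow(l) for l in lines])


# --- constructed sample data ------------------------------------------------
def _line(src, dst, dstport, nbytes, start, action="ACCEPT"):
    return f"2 123456789010 eni-0a1b2c3d {src} {dst} 49152 {dstport} 6 20 {nbytes} {start} {start + 60} {action} OK"

T0 = 1418529600  # constructed epoch, aligned to an hour boundary
TRAINING_LINES = (
    [_line("10.0.1.10", "10.0.2.5", 443, b, T0 + i * WINDOW + 10)
     for i, b in enumerate([4000, 4200, 3900, 4100, 4050, 3950])]
    + [_line("10.0.1.11", "10.0.2.5", 53 if i % 2 else 443, b, T0 + i * WINDOW + 20)
       for i, b in enumerate([1500, 1600, 1450, 1550, 1500, 1400])]
    + [_line("198.51.100.9", "10.0.1.10", 22, 60, T0 + 30, "REJECT")]
)
LIVE_LINES = [
    _line("10.0.1.10", "203.0.113.7", 8443, 950_000, T0 + 6 * WINDOW + 5),  # burst to a new port
    _line("10.0.1.11", "10.0.2.5", 443, 1480, T0 + 6 * WINDOW + 15),        # normal
    _line("10.0.1.99", "10.0.2.5", 443, 900, T0 + 6 * WINDOW + 25),         # never seen before
]
# Same shape as the baseline: a known port and a volume just under the threshold.
LOW_AND_SLOW_LINES = [_line("10.0.1.10", "203.0.113.7", 443, 5000, T0 + 7 * WINDOW + 5)]

if __name__ == "__main__":
    base = build_baseline(TRAINING_LINES)
    print("\n".join(detect(base, LIVE_LINES)) or "no alerts")
    print(detect(base, LOW_AND_SLOW_LINES) or "low-and-slow window: no alerts")
```

The live window produces three alerts (the 950,000-byte burst, the first-seen port 8443, and the unknown source 10.0.1.99). The low-and-slow window produces none: its port is already in the baseline and its volume sits under the threshold, even though the destination is an outside address the source has never spoken to. That is the limit the text describes: the detector only knows the shape of what it was trained on, so it is one input to a SOC, not a substitute for the other controls on this page.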
Who owns cloud security?
Given what’s at stake, it’s no surprise that 62% of respondents expressed a desire for their security operations centres (SOCs) to control network traffic and data to ensure adequate protection in a cloud environment. Half of them would settle for awareness of network traffic and data.
Gaining control or even full visibility might be a challenge for many organisations due to the structure of the groups that manage the cloud environment. While security operations are responsible for cloud security at 69% of the respondents’ organisations, cloud operations (54%) or network operations are also involved. This has resulted in confusion over who is taking the lead for cloud security and how teams should collaborate. In fact, 48% of respondents said that lack of collaboration among teams is the biggest roadblock to identifying and reporting a breach.
“Often, companies split responsibilities among the network, security and cloud,” says Clavel. “Each have distinct budgets, distinct ownership, and even distinct tools to manage these areas. Gaining visibility into the cloud to secure it requires breaking down the communication walls among these three organisations. The same security tools that are deployed on-premise will be able to also secure the cloud – so cloud and security teams need to communicate.”
What type of person should take point on the organisation’s cloud security? It will need to be someone or a team with the right skills and ability to commit long term. “Find the person or the team able to move toward the new cloud security paradigms fastest, and allow them to build your security strategy for the next three to five years,” says Govshteyn.
“In the last few years, this tends to be the IT operations team or an enterprise security team, but there is always an architect-level individual contributor or dedicated cloud security team at the core of this effort. This new breed of security professional can write code, spend more than 80% of their time automating their jobs, and view the development teams as their peers, rather than adversaries,” says Govshteyn, adding that at technology companies security is sometimes a function of the engineering team.
Although boards of directors are taking great interest in security these days, they won’t help at the ground level. “In reality, much of the critical decision making when it comes to cloud security today comes from technologists able to keep up with rapid pace of change in public cloud,” he says.
Further complicating the task of securing the cloud for more than half (53%) of the respondents is the fact that their organisations have not implemented a cloud strategy or framework. While nearly all those organisations plan to do so in the future, it’s not clear who is leading that initiative.
“Security and monitoring tools will also be able to leverage the same security delivery platform for more flexibility – so network, security and cloud need to also agree to share the responsibility of the security delivery platform,” says Clavel. “Companies that consolidate their security and monitoring activities – as part of the SOC – or at least to establish common budgets and shared ownership of a security delivery platform, are rewarded with better flexibility, faster decision making, and consistent security across on-premises and cloud deployments.”
IDG News Service