Insights by Secon
You’re going “cloud first.” Have you made sure it’s secure?
by Andrew Gogarty, Chief Security Evangelist
What does “cloud first” actually mean?
A growing number of organisations are now exploiting the benefits of moving to the cloud, and for many of them this move was accelerated to ensure business continuity during the pandemic.
But before we consider the implications on resilience and security, let’s break down what’s typically in scope when organisations are adopting a “cloud first” strategy. The NCSC has broken down cloud into three main areas:
• Infrastructure as a Service (IaaS)
• Platform as a Service (PaaS)
• Software as a Service (SaaS)
For more detail about the risks associated with each of these service models, see the NCSC's cloud security guidance.
To further simplify and consolidate things for the purpose of this article, let's break cloud into two distinct areas:
Workloads - Infrastructure moving to the cloud, e.g. servers, in-house applications, and databases (IaaS and PaaS)
Applications - Cloud applications “as a service,” e.g. Salesforce, O365, and ServiceNow (SaaS)
Both areas help with operational efficiencies, but the security fundamentals remain the same: you have data required to operate your organisation, and you have people/applications/services that require access to that data.
When moving to the cloud, security is still incumbent on the owners of the data in the cloud
Source: The National Cyber Security Centre (www.ncsc.gov.uk)
As with securing on-premise environments, to ensure effective resilience against cyber attacks, you need visibility and control over the security of data and the access to that data.
According to a recent report by Gartner, it is estimated that through to 2023, at least 99% of cloud security failures will be the customer's fault. The report goes on to outline two of the main causes of cloud security breaches:
Misconfiguration: “50% of enterprises will unknowingly and mistakenly have exposed some IaaS storage services, network segments, applications or APIs directly to the public internet.”
Access: “75% of security failures will result from inadequate management of identities, access, and privileges.”
A key driver fuelling these causes is ultimately a lack of visibility of cloud usage within organisations. Without visibility it is impossible to ensure you have effective controls in place.
The flexibility of cloud enables anyone in an organisation with web access and a credit card to sign up for a cloud platform or application that has not been sanctioned by the organisation. This represents a real challenge for security teams in securing data and is often referred to as shadow IT.
How to address the problem
As with most cyber security challenges, the solution requires a combination of policy, tooling, process, and people to ensure consistency of visibility and control across all cloud applications and cloud workloads, both ones sanctioned by the organisation and shadow IT.
This article aims to serve as guidance for improving cloud security maturity, but it needs to be noted that for this approach to be effective, it must be incorporated into a wider security plan that addresses other cyber security best practices such as end user device security and email security. A holistic approach to cloud is required that starts with a well-defined cloud security strategy encompassing the following:
• Understanding what your critical data is and where it is stored.
• Understanding who and what services have access to the data and how it’s being accessed.
• Defining your security, compliance and regulatory requirements for storing and processing data.
• Rationalising on the right set of controls for complete visibility and control to meet requirements.
• Establishing a security baseline for all your cloud environments.
• Establishing a target state and roadmap to serve as a benchmark to ensure ongoing governance.
• Monitoring 24x7 to be able to identify and respond to anomalous activity.
According to the NCSC, regardless of the type of service being consumed, the following recommendations should be considered:
• SaaS offerings should be centrally managed and users given the correct level of access.
• SaaS offerings should be accessed using up-to-date and regularly patched software.
• Devices accessing the SaaS offering should be configured in line with the NCSC EUD Guidance.
• User accounts on the service should be suspended when no longer required.
• Audit logs should be monitored and any suspicious activity investigated.
• SaaS providers should publish their security claims in a publicly accessible and easy-to-find location.
The diagram below shows the key areas for consideration if you want to realise centralised visibility and control over cloud applications to reduce the risk of a cloud data breach.
Cloud workloads (IaaS and PaaS)
According to Gartner, "By 2021, 50% of enterprises will unknowingly and mistakenly have some IaaS storage services, network segments, applications or APIs directly exposed to the public internet, up from 25% at year-end 2018." In their report, 5 Things You Must Absolutely Get Right for Secure IaaS and PaaS, Gartner outlines the following guiding principles to consider when securing cloud workloads: proper use of identity and access management permissions, the importance of data encryption, application of zero-trust network access to reduce risk exposure, implementation of cloud security posture management tools, and the ability to capture, log and analyse cloud data.
The diagram on the opposite page outlines the key areas for consideration to realise centralised visibility and control over cloud workloads to reduce the risk of a cloud data breach.
Cloud Applications
(SaaS - e.g. Salesforce, Workday)
1. Cloud web security gateway
1a. Do you have persistent visibility and control over ALL your users’ web access and traffic?
1b. If YES, does this include remote users, even when not connected to the network via a VPN?
2. Cloud access security broker
2a. Do you have the ability to prevent users from inputting or uploading sensitive data into cloud applications not sanctioned by the business (shadow IT)?
2b. Do you have full visibility and control over who can access sensitive data in your cloud applications?
2c. In the event of a breach, would you be able to prove (with evidence) that no sensitive or PII data had been accessed as a result of the breach?
3. Access (user and device) into cloud applications
3a. Do you have persistent visibility and control to ensure secure access across ALL in-house hosted applications and third party cloud applications?
3b. Are you confident that you are preventing unauthorised access to your environment, both on-premise and in the cloud?
4. Monitoring
4a. Do you monitor all cloud activity 24x7 for suspicious activity (e.g. a user downloading more data than they usually would to undertake their role)?
4b. In the event of a suspected breach, are you confident that you will quickly have the data points required to contain and investigate the entirety of the breach?
Cloud Workloads
(e.g. AWS, Azure)
1. Cloud posture and security management
1a. Do you have visibility over what cloud workload assets you have and that they have definitely been configured securely, without misconfigurations? (e.g. default passwords, exposed services, etc.)
1b. Can you demonstrate that your cloud workloads meet your relevant compliance standards? (e.g. GDPR, PCI, etc.)
2. Cloud workload segmentation
2a. Do you have full visibility and control over east to west network communications with your cloud workload environments?
2b. Can you ensure any new applications deployed to your cloud workloads are appropriately segmented to prevent the risk of lateral movement in the event of a breach?
3. Cloud SecOps
3a. Do you continuously ensure your server workloads have critical and security patches deployed and do you have the ability to demonstrate that to the business or any third parties should it be requested?
3b. Do you monitor your cloud workloads 24x7 for threats to enable you to respond quickly to any threats that could have a negative impact on your organisation?
4. Securing the workloads
4a. Are you protecting your cloud workloads with antivirus, firewalls, and IPS?
4b. Have you locked down your cloud workloads to ensure only the desired applications intended for that workload can run/execute?
5. Access (user and device) into cloud workloads
5a. Do you have persistent visibility and control to ensure secure access across all cloud workloads?
5b. Do you ensure only trusted and secure devices are used to access your cloud workloads?
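To make checklist items 1a (exposed services, misconfigurations) and 2a (east-west traffic) concrete, here is a small posture check over a constructed workload inventory. It is an added example, not Secon's or any vendor's tooling; the resource records, field names and the `sg-web` group reference are made up to mirror a simplified IaaS export, whereas a real CSPM tool would read the provider's API.

```python
"""Minimal CSPM-style posture check over a constructed cloud inventory.
Example code only: the inventory format is an assumption, not a provider API."""
from dataclasses import dataclass, field

MGMT_PORTS = {22, 3389}   # SSH / RDP: management ports that should never face the internet
ANY = "0.0.0.0/0"         # "anywhere" source in an inbound rule


@dataclass
class Rule:
    source: str   # CIDR block or a security-group reference (east-west)
    port: int     # 0 is used here to mean "all ports"


@dataclass
class Resource:
    name: str
    kind: str                     # "bucket" (storage) or "instance" (server)
    public: bool = False          # bucket: public ACL / policy attached
    ingress: list = field(default_factory=list)   # instance: inbound rules


def check_posture(inventory):
    """Return (resource name, finding) pairs for checklist items 1a and 2a."""
    findings = []
    for r in inventory:
        # 1a: storage exposed directly to the public internet (the Gartner case)
        if r.kind == "bucket" and r.public:
            findings.append((r.name, "storage exposed to public internet"))
        for rule in r.ingress:
            # 1a: management port or all ports open to the whole internet
            if rule.source == ANY and (rule.port in MGMT_PORTS or rule.port == 0):
                findings.append((r.name, f"port {rule.port} open to {ANY}"))
            # 2a: unrestricted east-west rule between internal groups
            elif rule.source != ANY and rule.port == 0:
                findings.append((r.name, f"all ports open east-west from {rule.source}"))
    return findings


# Constructed sample inventory (not real resources)
SAMPLE = [
    Resource("backups-bucket", "bucket", public=True),
    Resource("web-01", "instance", ingress=[Rule(ANY, 443), Rule(ANY, 22)]),
    Resource("db-01", "instance", ingress=[Rule("sg-web", 0)]),
    Resource("app-logs", "bucket", public=False),
]

if __name__ == "__main__":
    for name, finding in check_posture(SAMPLE):
        print(f"{name}: {finding}")
```

Port 443 on the web server is deliberately left unflagged: the check distinguishes intended public services from exposed management and storage surfaces.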
Conclusion
The core principles of cyber security with cloud are no different to the principles of how you secured your on-premises data centres. The ever-growing cloud landscape just adds a layer of complexity around where your data resides and how it is accessed.
You need to ensure that you have visibility and control over all access to the environments. The good news is that achieving visibility and control in the cloud is achievable with the right combination of people, process and technology.
No matter what stage you are at on your cloud journey, Secon Cyber has the expertise and experience to assist you in making your cloud journey more secure and resilient against today’s and tomorrow’s cyber threats. If you’d like to discuss how we can help you, click below to book an initial, free consultation with me.