Cloud has no status quo
Thinking differently about cloud security

White Paper

Introduction

Australian organisations are among the highest adopters of cloud in the world and this report, Cloud has no status quo: Thinking differently about cloud security, highlights a number of important areas Australian security and business leaders must tackle in 2018 and beyond.

A challenge many organisations face is managing the way IT services are delivered and secured when new technology options become available. In the case of cloud, simply applying traditional information security techniques not only prevents the organisation from innovating, but can also expose it to new kinds of vulnerabilities.

This report identifies these risks and offers practical advice to mitigate the risk of a breach of cloud-based information. It covers how cloud is different to traditional security; how to better identify cloud challenges; and methods for using the cloud to improve an overall security posture.

It also examines how cloud services engagements can be quite different to premises-based product and service delivery, and why security and business leaders must prepare for any associated risks when dealing with cloud providers.

Welcome to the new world of cloud security

Cloud computing is delivering an immense amount of value to Australian organisations. The ability to procure services rapidly, and as required, is transforming IT and business service delivery, and security practices must adapt to this new level of agility.

In some cases, cloud security is similar to what organisations are used to with in-house IT, but in many cases it is vastly different. Cloud introduces new technologies, processes and risks which cannot be managed using traditional approaches.

The new-versus-old paradigm shift forces CIOs and security professionals to rethink traditional means of information security and data protection. On-premises security teams are used to many controls and processes which cannot be “copied and pasted” into the cloud. A new level of understanding and different practices are required to keep data secure outside the company walls.

A lack of understanding, or certainty, of the differences between traditional and cloud security is leading to a significant capability gap as more applications are hosted off-premises without appropriate controls. A cloud subscriber’s lack of planning and security controls also helps attackers benefit from the new challenges cloud services present. Knowing about cloud security will also help the organisation adopt new services with confidence, further improving the value it can derive from cloud.

Cloud security differs significantly from traditional on-premises methodologies. Fundamentally, cloud offers a range of technologies not easily available on-premises, and security professionals must investigate new ways to take advantage of them.

Table of contents

Introduction
Welcome to the new world of cloud security
Understanding the challenges to make the changes
Cloud access control and process risks
Cloud brings new security capabilities
Keeping aware of engagements and dependencies
Conclusion
About the author

Letting go of control for convenience

To ensure cloud security success you need to know what you can control and how new approaches can be applied to mitigating unnecessary exposure.

All staff need to tackle cloud security challenges with a different mindset. Rather than dwelling on the restrictions of cloud technologies, organisations can leverage the capabilities unlocked by cloud to achieve their security objectives. By exploiting these advantages, security requirements can be implemented faster, simpler and cheaper than the equivalent on-premises solutions.

The most fundamental difference between cloud and in-house IT is having far less control, or none, over the infrastructure. It is not physically possible to replicate the existing network security controls deployed inside the organisation if the cloud provider does not allow the same level of access. In cloud workload environments there is no physical network. Virtual cloud instances and software defined networking are simulated, which removes the ability to “tap into the wire” when using cloud platforms.

To implement network security controls in the cloud, organisations need to identify new ways to protect data communications using only what the cloud provider allows. If networks, computer hardware and operating systems have been removed from the IT inventory, you have to resign yourself to not having low-level access to systems in the cloud. This is a plus for not having to manage the components, but when it comes to system and network threat detection, the security controls are transferred to the provider.

Understanding the challenges to make the changes

To understand the changes your organisation needs to undertake to secure cloud data, start by assessing the nature of the challenges each cloud service presents.

The term “cloud services” can be broadly categorised into three levels with the following security considerations:

• IaaS: Infrastructure-as-a-Service where you subscribe to virtual servers and storage. IaaS still requires operating system-level updates, patches and data protection activities like encryption.

• PaaS: Platform-as-a-Service where a hosted stack is used to develop applications. The focus here is on code security and the security implications when the application is deployed into production.

• SaaS: Software-as-a-Service is a hosted application with no access to the system or databases. SaaS application security centres on protecting the data itself and having a migration strategy if an alternative application is desired.

Depending on what you are using, cloud security can require traditional approaches such as upgrades or patching, or new approaches such as the secure integration of a microservice. As an example of a change in approach, a traditional technique of encrypting a database might not be possible for a cloud application, but a different method is to encrypt the data before it is transferred over the Internet.

“As more workloads move to the cloud, organisations will shift security spending toward two emerging areas — target application security to ensure code is secure and well-written, and cloud service providers (CSPs) for increased transparency.”

Source: 10 Security Predictions for 2018, DXC Technology

The chain of impact

Because cloud is multi-tenanted, its security challenges can easily extend beyond what your organisation manages. In-house teams might be doing a fantastic job of defending an on-premises application, but when you are using cloud you are trusting a third party with your data and relying on how well the provider secures it.

The recent attack on HR SaaS application PageUp was a striking example of the impact of cloud security. An ABC report [1] identified numerous large Australian companies, from banks to airlines, using PageUp for HR and recruitment.

In Australia, the Notifiable Data Breaches (NDB) scheme [2] came into effect in February 2018. Any government agency or organisation with existing personal information security obligations under the Australian Privacy Act 1988 is now obliged to notify individuals whose personal information is involved in a data breach. If a cloud provider is breached it can result in a ripple effect where not only your organisation’s data is breached but also your customers’ data, which, in the PageUp case, could be personally identifying information like an address or tax file number. And such a breach might be notifiable under the NDB.

PageUp is just one of more than 28,000 cloud-based applications which have been identified and measured against risk factors. A PageUp-scale breach is possible with other popular cloud applications such as Workday, Salesforce, Concur and GitHub. While it might not be possible to prevent a PageUp-style breach, enterprises have options for gathering immediate information on how cloud apps are being consumed in the organisation and therefore the potential impact to customers.

A common misconception is that relying on cloud log data will improve security. For example, ingesting Office 365 logs into an existing reporting system may not result in much breach visibility. By doing this, businesses are defaulting back to traditional comfort zones without knowing such methods cannot add any benefit and often make things more complicated. A more appropriate approach is to be mindful of what is being put into the cloud in the first place, including what to do if data is breached.

Cloud’s risk management conundrum

The convenience of easily provisioning a new service to meet a business requirement is one of the many benefits of cloud. This rapid provisioning has the downside of a potentially more fragmented ecosystem of applications and services. Traditional risk management depends on the ability to identify and classify potential disruption to a project or the wider business. And this becomes exponentially more difficult as the number of cloud services within an organisation increases.

Cloud discovery exercises within mid-market organisations have yielded between 500 and 1500 cloud applications, which, in some cases, can be nearly as many cloud applications as there are people in the organisation. Teams often realise there is some data “over here and over there”, and understanding a risk profile, and hence exposure, is difficult when there is a need to collect information from hundreds of locations.

With some cloud services being more deeply integrated than others, benchmarking cloud risk is extremely challenging compared with the same exercise for an on-site architecture where most of the data is in the organisation’s servers and data centres.

With such a high variance of data in the cloud, a risk manager’s job can quickly turn into a nightmare. Many cloud applications actually claim ownership of the data once it is uploaded to the platform and there are few controls in place to prevent your data being used for the benefit of the cloud provider, such as marketing intelligence. This is quite a significant oversight that is not widely talked about when it comes to application selection.

[1] http://www.abc.net.au/news/2018-06-06/what-to-do-job-seeker-privacy-breach/9842474

[2] https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme

Cloud access control and process risks

Traditional security techniques tend to focus on defending the company’s network and applications from the inside looking out. Cloud not only redefines the concept of a “perimeter”, but it also brings a new level of risk when it comes to insider threats.

Mitigating insider threats traditionally involved extensive background checks and a spectrum of monitoring tools and access control techniques. More recently, big data analytics tools have come to the fore as a method for tracking suspicious, or inadvertently strange, activity by staff.

As noted, cloud services do not allow access to many parts of the service stack, and this means traditional insider threat monitoring might not be possible. This, coupled with ease of provisioning and de-provisioning of services by individuals, makes lack of people controls one of the highest business risks when it comes to cloud.

It is very important to educate staff about the risks that total control over cloud services brings. Even without any malicious intent, someone can disrupt a business with just a simple change of a cloud service setting. With devices such as notebooks, multiple layers of security tools and redundancy processes can be implemented in a layered security approach to minimise the impact of human error. However, in the cloud the smallest human error can have a catastrophic outcome, including from a data protection standpoint.

In the cloud era it is incumbent upon IT and business leaders to institute better internal processes around who can create accounts for cloud services and how the services will be managed. Before anything is subscribed to for the company, make sure the account is designed for business use and find out what options you have for managing the service with multiple staff.

Even a rudimentary “workflow” system can mean the difference between a functioning cloud service and staff, or customers, flooding the IT support line. If one staff member initiates a change, it should be verified by other team members and tactical options like two-factor authentication should be employed if available. This doesn’t necessarily need to be intrusive to the user experience and the technology is available for services to only ask for two-factor authentication when it is warranted.

It is important to understand the weight administrator accounts can carry with a cloud service, and the best possible way to handle them is with a federated authentication system within the organisation. For example, there have been cases where an individual has mistakenly shut down the wrong cloud account, deleting years of development work. A command which deletes an account instead of unsubscribing from it can effectively destroy the company’s “data centre”.

Determine if a master account for a service is linked to an employee’s email and how it was procured. It is not uncommon for a business unit (e.g. HR or finance department) to do a trial of an application to determine its suitability. If the application is then sanctioned for use across the unit or organisation, it is possible the person who created the trial remains in charge of the production account.

“Enterprises should make corporate procurement, IT and security processes as frictionless as possible to discourage the use of unauthorised cloud resources by the business and to ensure consistent security policies and reporting,”

Source: 10 Security Predictions for 2018, DXC Technology

Process risks can appear quickly because not enough separation of duties exists with cloud. More options are developing, but in most cases, subscribers are tasked with establishing their own risk mitigation processes. And managing who is in charge of what is a vital starting point.

Seek service continuity

Organisations face the risk of very high operating costs if single accounts are not properly managed. Cloud enables infrastructure to be provisioned almost instantly with a script. If, for example, more elastic resources are automatically provisioned at 8% capacity instead of 80% (due to a human error), the organisation could face a massive spike in its cloud bill. The reverse can hold true if an individual’s account is used to procure cloud and a renewal payment is missed, resulting in the suspension or termination of the service. This is yet another example of non-malicious activity posing a significant business risk.

To avoid the risks associated with personal accounts, in most cases you want a business account to be managed by the right team and stakeholders. Staff take leave and can move on from the organisation. With a business account there will be someone to take over and avert disruption.

With cloud authentication and access management so powerful, every privilege must be accounted for. On the positive side, the API capability of widely embraced cloud technology has made access, and the associated privilege, easy to use. ID and access management is now universally accessible in cloud and the deployment time is much quicker than doing the same with on-premises clients and servers.

The human error and insider threat risks have a much bigger impact with cloud services, so be aware of your access control processes. It really is about education, so start with communicating to staff why it is important.

Cloud brings new security capabilities

As with any new technology or process, cloud presents new types of security risks. To best prepare for these risks, a new way of thinking about security is needed. However, security and business leaders can use cloud technologies and methods to improve their organisation’s security capability. Cloud brings new capabilities for improving security and data protection, and these capabilities tend to be much more agile than traditional methods.

Avoiding a catastrophe with cloud

As noted in the previous section, it is possible to disrupt cloud operations – and by extension the entire business – if access and commands are not properly managed. Conversely, cloud offers many benefits when it comes to protecting business information from being destroyed. On-premises offices and server rooms are prone to all kinds of risks – from fires and floods to power and electricity problems. Generally, these risks are mitigated in the cloud where the providers are constantly building dedicated facilities designed to keep data safe.

Cloud also offers many options for rapid disaster recovery. The ability to use separate networks on demand affords a new level of isolation not seen in a company network, and if something goes wrong you can rebuild an environment quickly. With cloud, your downtime can be measured in minutes, whereas traditional DR can take days or weeks to restore depending on the complexity of the architecture.

“Best practices for APIs include utilising Transport Layer Security (TLS); authenticating subjects securely; and relying on established standards for authentication and encryption,”

Source: 10 Security Predictions for 2018, DXC Technology

It is a new approach to think of the services you are building in the cloud as being “disposable”. It only takes minutes to deploy environments in the cloud and this should be used to your advantage. An example of this is with the notorious risk of ransomware. On-premises servers and clients are facing an uphill battle to defend against, and then restore from, a malware attack. With cloud, if ransomware does strike, an entire environment can be re-built in minutes, negating any long-term impact.

Secure infrastructure as code

Another emerging area where cloud improves security is with infrastructure as code. Infrastructure as code is a technique where cloud infrastructure resources (such as servers, storage capacity and network services) are provisioned automatically with software. Cloud APIs now allow infrastructure to be automated using scripts – a long way from the days of setting up physical machines. With infrastructure services available like a “recipe book”, developers are the new network engineers and administrators, and reliability and security can be an integral part of the DevOps build process.

In one case, the head of security at an Australian bank was expressing dismay at the development team’s practice of pushing code into production three times a day for Internet banking and trading applications. The security team had no way of auditing the code at the same pace so a new approach of securing the code as it developed was required. This is a common challenge, but the solution is apparent – cloud is shifting security into the hands of developers as it accelerates processes and the security team becomes an advisor, or ambassador, to the development team.

With development teams fixing bugs all day, if a security problem is in code it can be mitigated sooner. Companies can expect a big shift in security productivity with DevSecOps methodologies. When working with newly established cultures like DevOps, you need to become more accepting of the paradigm shift and help staff do it right. New ideas for automating processes will appear and a traditional approach won’t work in the cloud.
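One way security can sit inside the build process is a pre-deployment gate that checks each infrastructure change for the process risks described earlier: a mistyped scaling threshold (8% instead of 80%), a change nobody else verified, a master account tied to one person's mailbox, and missing two-factor authentication. The sketch below is an added example, not code from the white paper; the change-request fields, the policy values and the `corp.example` addresses are all hypothetical.

```python
# Hypothetical policy values (assumptions); tune them to your own environment.
POLICY = {
    "scale_out_cpu_percent": (50, 95),  # acceptable band for the scale-out trigger
    "max_instances_cap": 40,            # hard ceiling on elastic growth
    "role_mailboxes": {"cloud-ops@corp.example", "platform-team@corp.example"},
}


def check_change(change, policy=POLICY):
    """Return a list of (rule_id, message) violations for one change request."""
    violations = []

    low, high = policy["scale_out_cpu_percent"]
    threshold = change.get("scale_out_cpu_percent")
    if threshold is None or not low <= threshold <= high:
        violations.append(("SCALE_THRESHOLD",
                           f"scale-out trigger {threshold}% is outside {low}-{high}%"))

    max_instances = change.get("max_instances")
    if max_instances is None or max_instances > policy["max_instances_cap"]:
        violations.append(("MAX_INSTANCES",
                           f"instance ceiling {max_instances} exceeds the cap"))

    # A change must be verified by someone other than the person who raised it.
    reviewers = set(change.get("approved_by", [])) - {change.get("requested_by")}
    if not reviewers:
        violations.append(("PEER_REVIEW", "no approver other than the requester"))

    # The master account should belong to a team mailbox, not an individual.
    if change.get("account_owner", "").lower() not in policy["role_mailboxes"]:
        violations.append(("ACCOUNT_OWNER", "account owner is not a role mailbox"))

    if not change.get("mfa_enforced", False):
        violations.append(("MFA", "two-factor authentication is not enforced"))

    return violations


def gate(changes, policy=POLICY):
    """Map each failing service to its rule ids; an empty dict means deploy."""
    failed = {}
    for change in changes:
        rule_ids = [rule for rule, _ in check_change(change, policy)]
        if rule_ids:
            failed[change["service"]] = rule_ids
    return failed


# Constructed sample change requests.
BAD_CHANGE = {
    "service": "web-tier",
    "account_owner": "jane.doe@corp.example",  # the person who ran the trial
    "requested_by": "jane.doe",
    "approved_by": ["jane.doe"],               # self-approved
    "scale_out_cpu_percent": 8,                # typo for 80
    "max_instances": 200,
    "mfa_enforced": False,
}
GOOD_CHANGE = {
    "service": "batch-tier",
    "account_owner": "cloud-ops@corp.example",
    "requested_by": "jane.doe",
    "approved_by": ["sam.lee"],
    "scale_out_cpu_percent": 80,
    "max_instances": 20,
    "mfa_enforced": True,
}

if __name__ == "__main__":
    for service, rules in gate([BAD_CHANGE, GOOD_CHANGE]).items():
        print(f"BLOCKED {service}: {', '.join(rules)}")
```
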

New tactical options are available

The wide adoption of cloud has spurred the development of new technology and services which can help improve the overall security posture of an organisation, not just cloud services. Everything from Internet “clean feeds” to tokenisation tools is available, either as a cloud service or designed to be used with cloud. A new generation of cloud access security broker (CASB) service providers now offer support for security between your organisation and the cloud. As mentioned, the PageUp breach exposed the long tail of risk for cloud customers and, in turn, their end customers. A CASB can help mitigate and deal with security incidents like this where a customer might not know what to do or say in the event of a breach.

A cloud security tool might not necessarily play a role during a cyber breach, but CASB technology allows a service provider to see if something in the cloud is heavily utilised and how much data has been uploaded to an application. In the case of an HR application a CASB can identify personal information such as employee IDs, ABNs and tax file numbers. This allows the organisation to start its own investigation to determine how exposed it might be when using an application like PageUp.
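The kind of identification described above can be illustrated with a small content scanner that counts tax file numbers and ABNs per destination application, using the published check-digit rules so that phone numbers and ticket ids are not reported. This is an added example, not a CASB product's logic or code from the white paper; the application names and upload text are constructed, and only 9-digit TFNs are handled.

```python
import re

# Check-digit weights for the two identifiers.
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)             # 9 digits, sum % 11 == 0
ABN_WEIGHTS = (10, 1, 3, 5, 7, 9, 11, 13, 15, 17, 19)  # 11 digits, sum % 89 == 0

# Runs of 9 to 11 digits, optionally grouped with single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){8,10}(?!\d)")


def is_valid_tfn(digits):
    """True if a 9-digit string satisfies the TFN weighted checksum."""
    if len(digits) != 9 or not digits.isdigit() or set(digits) == {"0"}:
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def is_valid_abn(digits):
    """True if an 11-digit string satisfies the ABN weighted checksum."""
    if len(digits) != 11 or not digits.isdigit() or digits[0] == "0":
        return False
    values = [int(d) for d in digits]
    values[0] -= 1  # the ABN rule subtracts 1 from the leading digit
    return sum(v * w for v, w in zip(values, ABN_WEIGHTS)) % 89 == 0


def scan_text(text):
    """Return [(kind, masked_value)] for checksum-valid identifiers in text."""
    findings = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if is_valid_tfn(digits):
            kind = "TFN"
        elif is_valid_abn(digits):
            kind = "ABN"
        else:
            continue  # digit run with no valid checksum, e.g. a phone number
        # Keep only the last three digits so the report is not itself a leak.
        findings.append((kind, "*" * (len(digits) - 3) + digits[-3:]))
    return findings


def summarise_uploads(uploads):
    """uploads: iterable of (app, text). Returns {app: {kind: count}}."""
    summary = {}
    for app, text in uploads:
        for kind, _ in scan_text(text):
            per_app = summary.setdefault(app, {})
            per_app[kind] = per_app.get(kind, 0) + 1
    return summary


# Constructed sample uploads; the identifiers are test values that satisfy
# (or deliberately fail) the check-digit rules.
SAMPLE_UPLOADS = [
    ("hr-saas.example", "Applicant J. Citizen, TFN 123 456 782, mobile 0412 345 678"),
    ("hr-saas.example", "Employer ABN 51 824 753 556; requisition 123456789"),
    ("notes.example", "Meeting moved to room 4, ticket 2018-0606"),
]

if __name__ == "__main__":
    for app, counts in summarise_uploads(SAMPLE_UPLOADS).items():
        print(app, counts)
```

The per-application counts give the starting point for the exposure investigation the paragraph describes: which service holds identifiers, and roughly how many.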

“Enterprises should focus on application security, promote DevSecOps development practices and invest in training and data handling,”

Source: 10 Security Predictions for 2018, DXC Technology

Even if your organisation has not yet adopted cloud services in a significant way, it is good practice to start thinking about the new technology and process options to improve your security standing and prepare for the future.

Keeping aware of engagements and dependencies

In addition to technical and operational changes, cloud adoption is also different to traditional security when it comes to commercial engagements and dependencies. This is not strictly an IT security risk, but a business continuity and agility risk the business faces when ceding control of critical services.

Contractual and operational disruption is often overlooked or poorly considered before moving to cloud and every security and business leader should be aware of the risks.

Some of the engagement risks of cloud include:

• Account suspension or termination: It is possible for an account to be temporarily or permanently closed by a provider, even if the reason is not your fault. For example, a malware attack on services you use could result in those services being taken offline.

• Lock-in: Are you developing a dependence on one provider’s technology and processes? This can seem innocuous at the start, but as your cloud use matures, will the business be faced with a lengthy and expensive migration if you ever needed to change cloud providers?

• Data sovereignty: With more data being “born in the cloud” is the provider asserting any rights over your data? A dispute here could make moving to another service even more problematic.

Key takeaways

• It is important to know what your rights and obligations are when evaluating a cloud provider and it is equally important to know how a provider is likely to respond in the event of a suspected problem.

• Services have been taken offline by the “suspend now, ask questions later” policies of clouds. This can easily translate to lost revenue and reputation if the service is customer-facing.

• Establish an enterprise-level relationship with the cloud provider to ensure there is mutual understanding of the importance of your services. And establish a process for dealing with an event which is likely to disrupt services. Malware can strike at any time and result in “suspicious activity” as seen by the provider.

• In the on-premises world an attack can be detrimental, but, for better or worse, you can decide to keep services running while remediation activities are performed.

• To help avoid cloud lock-in, develop a plan for moving from one provider to another and review how well supported your services are across the industry. Generally, IaaS is more standard and PaaS and SaaS are more unique to the provider.

• Like backups and data protection, having a cloud engagement strategy will be important when you need it most. Information security is all about protecting your organisation’s data and reputation, and contractual exposure can result in the same business impact as a targeted attack.

“Cloud services users should modify supplier contracts to ensure that expectations for architectural design blueprints and security controls — such as compliance and audit APIs, and event log exports — continue to be relevant”

Source: 10 Security Predictions for 2018, DXC Technology

Conclusion

Cloud brings many business benefits, but it can also introduce new risks if it is not managed well. It is important for all security and business leaders to understand the differences between traditional technologies and approaches and those for cloud. New cloud risks must be identified and mitigated, and a new range of options is available for using cloud to deal with the risks in addition to improving processes.

The rapidity of cloud services calls for new thinking and traditional approaches will fail to deal with future threats and leave the organisation even more exposed. Organisations that take advantage of what cloud security offers have a good opportunity to improve their overall security posture, not just for individual services.

Cloud is undeniably the future of how the world will operate and with such rapid cloud adoption it’s the ideal time to get cloud security right.

About DXC Technology

DXC Technology (DXC: NYSE) is the world’s leading independent, end-to-end IT services company, serving nearly 6,000 private and public-sector clients from a diverse array of industries across 70 countries. The company’s technology independence, global talent and extensive partner network deliver transformative digital offerings and solutions that help clients harness the power of innovation to thrive on change. DXC Technology is recognized among the best corporate citizens globally. For more information, visit www.dxc.technology.

© 2018 DXC Technology Company. All rights reserved. MD_8705a-19. August 2018

About the author

Ryan Broadfoot is DXC Technology’s Cloud Security Leader, Australia and New Zealand region. He is a seasoned security expert and has provided security consulting to Fortune 100 companies in Asia-Pacific and around the world. He has also led and delivered various special government security projects.

Previously, Mr Broadfoot was CSC’s StrikeForce Leader, Australia and New Zealand. As the leader of CSC Security StrikeForce, he led a team of top-tier penetration testers to help organisations evaluate and improve their cybersecurity defences against emerging threats. Ryan takes great pleasure in notifying organisations of the flaws in their processes and systems to open the opportunity for learning and growth, and to help organisations be prepared for when a security attack occurs.