CLOUD SECURITY
Top threats to cloud computing a ‘marked change’ in traditional security concerns
Traditional security concerns around the cloud – including data loss and denial of service – are being overshadowed by fears of inadequate security controls as consumers become increasingly cloud-savvy.
That’s according to the recently released Top Threats to Cloud Computing: The Pandemic 11 by the global Cloud Security Alliance (CSA). The report, the sixth in its Top Threats to Cloud Computing series, found that many of the more than 700 respondents’ major fears had moved from data loss and denial of service (DoS) to concerns around control plane weaknesses, metastructure and applistructure, and limited cloud visibility.
Debuting cloud threats
A weak cloud control plane refers to inadequate or insufficient security controls, explains the CSA, such as a lack of two-factor authentication and the ability to enforce its usage. Metastructure refers to the mechanisms that provide the interface between the infrastructure and other layers; applistructure describes applications deployed in the cloud and the services used to build them.
“Collectively, these security issues are a call-to-action for developing and enhancing cloud security awareness, configuration, and identity management,” says Jon-Michael C. Brook, co-chair of the Top Threats Working Group and one of the paper’s lead authors. “As cloud business models and security tactics evolve, there is an even greater need to address security issues that are situated higher up the technology stack and are the result of senior management decisions.”
In order of significance, with previous rankings in brackets alongside where applicable, the Pandemic 11’s findings are:
• Insufficient identity, credential, access, and key management (#4)
• Insecure interfaces and APIs (application programming interface) (#7)
• Misconfiguration and inadequate change control (#2)
• Lack of cloud security architecture and strategy (#3)
• Insecure software development
• Unsecure third-party resources
• System vulnerabilities
• Accidental cloud data disclosure
• Misconfiguration and exploitation of serverless and container workloads
• Organised crime/hackers/APT
• Cloud storage data exfiltration
The perfect hiding place
“The cloud – with its complexity – is the perfect place for attackers to hide, and an ideal launchpad for attacks,” says John Yeoh, Global Vice President of Research, Cloud Security Alliance. “Add to that the fact that insider threats make it more challenging to protect organisations from data loss and it becomes clear that more industry attention and research is required.”
One of the significant differences between traditional IT and cloud service applications is that the former is customer-controlled, while the latter is “never fully shipped off to the customer,” says the CSA, likely one of the reasons that weak control planes are a growing source of concern. In traditional IT environments, applications and security features are designed with the customer as the main user, and hosted on-premise. Customers have full visibility and control over their IT setups and are also responsible for their own security, with their IT providers providing updates and patches when necessary. The cloud, however, is a public environment, where resources are hosted on the premises of the service provider, explains software company Cleo.
New opportunities, new threats
Says Dale Norris of Top Threats to Cloud Computing: The Pandemic 11 report sponsor, ExtraHop: “The cloud spurs innovation, but it also expands the attack surface, introducing new opportunities for advanced threats to succeed.”
In his blog Gain PCAP and Forensics in Google Cloud, Norris warns of third-party risk and threats to software supply chains, “where PCAP (packet capture) is essential for understanding the scope of what happened. For defenders, access to packets in cloud environments for IR (integrated research) and deep forensic investigation has historically been difficult.”
“Traditional approaches to PCAP in the cloud require adding friction-causing agents or packet forwarders,” he says. “And even then, investigators and incident responders usually have to swivel between tools to analyse those packets. Given those problems, security teams often turn to logs as a solution, but they offer limited insights and lead to trial-and-error analysis that slows down investigations.”
“Whether it’s determining the scope of an incident or remediating it, cloud security teams need streamlined processes that get them to forensic evidence faster. And that necessary speed goes beyond being able to access information in a single tool. Investigators and incident responders need the right information, and they need to be able to find it quickly. With access to packets, detections, and transaction records that are indexed and searchable in a single cloud-native platform, investigators and analysts can filter by metric, transaction, user, and more. Streamlined workflows allow security teams to quickly get the forensic context they need, enabling them to significantly reduce mean time to resolution/remediation (MTTR) for incidents in cloud environments. That faster response also helps security teams take the fight against ransomware to the cloud.”
Other challenges
“While many organisations were already moving to the cloud, the Covid-19 pandemic accelerated this transition,” says Check Point. “As a result, over 98 percent of organisations use some form of cloud-based infrastructure, and over three-quarters (76 percent) have multicloud deployments composed of services from two or more cloud providers. These cloud environments host critical business applications and store sensitive company and customer data.”
Aside from cloud security per se, especially in ‘complex, multi-cloud environments’, companies are facing a raft of other major challenges, according to Check Point’s report The biggest cloud security challenges 2022. These include:
• Lack of qualified staff
• Compliance on the back of an ever-expanding regulatory landscape
• Lack of security visibility on lower infrastructure levels
• Difficulty in identifying misconfigurations
• Setting consistent security policies
• Cloud security automation
• Automated security enforcement
The need for speed
In its five-step guide to cloud security, Commvault says that companies reported far higher cloud usage in 2021 than they’d initially planned. “Many of those companies are now assessing these changes to determine how they can optimise and better manage their hybrid cloud environment, including the growing need to safeguard data, no matter where it lives. Whenever disruption occurs, the longer your organisation takes to react to it or adapt to it, the more growth and revenue you’ll miss out on. As data management trends tip toward as-a-service delivery, a SaaS (software as a service)-delivered solution can empower your company’s digital transformation.”
Creating a migration strategy
Moving away from a traditional infrastructure to a cloud-based one is a major undertaking, says Andrew Cruise, MD of VMware Cloud provider Routed, and it gets even more daunting when faced with the various options available on the market today. His advice is to create a solid cloud migration strategy, based on the following:
1. Outline your environment
In broad terms, there are two types of cloud environments: development, and enterprise or business, he says. “Devops is exciting, amazing, cutting-edge. The business usage, less so, because it involves migrating physical workloads to the cloud. Don’t confuse need-to-have with nice-to-have and spend money on something that seems very attractive, but that you won’t really need or use.”
2. Do an audit of your operations
“Cloud doesn’t necessarily replace all previous options but is an add-on in the hybrid world of today. Do an audit of your company’s operations and decide what needs to be moved to the cloud. Some operations might not be suited to cloud for compliance reasons, for example, (and) you need to factor in your company’s unique variables for each operation, like cost, complexity, and compliance.” Then, decide what needs to move to which type of cloud. “Different apps and operations belong in different places,” he explains. “It’s unlikely that every cloud provider is fit-for-purpose for every app, and you need to choose the right environment for the right app. Picking a single platform because you want to keep things simple can mean suffering performance or commercial problems down the line. It introduces complexity to your final solution, yes, but each set of workloads will be in an ideal place.”
3. Start small
This is particularly important for SMEs, says Cruise. “If you move too much to cloud too quickly, it can lead to failed migrations and operational paralysis. Break your operations down into bite-sized pieces and move them one at a time.” What you decide to move first depends on your needs, he continues.
“Some migrations, like email or backups, are relatively simple and low risk, which might make sense for some companies. For others, moving to virtual machines is the smarter choice.”
4. Find the right management tools
A single management platform that does all the above, and does it well, does not exist, says Cruise. “Rather look for specialist management tools: if cost management is your priority or challenge, look for tools that manage costs across a range of cloud platforms. If you want to visualise your usage across multiple clouds, look for a product that gives you that kind of UI (user interface).”
Sources:
• Cloud Security Alliance, www.cloudsecurityalliance.org
• ExtraHop, www.extrahop.com
• Cleo, www.cleo.com
• Check Point, www.checkpoint.com
• Commvault, www.commvault.com
• Routed, www.routed.co.za