This article is part of our new State of Cloud Security 2021 Series, which interviews a diverse mix of cloud security experts, decision-makers, and practitioners with the goal of better understanding their perspectives on the current and future state of cloud security.
The following is an interview that OpsCompass CTO John Grange recently had with Najeeb Saud, Senior DevOps Engineer at Schellman & Company, LLC.
JG: What is the state of cloud security today?
NS: The use of cloud services has grown wildly over the past decade, especially in the wake of the COVID-19 pandemic, with companies undergoing a complete digital transformation to enable employees to work from home. Securing these cloud services has become even more imperative in day-to-day operations, and while many of the native security features of these services can be robust and effective, others may not check all the boxes, leading many organizations to look for third-party security tools to supplement their workforce. Examples include static code analyzers, vulnerability management, and security information and event management (SIEM) tools.
JG: What are the most common challenges organizations face when it comes to cloud security today?
NS: As organizations continue to move towards more complex cloud environments, visibility into system-level activity across the many environments is imperative and not always the easiest thing to monitor consistently. Therefore, the focus must be a healthy balance of defensive security posturing (which focuses on reactive measures, such as patching software and finding and fixing system vulnerabilities) as well as system hardening (securing a system’s configuration and settings to reduce IT vulnerability and the possibility of being compromised) and, finally, centralizing system activity in a manner where any kind of attack or anomaly can be quickly detected via SIEM logging, monitoring, or built-in cloud security tools. In AWS these would be tools like Security Hub, GuardDuty, Detective, CloudTrail, etc.
JG: What lessons can be learned from the biggest cloud-related breaches of 2020?
NS: Not only did we face a viral pandemic in 2020, but many companies experienced a digital pandemic of data breaches, supply chain attacks and human engineering. The number of security breaches skyrocketed as attackers targeted the millions of remote workers who didn’t have adequate security protection or sufficient training to be able to spot bad actors. This explains why Zoom ended up hacked to the tune of 500,000 passwords. Bear in mind that these credentials were not from any breach at Zoom itself, but rather just broad collections of stolen, recycled passwords.
Companies like Whisper, a “secret-sharing” app self-proclaimed as the “safest place on the Internet,” exposed PII, including intimate confessions, ages, locations, and other details, and allowed anyone to access all of the information tied to anonymous “whispers” posted to the app. The attack could have come from a bad configuration by a careless employee or any number of factors, but the bottom line is that any endpoint can be an attack vector and must be monitored and must follow security best practices. Access to sensitive data should only be granted to a select few within the organization and should not be accessible to the outside world, and password complexity should be set to a high standard company-wide; giving employees access to password managers like Keeper or LastPass to keep track of them is a huge plus.
JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?
- Control your endpoints. Make sure that any public-facing endpoints are safeguarded using a web application firewall and that all activity on that endpoint is monitored and scanned against the OWASP Top 10 risks. Lastly, if possible, don’t publicly expose any endpoints that are only used internally. A VPN can be your best friend.
- Encrypt all data at rest. This is necessary from the organization’s laptops all the way to production servers and databases. You don’t want data volumes falling into the wrong hands. By encrypting data at rest, you’re essentially converting sensitive data into another form of data. This usually happens through an algorithm that can’t be understood by a user who does not have the encryption key to decode it. Only authorized personnel will have access to these files, ensuring that your data stays secure.
- Protect your data with multi-factor authentication. Simply relying on usernames and passwords as the only form of authentication leaves you vulnerable to hackers who can easily steal, copy, or share your data. The most reliable way to combat this is through multi-factor authentication (MFA). This requires users to log in with their credentials and combines them with a secondary authentication device they have (like their phones). Only users who possess both factors will have access to company data.
- Shift security to the left. Security should be built into the organization’s continuous integration and deployment process and designed into the organization’s application at an earlier stage of the development cycle. This gives developers and security engineers the ability to detect vulnerabilities as early as possible before they go live into production.
- Alert on anomalies in monitoring and logging. Investigating attacks can be like drinking from a fire hose when sifting through monitoring metrics and logs. Having a centralized location where all the diagnosing can happen is a godsend, and being able to automatically detect a brute-force login, for example, can be even better. The standard way to raise alarms is to study standard traffic, which should not raise alarms, and decide on a static threshold based on that historic standard traffic. There are also many security tools that take the guesswork out of the equation (SIEMs and other security detection services).
- Penetration test annually. Pen testing involves ethical hackers scaling planned attacks against an organization’s security infrastructure to hunt down security vulnerabilities that need to be patched up. This gives the organization a good understanding of where to focus its security efforts before attackers find them.
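As an added illustration of the "alert on anomalies" advice above (example code written for this article, not part of the interview or any product mentioned in it), the following derives a static threshold from baseline failed-login counts and then flags any source that exceeds it within a sliding window of centralized auth events. The log format, the sample lines and the baseline counts are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of centralized auth events (not real data):
# "<ISO-8601 timestamp> <OK|FAIL> user=<name> src=<ip>"
SAMPLE_LOG = """\
2021-03-01T10:00:01+00:00 FAIL user=admin src=203.0.113.5
2021-03-01T10:00:05+00:00 FAIL user=admin src=203.0.113.5
2021-03-01T10:00:09+00:00 FAIL user=root src=203.0.113.5
2021-03-01T10:00:14+00:00 FAIL user=root src=203.0.113.5
2021-03-01T10:00:20+00:00 FAIL user=test src=203.0.113.5
2021-03-01T10:00:31+00:00 FAIL user=test src=203.0.113.5
2021-03-01T10:00:45+00:00 FAIL user=guest src=203.0.113.5
2021-03-01T10:01:00+00:00 FAIL user=bob src=198.51.100.9
2021-03-01T10:01:10+00:00 OK user=bob src=198.51.100.9
2021-03-01T10:03:00+00:00 FAIL user=bob src=198.51.100.9
"""

# Failed logins per source per 5-minute window observed during normal traffic
# (constructed values standing in for what you would measure from historic logs).
BASELINE_FAILS_PER_WINDOW = [0, 1, 2, 1, 0, 3, 1, 2, 0, 1]
WINDOW = timedelta(minutes=5)

def static_threshold(baseline, margin=3):
    """Static threshold: the worst count seen in normal traffic plus a safety margin."""
    return max(baseline) + margin

def parse_line(line):
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]

def detect_brute_force(log_text, threshold, window=WINDOW):
    """Return {src: peak_failures} for sources whose FAIL count in any
    sliding window of `window` length reaches the threshold."""
    fails = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, result, _user, src = parse_line(line)
        if result == "FAIL":
            fails[src].append(ts)
    alerts = {}
    for src, times in fails.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window start forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[src] = max(alerts.get(src, 0), count)
    return alerts
```

With the constructed baseline the threshold works out to 6, so the source that fails seven times in under a minute is flagged while the source with two scattered failures is not.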
JG: What’s the future of cloud security?
NS: Cybersecurity will always be a moving target, which means that organizations will constantly be re-evaluating and redeploying their cybersecurity strategies. The good news is that we’re already starting to see cloud providers like AWS, Azure, GCP, etc. moving quickly to offer some very robust, native security solutions, giving organizations the ability to monitor for potential attacks with several different services, including a web application firewall, a network-level firewall and Distributed Denial of Service (DDoS) prevention defenses to help protect endpoints hosted on their platforms. Built-in security features of these cloud providers, and indeed of many other SaaS solutions, will become more and more effective and useful as we go. AI will no doubt play a crucial role in defending against attacks, both in alerting on them and in blocking them, as will the continued automation and rotation of encryption keys, passwords, private keys, etc., because, let’s face it, while delivering a secure product is incredibly important, at the end of the day organizations would much rather focus on delivering features than spend all of their precious time worrying about every security pothole in the road.