This article is part of our new State of Cloud Security 2021 Series, which will interview a diverse mix of cloud security experts, decision-makers, and practitioners with the goal of better understanding their perspectives on the current state and future of cloud security.
The following is an interview that OpsCompass CTO John Grange recently had with Alex Haslach, IT Security Manager.
JG: What is the state of cloud security today?
AH: Cloud security is in a state of flux today. Many organizations are transitioning from a traditional on-premises enterprise computing environment towards a hybrid or cloud-first computing model. In addition, COVID-19 has forced organizations to confront an abrupt shift to remote work for most of their staff. During this unprecedented era, these circumstances have only increased the challenges businesses wrestle with to maintain an effective cloud security posture while continuing to support operations and deliver value to their customers.
JG: What are the most common challenges organizations face when it comes to cloud security today?
AH: Data Governance and Loss Prevention are particularly challenging in a distributed, cloud-first business environment. Staff are routinely forced to choose between getting work done and following corporate policies around which devices and applications to use. Businesses also make compromises to facilitate productivity, which can increase their risks. Sensitive data ends up stored in untrusted locations and transmitted over insecure connections, each time potentially causing a security breach.
Maintaining security boundaries can be nearly impossible when you have no enterprise network segmented behind a firewall. When all endpoints are accessing your systems and data from the Internet, VPNs quickly become overwhelmed with traffic. All clients are essentially connecting from what must be presumed to be hostile and untrusted networks, with weak or nonexistent security controls. Traditional endpoint protection solutions are less effective in a distributed work model, and detection/response is similarly hindered.
Proliferation of unmanaged SaaS applications and IaaS/PaaS cloud computing services is inevitable when organizations make a rapid shift towards the cloud. Each department or team may have different third-party SaaS applications for the same purpose, and having multiple cloud computing accounts across multiple service providers is a common scenario. Controlling access to these applications and cloud environments without a properly configured cloud-native IAM solution is difficult, if not impossible.
JG: What lessons can be learned from the biggest cloud-related breaches of 2020?
AH: Email phishing remains the single largest threat facing businesses today. Cyber criminals and other threat actors primarily rely on this tactic to gain an initial foothold in an organization. Social engineering attacks such as phishing are up 63% over the previous year, and they will continue to increase while this remains an effective tactic.
Ransomware is still the preferred method for making money from cybercrime, but over the past year it has become far more severe. Ransom demands are increasing, with organizations being asked to pay on average over half a million dollars to unlock their data and systems, plus the attackers will steal sensitive data and threaten to release it publicly if demands are not met. Sensitive data is also routinely monetized through dark web sales for the purposes of fraud.
Improperly configured access to cloud resources can allow even unsophisticated attackers to cause a serious security breach. The public nature of cloud providers means that even a single misconfigured instance can expose gigabytes of data to anyone who happens to stumble upon it. Opportunistic attackers will continuously scan for any such misconfigurations and when found will quickly exfiltrate the exposed data.
JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?
AH: Securing access to non-public cloud resources such as S3 buckets and other cloud data repositories is an absolute must. Many of the biggest cloud-related breaches could have been prevented by requiring proper authentication for cloud storage instances. Restrict privileged access to cloud assets to only those employees who truly require it. Monitor successful as well as failed access attempts and identify deviations from normal patterns to proactively detect unauthorized access. Regularly review user accounts and permissions and remove those that are not essential.
Multi-factor Authentication provides a cheap and effective level of preventative control against account hijacking risks. Employees are increasingly familiar with the technology through their personal experiences with online banking and email service providers. In addition, newer “passwordless” methods of authentication increase organizations’ resistance to phishing and password-guessing credential theft attacks.
Backup, recovery, and continuity planning cannot be ignored for cloud computing workloads. Just because an application is distributed among multiple availability zones globally does not make it immune to intentional sabotage. Backups should be maintained separately from workloads, with access segmented such that if the cloud compute environment is compromised, the integrity of the backups will not be impacted. Being able to restore effectively after a cloud compromise could mean the difference between a small operational hiccup and a business closing its doors forever.
JG: What is the future of cloud security?
AH: Businesses must become comfortable operating in a distributed, zero-trust environment. No longer can they depend on end user computing and datacenter operations being protected by a perimeter firewall, nor can they afford to transition slowly to this new model of cloud-first operations. The essentials like access control, threat detection/response, disaster recovery, and business continuity planning remain the core pillars of any organization’s security program, especially in the cloud. However, the specific methods of implementing these controls will necessarily change to remain effective. Significant technical expertise must be fostered by businesses in cloud security engineering and DevOps among IT practitioners to facilitate these changes. While initially costly and sometimes disruptive, eventually businesses will realize value created by this historic change to cloud computing through increased productivity, decreased legacy IT costs, worker flexibility, and organizational agility.