The State of Cloud Security — Insights From Patrik Aldenvik, IT Security Consultant

Patrik Aldenvik Interview

This article is part of our new State of Cloud Security 2021 Series, which will interview a diverse mix of cloud security experts, decision-makers, and practitioners with the goal of better understanding their perspectives on the current and future state of cloud security.

The following is an interview that OpsCompass CTO John Grange recently had with Patrik Aldenvik, IT Security Consultant, Assured.

JG: What is the state of cloud security today?

PA: The security maturity of cloud environments is moderate but is improving, with a lot of potential. The cloud is still a relatively new concept, which means that both the providers and the users are less security mature compared to older technologies. As you all know, more and more organizations are moving from on-premises networks to cloud services. This change in the organizations’ behavior, in combination with an immature security culture, will of course result in more mistakes. Cloud providers are trying to decrease the number of mistakes by making it easier to create a secure environment. One example of this is Amazon Web Services (AWS) and their S3 service (Simple Storage Service), where several misconfigured storage buckets caused compromises. AWS responded by redesigning the GUI, making it easier for clients to understand the configuration of the service. Another example is Google Cloud Platform (GCP), which works continuously to improve the security of their services. They identified that Kubernetes is complex and recently introduced Autopilot in their GKE (Google Kubernetes Engine) service, which provides a hardened cluster out of the box.

JG: What are the most common challenges organizations face when it comes to cloud security today?

PA:

– To keep up to date.

– That services are not secure by default.

– To master the double-edged sword, a.k.a. the control plane.

With new technologies there are always challenges, and it takes time until common best practices are formed and used by most of the users. At the same time, cloud providers are constantly developing new services and features, which adds to the challenge for users to keep up to date.

What I often experience is that users assume that a service in the cloud is secure by default and that after a few clicks to activate a service, you are good to go. This is of course the case for some services, but far from all are secure by default. Therefore, it is always good to verify that your cloud services are set up according to best practices.

One thing with the cloud is that it is so easy. You create an account, enter the control plane part of your service, and you are up and running within minutes. Be it spinning up a server, adding a user or activating logging, it is easily done by using the control plane. However, compared to on-premises networks, the cloud control plane is often accessible directly from the internet, which makes it a double-edged sword. With access to the control plane an adversary can shut down your servers, remove all users or, if you are unlucky, even delete all your data and infrastructure… (heard of the Code Spaces breach in 2014?)

JG: What lessons can be learned from the biggest cloud-related breaches of 2020?

PA:

– Insiders are an actual threat.

– Compromised storage buckets continue to be a thing.

– Network access control is still important in the cloud.

Even though you want to have a working environment where everyone feels welcome and included, it is important to consider insiders and apply the principle of least privilege. You would probably not expect any of the employees to want to harm the organization, but when that happens you will be happy that only the needed privileges were assigned to her or him.

Even if AWS has taken measures to help customers configure their S3 (Simple Storage Service) buckets in a more secure way, data leaks and bucket compromises continue. If your organization is using a storage service, make sure that it is configured correctly.

Even though the cloud is often intended to be exposed to the internet, it is important to make sure that your private resources and services are only reachable by their intended audience. Network access control is still a very useful and effective way to decrease your risk and keep the bad people out.

JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?

PA:

– Educate your users in the platform of choice.

– Take advantage of the security mechanisms that the platform provides.

– Apply the principle of least privilege.

“Knowledge is power” is also true for cloud services. Let your organization spend some time to become familiar with the service you intend to use. This is good from a security perspective and will likely also increase productivity in the long run.

Cloud security has potential and is moving in the right direction. There are often good security mechanisms offered by the cloud providers, making it almost as simple to configure a password policy or activate MFA for a user as it is to add one. Take advantage of that and step your security posture up a notch with a couple of simple clicks.

Identity and access management is often hard, and companies tend to be a bit lazy in this area, giving full privileges to resources instead of only the needed privileges. This behavior increases the impact if a compromise occurs and could rather easily be avoided. If your organization does not have the resources to investigate this thoroughly, there are often predefined roles, created by the cloud providers, that can be utilized to adhere to the principle of least privilege.
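The two recurring points in these answers, misconfigured storage buckets and over-privileged IAM policies, can both be caught by the same kind of check: lint the policy documents for Allow statements that grant access to everyone or to everything. The following is an added illustration, not code from the interview or from Assured; the policy documents are constructed samples in AWS policy syntax, and the finding labels are hypothetical.

```python
import json

WILDCARD = "*"


def _as_list(value):
    """AWS policy fields may be a single value or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """Principal "*" or {"AWS": "*"} means any caller, including anonymous ones."""
    if principal == WILDCARD:
        return True
    if isinstance(principal, dict):
        return WILDCARD in _as_list(principal.get("AWS"))
    return False


def _has_wildcard(values):
    return any(v == WILDCARD for v in _as_list(values))


def find_overly_permissive(policy_json):
    """Return (statement id, finding) pairs for Allow statements that grant too much.

    Resource policies (e.g. on an S3 bucket) carry a Principal; identity policies
    attached to users or roles do not, so only the Action/Resource checks apply to them.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        if _principal_is_public(stmt.get("Principal")):
            findings.append((sid, "public-principal"))
        if _has_wildcard(stmt.get("Action")):
            findings.append((sid, "wildcard-action"))
        if _has_wildcard(stmt.get("Resource")):
            findings.append((sid, "wildcard-resource"))
    return findings


# Constructed sample: a bucket policy that makes every object world-readable.
PUBLIC_BUCKET_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
# Constructed sample: an identity policy granting every action on every resource.
ADMIN_STYLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})
# Constructed sample: a scoped policy that should produce no findings.
SCOPED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadOnly", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})
```

Findings are a starting point for review rather than a verdict: a public principal restricted by a Condition, or a `Resource: "*"` on an action that takes no resource, may be legitimate and needs a human look.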

JG: What’s the future of cloud security?

PA: The cloud itself will be the target.

As you might have noticed, the previous answers have been focused on configuration and secure defaults. Over time cloud security will mature, secure defaults will be the standard, and most of the users will be familiar with these environments. This will reduce the number of misconfigurations and will force adversaries to focus more on the control plane and the services themselves. Do not get me wrong: there have been vulnerabilities in these areas already, but over time I believe that attacks towards them will increase.
