Previously in this series, we've identified six different cloud models and, based on the needs of a specific organization,...
five different enterprise deployment models. Organizations may have direct control over certain cloud models, enabling a straightforward approach in applying security controls; but when that level of control is lacking, an end-to-end layered model of protection is required to mitigate malicious and accidental threats.
The controls an organization considers effective on a trusted network are no longer applicable once a user moves to an untrusted network.
End-to-end cloud protection is not linear in nature or execution; rather, it is globular, with overlapping segments of controls due to the elasticity of globalized business models, disruptive computing technology and a dynamic threat landscape. Regardless of the possible threat vector, tiered protection ideally will stop an attack, or at the minimum, alert an organization's security team of an incident. There is an acute need for such measures as the cloud continues to stretch the boundaries of enterprise networks, making them practically nonexistent in their traditional form.
For an organization to achieve end-to-end security in the cloud, though, it must first take into account the sphere of access, the sphere of control and the ways security controls for cloud environments can and must be applied to adapt to those shifting spheres.
Defining the sphere of control
The ability to apply end-to-end security controls relies first on an organization's ability to understand just the sphere of access, which means understanding the types of devices that are connecting to corporate assets and the types of connections they are utilizing.
For instance, most organizations purchase laptops for their employees, but the mobility of such devices means they are not always facing the same threat profile. The use case for employees operating within a corporate network cloud environment will change when they take their laptop home and connect via a consumer-grade network or cloud service. The use case changes again when employees travel for business and connect to the corporate network from Wi-Fi hotspots in hotels and airports and at conferences.
With the bring-your-own-device movement in full tilt, enterprises can also expect employees to connect remotely via smartphones and tablets to, at a minimum, review company emails, though the rise of cloud-based applications like Salesforce.com often means employees are doing more complex tasks on mobile devices involving many more types of data. This represents yet another use case, as such devices are typically considered unmanaged. With a mobile workforce, companies should play it safe and expect each user to have at least four different use cases: at work, at home, travelling and personal mobile devices.
As employees move between different networks and clouds, their spheres of access will obviously change. The company's sphere of control also changes, meaning it must adjust the security controls in place to deal with these various spheres of access.
Based on a user's role, for example, access to specifics types of data might need to be limited when they connect via an external network. IT staff typically have 24/7/365 access to corporate networks, while temporary employees, in contrast, are often granted only limited remote access to corporate services.
Risk appetite may also influence the level of access given to an employee for certain types of information regulated by federal laws. Some organizations have determined it is best to provide sandboxed virtual desktops for accessing HIPAA-protected information. Typical configurations in this area include eliminating administrative rights for users, utilizing predefined applications, and restricting Internet access to go through an organization's firewalls and content protection technologies.
Ultimately though, the controls an organization considers effective on a trusted network are no longer applicable once a user moves to an untrusted network. For example, if the corporate firewall is not able to govern the connection, it's likely that the antivirus servers that update definition files are also inaccessible, as is the technology that controls patching. The sphere of control has changed, and once that happens, an organization's controls must follow suit to compensate for controls that are no longer applicable or effective.
Cloud security controls
The development of new cloud security controls requires a systematic approach. A simple method of control design is the near-far principle. Basically, security controls are best placed far from users when they are on trusted networks and near to users when they're on untrusted networks. So, when users are operating in untrusted cloud environments, enterprises should look to have a number of near security controls in place to prevent malicious attacks, including full-disk encryption, the enforcement of strong passwords, local antivirus and local firewall. (As an aside, cloud providers should utilize a hybrid version of this principle in which both near and far controls are considered; the provider does not control how, where and with what its customers may access cloud services.)
The cloud security controls that enterprises need to put in place aren't always so straightforward, however, because when the sphere of control changes, enterprises must prepare for a similar shift in the threat landscape. A prime example of a control that reduced the threat landscape on corporate clouds is content-filtering technology, which essentially limits the types of sites users may access and thus reduces the number of successful client-side attacks launched from compromised Web servers. However, if users move to an untrusted cloud, such as a hotel or even a home network, they may have a much greater degree of freedom when surfing the Web, bypassing the content-filtering technology in place on the corporate cloud and increasing the possibility of client-side attacks.
An underappreciated use case is the compromise of a trusted client, which, if that client is connected to the corporate cloud, brings an entirely different threat vector into a previously trusted environment. Without far controls in place, an organization is unlikely to detect a trusted client acting in a malicious manner, potentially resulting in a tarnished brand and reduced customer confidence.
Such a scenario was played out in the Operation Aurora attack in 2010, when Google's ingress controls were circumvented by a spear phishing attack. While such a breach should already be concerning, the attack turned into a full-scale compromise when the attackers were able to open covert channels and exfiltrate sensitive data. Had Google deployed at least two far controls, such as contextual access control or anomaly detection, the spear phishing attack could have been detected much sooner, and the attempt to exfiltrate data would have been detected and prevented.
Controls needed for every scenario
Whether an organization provides cloud services or purchases services from a cloud provider, it needs to understand that end-to-end cloud security controls are required to mitigate a variety of likely threats. Security teams must realize that cloud security controls must change as the sphere of access for users widens. That means mitigations and technologies must be put into place to account for both trusted and untrusted clouds, accessed via a variety of devices and networks. Without such controls, sophisticated and dedicated attackers will inevitably find a way to compromise an enterprise's cloud infrastructure.
About the author:
Ravila Helen White is the director of IT architecture for a healthcare entity. She is a CISSP, CISM, CISA, CIPP and GCIH, and a native of the Pacific Northwest.