RSA: Beware of ransomware attacks in the cloud

RSA Security's Rashmi Knowles spoke with SearchCloudSecurity about how new ransomware attacks are targeting cloud service providers and what enterprises can do about it.

For cloud security, it may well be the best of times and the worst of times, according to RSA Security's Rashmi Knowles.

For Knowles, chief security architect of RSA's EMEA region, the cloud offers more enterprise security benefits than traditional on-premises IT, yet the rise in cloud threats, including targeted ransomware attacks, is a growing concern. In fact, while she's seen growing adoption of cloud services across the various countries in her region, as well as a better handle on shadow cloud services, Knowles said various types of cloud service providers are being hit directly with ransomware attacks.

Knowles spoke with SearchCloudSecurity at RSA Conference 2016 in San Francisco about addressing new and old cloud threats, how to defend against ransomware, and the security benefits of using enterprise cloud services. Here is part one of the interview with Knowles:

You cover a very large and diverse region. What level of cloud adoption do you see across EMEA? And do they have the same concerns about cloud visibility?  

Rashmi Knowles: In terms of cloud adoption, it's incredible because all the data that you see says security is the number one threat that stops people adopting cloud. That's what research shows. But the reality is very different, because I think the ROI for moving to the cloud is so powerful that companies are moving data to the cloud because it makes so much sense.

And if you're using a cloud service provider, then obviously they have a level of security, and again, it depends on the type of data. Now, when I talk to customers I typically advise them that if it's really sensitive data, then you keep it in-house, and then for everything else, you can move stuff to the cloud. So you end up with a hybrid environment, but at least you're managing; you're keeping your most valuable stuff to yourself and you're protecting that, and then you're using the economies of scale of the public cloud.

Do you feel like the cloud is a better alternative for enterprises from a security perspective?

Knowles: If you're adopting that hybrid cloud environment, then it gives you all the benefits of the cloud and actually, personally, I think security is much stronger in the cloud, because there's lots of different ways that you can manage security. So, if you look at a virtual environment for example, there are security capabilities that you can run at a hypervisor-level across your whole cloud environment, rather than having to do malware updates on individual machines or something like that. So it actually makes it a lot easier to run it, run your security controls there. And it also means you might need the traditional security tools; if you think about something like DLP, even though you've got a virtual cloud environment, the data doesn't move from machine to machine. So, if you're running DLP, you're not going to see anything.

I think you probably think about it differently, and you configure that differently. I think if you are a larger organization, then that hybrid cloud environment is probably the best of both worlds because you're getting the benefits of using cloud but actually you're keeping your data to yourself. Now, for SMEs, it's a completely different game, right, because I think for SMEs, they don't have the resources in-house. By adopting the cloud it actually makes them a lot more secure even if the cloud service provider doesn't meet all their requirements, and doesn't necessarily tick all their boxes. It's actually a lot more than they could do in-house. It makes a lot of sense for them to adopt a lot of the cloud-based services, because they don't know any better.

But do those companies worry about, "What are my employees doing with the cloud, and are they accidentally exposing the data, or are they exposing the credentials?"

Knowles: Shadow IT is huge, and I think again, the mindset is changing. A CISO would typically say "no" when you went to him and said, "We want to deploy a cloud service to do some number crunching," or just stand up a new app or whatever it is. I think that mindset is changing to, "Yes, you can do it." Because at least if you know that they're doing it, then you, from a security perspective, have visibility and you can understand your risk, and therefore you can manage that risk.

I think a lot of companies use cloud services. ... Look at something like buying an Amazon service, for example. Put it on a credit card. You just need it for a month because you've got a new project coming up. You don't have enough resources in-house to do it, so you buy some number-crunching power. You do that, and you have your service up and running, and you launch it, and then you obviously stop using that cloud service. So I think shadow IT used to be a much bigger problem than it is now. I think the biggest risk to cloud service providers is the whole ransomware thing, because we've seen some examples of that where we've had cloud service providers being told "We've got all your data."

So they're being hit directly with ransomware attacks?

Knowles: Yes, they're being hit directly. The [cybercriminals] are attacking the cloud service provider and saying, "You have 1,000 customers, and we have control of all the data of your 1,000 customers. And if you don't pay us, we'll delete it," or whatever it is. From a cloud perspective, I think if you're working with a cloud service provider that's probably the bigger threat.

I'm assuming the real, enterprise-ready cloud services are falling victim to this. Are we talking about lower-level cloud apps or maybe consumer-level services?

Knowles: No, it's the same. I'm not saying any names. There's one particular cloud provider, and actually they're active in the U.S. as well, and they've had a number of attempts in Europe for ransomware. So I think that's probably something that we will see. And increasingly, I think ransomware's becoming more common. Not just for cloud but for everything else. You see that in the press.

And think about the ROIs. If you're a hacker, you can go to various sites, you download a logo, you download your ransomware message, whatever that is, [and] you create your malware probably on a managed service. Probably costs you $7 to $10, maybe. That's your ROI. So for $10, if you're smart enough to infiltrate a cloud service provider, you could get a few million dollars.

Looking at where organizations are today with their various levels of maturity, both in the infosec enterprise security and cloud adoption, do you feel like there is one specific type of threat that's emerged as the most pressing that companies are worried about, whether they're in financial services or another vertical, whether they're in the European Union or the Middle East?

Knowles: I guess the scariest one is ransomware. I think that's the one that we're beginning to see a lot of in various guises, obviously on the consumer level as well, but I mean all the way down to somebody as big as a cloud service provider. And recently we've had some interesting ones. One of our local councils in the UK had a ransomware attack, and they were reduced to pen and paper for a whole week. They had no access to any of their data, including their phones. All the council services, everything for a whole week was all shut down. And then the debate about whether you actually pay for the ransomware is an interesting one as well, because a lot of people are saying, "Well, if you pay, then it sets a precedent and you'll see more and more of those types of attacks." But then what choice do you have if you are a cloud service provider and you're held to ransom? All your data's been encrypted and you've got 1,000 clients. What are you going to do? You're going to pay them.

I think it'll be interesting to see how that plays out in the next year or so if we see any big examples of that, where it's happened and it's made public. Because the other thing is that I think ransomware is something that people will keep quiet. I think it's something that organizations will probably not want to make public. Obviously, if it's government or healthcare you're going to know about it.

And I think the smart ones also have good backup and recovery capability. So, if you're a service provider, and you're consistently backing up that environment somewhere very safe, then if you are held to ransom, hopefully they'll only attack one of your sites, and you can say, "It's fine. We're not going to pay, because we've got that [backed up]."
