Principle Logic, LLC
Published: 01 May 2019
With developments around artificial intelligence, the need for managing the internet of things, and newer offerings such as device as a service, enterprises continue to push forward into the cloud. And rightly so. The cloud as we've known it over the past decade has evolved to make modern computing both simpler and, in many cases, much more cost-effective. Cloud services can help minimize security risks as well. The Cloud Security Alliance has made a huge contribution to this space. Additional standards and best practices have been put forth by NIST and the Center for Internet Security. Security vendors such as Tenable and Cloud Conformity also help provide insight and guidance on making the cloud experience as resilient to attack as possible. It all makes sense.
At first glance, it appears that all is well in terms of cloud security. The resources, the services and the products are well established. Everyone now knows about the cloud and what it can offer. Still, something's amiss.
I work with many cloud service providers and cloud end users. Cloud security challenges are everywhere; vulnerabilities are present, and threats are lurking, ready to pounce. The business risks are as tangible as ever, and the breaches are still occurring. Why is this? Is it because the cloud is the new target? Maybe -- that's where more and more business assets are residing. Is it because cloud vendors aren't investing in the proper levels of security to protect their customers' assets? Perhaps -- cloud providers are under a lot of pressure to add new services and maximize uptime. It's the same traditional business model that everyone has struggled with for decades: time to market now, security later. It's just a challenge that is now present in the cloud rather than on premises.
There are lots of moving parts that facilitate today's cloud security challenges, but there's one that really stands out to me. It's not a lack of standards. It's not a lack of policies and procedures. It's not a lack of technical controls. It's much more complex, and it's something that comes with hair on top: people.
All the systems in the world and all the information they can possibly store can be moved to the cloud, and guess what? We're still going to witness the expected oversights, the unsurprising incidents and the same predictable breaches as before. Because even in the cloud, the human factors in cybersecurity remain. Perhaps, in the cloud, they're even greater. Sure, in certain cases, it's better to use someone else's environment that's scrutinized by many others than to go it alone. Regardless of the specific service -- such as cloud-based web applications, cloud-based products such as secure web gateways, or merely platform as a service or infrastructure as a service -- the risks are there whether or not anyone knows about them or is willing to admit it.
Even in the commoditized cloud environments that are presumed to be secure, network hosts, web applications and web service endpoints can be attacked by practically anyone on the internet. And you, the end user, may never know about it -- especially if your cloud vendors don't have the proper visibility and control needed for detection and response.
I often see cloud vendors tout their strong level of security, yet it's often no more than TLS and firewall protection with no controls where it often counts the most: Layer 7. There are also the cloud security challenges connected with internally accessible systems. These cloud systems may have limited access and a smaller network footprint, but they can still be at risk from threats such as malicious insiders and malware. Yet the paperwork is in place, and the boxes have been checked. Bystander apathy, whereby everyone's sitting around the table waiting for the other guy to do something, rules the day. Uninformed decisions are being made or nothing gets done at all. Business moves on, and the assumption is that all is well in cloud land … as far as they know.
Time passes and the cloud-related security risks continue to build.
To overcome cloud security challenges, you need to remember this: Just because you're not in control doesn't mean you're not responsible. There's no amount of paperwork -- i.e., service-level agreements or contracts, policies and incident response plans -- that can protect your business against a cloud-related breach. It's easy to assume that cloud vendors are doing all the right things all the time, but I can assure you they're not. You absolutely can't afford to overlook this side of cloud security. Don't let politics, misguided priorities or indecision affect your cloud security posture. They will if you let them, but you do have a choice. Based on what I see in my security assessment work, a lot of cloud vendors have the proper oversight and are doing what's necessary to keep their environments in check. But many others, not so much.
It's better to be on the proactive side of this equation than the reactive. If permitted, test your cloud environments yourself. At least ask your vendors for a copy of their latest security audit and security assessment reports. The latter one is key because it's much easier to have a clean service organization control audit report than it is to have a clean vulnerability and penetration testing report. I can assure you that your cloud environment security maturity level is not as robust as you think it is or your vendors claim it to be. Trust but verify. Ask the tough questions. Beef up controls where possible and reasonable. If you want to successfully tackle cloud security challenges, that's really the only defensible approach.