By Elisa Cassi | Cyber Product and Services Manager at Nettitude
Cloud technology is set to benefit organisations through a range of unique opportunities in terms of agility, resiliency, economy and enhanced workforce productivity. Whilst the adoption of cloud technology does not necessarily pose an inherent cybersecurity risk compared with on-premise models, existing problems in the applications being moved are likely to be amplified if key emerging risks and newly discovered attack techniques and vulnerabilities are not identified and properly managed. This is particularly relevant for certain deployment models, such as “lift and shift”, because issues that were risk-accepted on the strength of security controls present in the on-premise environment do not necessarily translate to acceptable risks in the cloud environment.
We see that cloud service providers are prioritising efforts and resources to secure their infrastructure platforms and are in fact enabling improved security. In this blog the opportunities coming from cloud adoption are discussed, and in particular the key differentiators of cloud security are outlined.
Cloud Security: changes to cybersecurity introduced by the Cloud
From a cybersecurity perspective, the transition to cloud-based architectures and the underpinning adoption of DevOps culture has led to a number of changes in the traditional attack surface of an organisation. While the objectives and motivations of attackers remain the same, the Techniques, Tactics and Procedures (TTPs) employed by malicious actors have changed. To secure cloud environments, we need to explore these changes and adapt security management and threat detection approaches accordingly.
1. Key emerging risks
Traditional cybersecurity risks evolve as the cloud adoption scales up. Regardless of the implementation models (on-prem or cloud), risks are controlled through technologies and processes, and transferred or shared through cyber insurance. Deciding which risk controls to implement and what secure practice to adopt is driven by regulation or legislation, market dynamics, awareness and change in mindset. The adoption of the cloud brings a new perspective on the following aspects in particular:
Ownership and responsibility
As cloud security is a shared responsibility, many organisations are unclear on how the division of duties between the business and the third party works across a number of areas, including security. The big question is “who is responsible for what?”. Regulators have specified that while responsibility for discrete areas may be outsourced, overall accountability for compliance of the solution cannot be delegated. It is clear that cloud vendors focus on the security of the cloud infrastructure (the physical infrastructure, but also compute, storage and networking resources), while application owners are responsible for protecting applications, the OS, supporting infrastructure and other assets running in the cloud.
Cloud data security
Another big question… “Who is the owner of the data that is placed in the cloud?” When transitioning assets and operations to the cloud, due to the shared responsibility model, organisations have reduced visibility and control over their data and have sometimes struggled to demonstrate compliance with regulatory standards without possessing the level of control previously held with on-premise models. The main areas of contention are:
- Data residency, to maintain compliance with certain national and international standards
- Data protection, to ensure that appropriate safeguards are implemented to control access to personal information and that, in particular when using the public cloud, data belonging to other entities is sufficiently separated
- Data deletion, to ensure that information, when deleted by the user, is entirely removed from the dispersed storage infrastructure.
Legal frameworks and liability
Clear guidance and standard policy are still lacking across region and industry-specific regulatory jurisdictions despite the fact that regulators have committed to enabling cloud adoption. There is some uncertainty around aspects like:
- In the case of data loss in the cloud, who is responsible and what are the potential sanctions?
- Are there any binding norms in the context of warranties that may be relevant to cloud computing?
- What will happen in the case of insolvency or bankruptcy of the cloud provider?
- Are there any limitations of liability that may be relevant to cloud computing?
There are no simple answers to these questions that are valid in all jurisdictions, as the ramifications of cloud computing are complex and fast changing. In general, standards such as ISO 27017, ISO 27018 and NIST 800-53 provide some clarity.
The wide range of services offered by major cloud providers means that organisations need to find new ways to communicate requirements effectively and, in general, to manage the relationship. Challenges around vendor management arise from the division of responsibility between service provider and customer, the lack of standardisation of cloud service offerings across providers, inconsistent naming conventions, and so on.
2. New Opportunities
Perimeter Defence vs Identity-based Security Management
For cloud adopters, the traditional network perimeter no longer exists and access control becomes a question of identity-based access management. Instead of guarding entry and exit points to their network, cloud adopters verify the identity of the users consuming the services.
With a perimeter defence approach (typical of the on-premise model), once a malicious actor gains access, the risk of broader compromise is much greater, as multi-factor authentication is usually only applied at the perimeter and there is less separation between internal systems and applications.
In cloud deployments, cloud Identity and Access Management (IAM) solutions permit the implementation of segregation of privileges. Additionally, micro-segmentation of services can be applied to reduce an attacker’s ability to move laterally between hosts, by isolating network segments and containers.
Indeed, one of the great benefits of cloud computing is the intrinsic isolation of the cloud environment, which reduces an attacker’s opportunities for lateral movement.
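The segregation of privileges that cloud IAM makes possible only materialises if the policies attached to identities are actually scoped. The script below is an added example, not Nettitude's code and not any provider's tooling: it lints two constructed policy documents, a broad "recreate the on-premise admin account" policy and a least-privilege version of the same workload, for wildcard actions, wildcard resources, Allow statements built on NotAction, and any grant of permission-management actions. The document shape follows the AWS IAM JSON policy format (Version, Statement, Effect, Action, Resource); the action names, account id and bucket names are constructed sample values.

```python
"""Least-privilege lint for cloud IAM policy documents (added example).

Policies follow the AWS IAM JSON policy shape; the two documents below are
constructed samples, not policies from any real account.
"""
import fnmatch
import json

# Constructed: the on-premise admin role lifted into the cloud unchanged.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed: the same workload, scoped to the objects and log group it uses.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::example-app-bucket/*",
        },
        {
            "Effect": "Allow",
            "Action": "logs:PutLogEvents",
            "Resource": "arn:aws:logs:eu-west-2:123456789012:log-group:/app/*",
        },
    ],
})

# Actions that change who can do what. A workload identity that can call
# these is one step away from granting itself anything, so they belong to a
# separate, MFA-protected administrative role (segregation of privileges).
PERMISSION_MANAGEMENT_ACTIONS = {
    "iam:attachuserpolicy", "iam:attachrolepolicy", "iam:putuserpolicy",
    "iam:putrolepolicy", "iam:createaccesskey", "iam:createpolicyversion",
    "iam:updateassumerolepolicy", "iam:passrole",
}


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action, Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_violations(policy_json: str) -> list[tuple[int, str]]:
    """Return (statement index, finding code) pairs for each Allow statement
    that breaks least privilege. Deny statements only narrow access and are
    skipped. Action matching is case-insensitive, as it is in IAM."""
    policy = json.loads(policy_json)
    findings: list[tuple[int, str]] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            # "Allow everything except X" is a broad grant by construction.
            findings.append((idx, "allow_with_notaction"))
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((idx, "wildcard_action"))
        if "*" in resources:
            findings.append((idx, "wildcard_resource"))
        # The policy's action may itself be a glob ("iam:*"), so match each
        # sensitive action against it rather than the other way round.
        if any(fnmatch.fnmatchcase(admin, pattern)
               for pattern in actions for admin in PERMISSION_MANAGEMENT_ACTIONS):
            findings.append((idx, "grants_permission_management"))
    return findings


if __name__ == "__main__":
    for label, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(label, find_violations(doc) or "no findings")
```

The check is deliberately conservative: it flags the shape of a grant, not its runtime use. A finding such as `grants_permission_management` on a workload role is the cue to move that action into a separate administrative identity, which is the segregation the text describes.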
Security Monitoring and Threat Detection
Cloud adoption changes fundamental assumptions in how to perform threat detection and event monitoring. In on-prem environments, the most reliable telemetry has historically come from endpoints. Typically, a combination of endpoint detection/response products and perimeter defences generates event data that is fed into a SIEM. The SIEM then generates alerts and triggers automated responses to known bad activity. In the cloud, the core detection focus has moved from the endpoints towards the management plane. By management plane we mean the collection of APIs (Application Programming Interfaces) that allow an administrator to integrate applications and other workloads into the cloud. Attackers are likely to use these APIs to perform actions that move them closer to their targets, so it is fundamental that organisations examine the security aspects of their APIs. Are these secure enough to successfully integrate third-party applications? Do they support proper authentication and do they fit well with the IAM in use?
In terms of SIEM, the major cloud providers have worked toward providing integrated SIEMs and attack detection systems, so that users with limited resources can leverage the providers’ offerings instead (e.g. AWS GuardDuty works as an IDS for AWS accounts and resources, and Azure Sentinel works as a SIEM for the Azure platform).
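To make the shift from endpoint to management-plane telemetry concrete, here is an added example, not Nettitude's code and not a rule set from GuardDuty or Sentinel, that runs three detections over a handful of constructed management-plane audit records. The record layout (eventName, eventSource, sourceIPAddress, userIdentity.arn, sessionContext.attributes.mfaAuthenticated) is loosely modelled on AWS CloudTrail JSON, and the API names used in the rules (StopLogging, DeleteTrail, CreateAccessKey, AttachUserPolicy and so on) are real CloudTrail event names, but the identities, IP addresses and baseline are constructed sample data.

```python
"""Management-plane detections over audit records (added example).

Input is newline-delimited JSON loosely modelled on AWS CloudTrail; the
sample below is constructed and does not come from any real account.
"""
import json
from collections import Counter

# Constructed sample: a deployment identity that normally only reads objects
# suddenly mints a new access key and switches off audit logging, from an IP
# address it has never used before. The admin's later policy change is made
# with MFA from a known address and should stay quiet.
SAMPLE_LOG = """\
{"eventTime": "2023-05-01T09:00:12Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/app-deploy", "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}}
{"eventTime": "2023-05-01T09:03:45Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.77", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/app-deploy", "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}}
{"eventTime": "2023-05-01T09:04:02Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "sourceIPAddress": "198.51.100.77", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/app-deploy", "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}}
{"eventTime": "2023-05-01T10:15:30Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy", "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/sec-admin", "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}}
"""

# Constructed baseline: source addresses each identity has been seen from.
BASELINE_IPS = {
    "arn:aws:iam::123456789012:user/app-deploy": {"203.0.113.10"},
    "arn:aws:iam::123456789012:user/sec-admin": {"203.0.113.10"},
}

# API calls that blind the audit trail itself.
LOGGING_TAMPERING = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}
# API calls that change identities or their permissions.
PRIVILEGE_CHANGES = {"AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
                     "PutRolePolicy", "CreateAccessKey", "CreateUser",
                     "CreateLoginProfile"}


def parse_events(log_text: str) -> list[dict]:
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def _mfa_used(event: dict) -> bool:
    """Treat a missing MFA attribute as 'no MFA', which is the safe default."""
    attrs = (event.get("userIdentity", {})
                  .get("sessionContext", {})
                  .get("attributes", {}))
    return attrs.get("mfaAuthenticated") == "true"


def detect(events: list[dict], baseline_ips: dict[str, set[str]]) -> list[dict]:
    """Run the three rules in order over the events and return alert records."""
    seen_ips = {ident: set(ips) for ident, ips in baseline_ips.items()}
    alerts: list[dict] = []

    def alert(rule: str, ev: dict) -> None:
        alerts.append({
            "rule": rule,
            "identity": ev["userIdentity"]["arn"],
            "eventName": ev["eventName"],
            "eventTime": ev["eventTime"],
            "sourceIPAddress": ev["sourceIPAddress"],
        })

    for ev in events:
        name, ident, ip = ev["eventName"], ev["userIdentity"]["arn"], ev["sourceIPAddress"]
        if name in LOGGING_TAMPERING:
            alert("logging_tampering", ev)
        if name in PRIVILEGE_CHANGES and not _mfa_used(ev):
            alert("privilege_change_without_mfa", ev)
        # Fire once per identity/address pair, then learn the address so the
        # same session does not produce a flood of identical alerts.
        known = seen_ips.setdefault(ident, set())
        if ip not in known:
            alert("new_source_ip", ev)
            known.add(ip)
    return alerts


def alerts_by_identity(alerts: list[dict]) -> dict[str, int]:
    """Summarise which identities need attention first."""
    return dict(Counter(a["identity"] for a in alerts))


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG), BASELINE_IPS)
    for a in found:
        print(a["eventTime"], a["rule"], a["identity"], a["eventName"], a["sourceIPAddress"])
    print(alerts_by_identity(found))
```

None of these rules looks at a host: the evidence is entirely in who called which API from where, which is why management-plane audit logging must itself be protected, and why an attempt to stop it is the highest-priority signal of the three.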
Asset Inventory and Visibility
Visibility of resources and their security configuration is key for all types of deployment. IT managers responsible for on-prem deployments rely on network visibility tools to stay aware of everything within and moving through their network. This can prove a challenging task as networks become more dynamic, with third parties gaining access for maintenance purposes and supply chains adding to the complexity. Failing to keep track of where assets are deployed and which software version they are running could easily lead to unpatched devices or outdated versions of software running across the estate. Many cloud providers have introduced dashboards such as Security Center (Azure) and Cloud Security Command Center (GCP), which provide comprehensive visibility into all aspects of the environment.
To learn more about all these topics and understand how Nettitude can help you test your cloud provider’s resilience, check our Cloud Penetration Testing page.