By Elisa Cassi | Cyber Product and Services Manager at Nettitude
Cloud technology is set to benefit organisations through a range of unique opportunities in terms of agility, resiliency, economy and enhanced workforce productivity. Whilst the adoption of cloud technology does not necessarily pose an inherent cybersecurity risk compared with on-premise models, existing problems in the applications being moved are likely to be amplified if key emerging risks and newly discovered attack techniques and vulnerabilities are not identified and properly managed. This is particularly relevant for certain deployment models, such as “lift and shift”, because issues that were risk-accepted on the strength of security controls present in the on-premise environment do not necessarily translate to acceptable risks in the cloud environment.
We see that cloud service providers are prioritising efforts and resources to secure their infrastructure platforms and are in fact enabling improved security. In this blog the opportunities coming from cloud adoption are discussed, and in particular the key differentiators of cloud security are outlined.
From a cybersecurity perspective, the transition to cloud-based architectures and the underpinning adoption of DevOps culture has led to a number of changes in the traditional attack surface of an organisation. While the objectives and motivations of attackers remain the same, the Techniques, Tactics and Procedures (TTPs) employed by malicious actors have changed. To secure cloud environments, we need to explore these changes and adapt security management and threat detection approaches accordingly.
Traditional cybersecurity risks evolve as cloud adoption scales up. Regardless of the implementation model (on-prem or cloud), risks are controlled through technologies and processes, and transferred or shared through cyber insurance. Deciding which risk controls to implement and which secure practices to adopt is driven by regulation or legislation, market dynamics, awareness and changes in mindset. The adoption of the cloud brings a new perspective on the following aspects in particular:
As cloud security is a shared responsibility, many organisations are unclear on how the division of duties between the business and the third party works across a number of areas, including security. The big question is “who is responsible for what?”. Regulators have specified that while responsibility for discrete areas may be outsourced, overall accountability for compliance of the solution cannot be delegated. It is clear that cloud vendors focus on the security of the cloud infrastructure (the physical infrastructure but also compute, storage and networking resources), while application owners are responsible for protecting applications, the OS, supporting infrastructure, and other assets running in the cloud.
Another big question… “Who is the owner of the data that is placed in the cloud?” When transitioning assets and operations to the cloud, due to the shared responsibility model, organisations have reduced visibility of and control over their data, and have sometimes struggled to demonstrate compliance with regulatory standards without possessing the level of control previously held with on-premise models. The main areas of contention are:
Clear guidance and standard policy are still lacking across region and industry-specific regulatory jurisdictions despite the fact that regulators have committed to enabling cloud adoption. There is some uncertainty around aspects like:
There are no simple answers to these questions that are valid in all jurisdictions, as the ramifications of cloud computing are complex and fast changing. In general, standards such as ISO 27017, ISO 27018 and NIST 800-53 provide some clarity.
The wide range of services offered by the major cloud providers means that organisations need to find new ways to communicate requirements effectively and, in general, to manage the relationship. Challenges around vendor management arise from the division of responsibility between service provider and customer, the lack of standardisation of cloud service offerings across providers, inconsistent naming conventions, etc.
For cloud adopters, the traditional network perimeter no longer exists and access control becomes a question of identity-based access management. Instead of guarding entry and exit points to their network, cloud adopters verify the identity of the users consuming the services.
Under a perimeter defence approach (typical of the on-premise model), once a malicious actor gains access the risk of broader compromise is much greater, as multi-factor authentication is usually only applied at the perimeter and there is less separation between internal systems and applications.
In cloud deployments, cloud Identity and Access Management (IAM) solutions permit the implementation of segregation of privileges. Additionally, micro-segmentation of services can be applied to reduce an attacker’s ability to move laterally between hosts, by isolating network segments and containers from one another.
Indeed, one of the great benefits of cloud computing is the intrinsic isolation of the cloud environment, which reduces the opportunity for lateral movement by an attacker.
Cloud adoption changes fundamental assumptions about how to perform threat detection and event monitoring. In on-prem environments, the most reliable telemetry has historically come from endpoints. Typically, a combination of endpoint detection/response products and perimeter defences generates event data that is fed into a SIEM. The SIEM then generates alerts and triggers automated responses to known bad activity. In the cloud, the core detection focus has moved from the endpoints towards the management plane. By management plane we mean the collection of APIs (Application Programming Interfaces) that allow an administrator to integrate applications and other workloads into the cloud. Attackers are likely to use these APIs to perform actions that move them closer to their targets; it is therefore fundamental that organisations examine the security aspects of their APIs. Are these secure enough to successfully integrate third-party applications? Do they support proper authentication, and do they fit well with the IAM in use?
In terms of SIEM, the major cloud providers have worked toward providing integrated SIEMs and attack detection systems, so that users with limited resources can leverage the providers' offerings instead (e.g. AWS GuardDuty works as an IDS for AWS accounts and resources, and Azure Sentinel works as a SIEM for the Azure platform).
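To make the shift from endpoint to management-plane detection concrete, here is a small added example (not Nettitude's code or any provider's tooling) that runs a few rules over constructed, simplified CloudTrail-style API events: it flags the calls that erode the privilege segregation and isolation discussed above (an administrator policy being attached, a console login without MFA, a security group opened to the internet) while letting routine data-plane reads pass. The event layout is flattened for illustration and the field names are assumptions; a real CloudTrail record nests some of these parameters more deeply.

```python
"""Toy management-plane detector over constructed CloudTrail-like events."""
from typing import Callable, Dict, List

# Constructed sample events in a simplified CloudTrail-like shape (not real
# logs; the field layout is flattened for illustration).
SAMPLE_EVENTS: List[Dict] = [
    {"eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": {"type": "IAMUser", "userName": "dev-alice"},
     "requestParameters": {"userName": "dev-alice",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "dev-bob"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"type": "AssumedRole", "userName": "ci-role"},
     "requestParameters": {"cidrIp": "0.0.0.0/0", "fromPort": 22}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "userName": "app-role"},
     "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"}},
]

def _params(ev: Dict) -> Dict:
    return ev.get("requestParameters") or {}

# Each rule targets an API call that weakens privilege separation or isolation:
# the management-plane actions an attacker needs on the way to a target.
RULES: Dict[str, Callable[[Dict], bool]] = {
    "admin-policy-attached": lambda ev: ev["eventSource"] == "iam.amazonaws.com"
        and ev["eventName"] in {"AttachUserPolicy", "AttachRolePolicy"}
        and _params(ev).get("policyArn", "").endswith("/AdministratorAccess"),
    "console-login-without-mfa": lambda ev: ev["eventName"] == "ConsoleLogin"
        and (ev.get("additionalEventData") or {}).get("MFAUsed") == "No",
    "ingress-open-to-internet": lambda ev: ev["eventName"] == "AuthorizeSecurityGroupIngress"
        and _params(ev).get("cidrIp") == "0.0.0.0/0",
}

def detect(events: List[Dict]) -> List[Dict]:
    """Return one finding per (event, matching rule); data-plane reads pass."""
    findings = []
    for ev in events:
        for rule, matches in RULES.items():
            if matches(ev):
                findings.append({"rule": rule, "actor": ev["userIdentity"].get("userName"),
                                 "eventName": ev["eventName"]})
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['actor']} called {f['eventName']}")
```

The same three rules are the sort of thing a provider-managed service such as GuardDuty raises out of the box; writing them yourself is only worthwhile where you need to tune them to your own IAM model.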
Visibility of resources and their security configuration is key for all types of deployment. IT managers responsible for on-prem deployments rely on network visibility tools to stay aware of everything within and moving through their network. This can prove a challenging task as networks become more dynamic, with third parties gaining access for maintenance purposes and the supply chain adding to the complexity. Failing to keep track of where assets are deployed and which software version they are running could easily lead to unpatched devices or outdated versions of software running across the estate. Many cloud providers have introduced dashboards such as Security Center (Azure) and Cloud Security Command Center (GCP), which provide comprehensive visibility into all aspects of the environment.
To learn more about all these topics and understand how Nettitude can help you test your cloud provider’s resilience, check our Cloud Penetration Testing page.