Want to find the biggest cloud security threat? Look in the mirror [Q&A]
It seems not a day goes by without a new cloud data breach making headlines. And though the victims change, the attack details remain the same. Why do organizations keep repeating the same cloud security mistakes? And how can we break free from this vicious cycle?
We spoke to Zach Malone, security engineer at security management specialist FireMon, who discusses these issues and tells us why, to identify the biggest threat to cloud security, we need to look in the mirror.
BN: What is the most common cause of cloud breaches?
ZM: The vast majority of all the known cloud data breaches to date have been caused by configuration errors, which is a polite way of saying human error or lack of knowledge is at fault. You don’t have to look hard to find real-world examples either. Microsoft, World Wrestling Entertainment, Time Warner Cable, FedEx and Verizon are just a few high-profile examples of organizations that have been breached due to cloud misconfigurations. In fact, configuration errors have become so common in cloud-based migrations and application deployments that, many times, cybercriminals don't even bother with sophisticated attacks; they simply look for gaping holes in security defenses due to misconfigurations.
BN: How do configuration errors happen?
ZM: Typically in one of two ways. The first is misconfigured cloud-native security controls. Breaches of this nature are almost always due to the data owner’s lack of knowledge about how to use the native security controls offered on the cloud platform. Most major cloud providers have a shared security model that defines what the provider will secure and what the client is liable to secure on its own. This is typically referred to as 'Security OF the Cloud' (provider) and 'Security IN the Cloud' (client). Unfortunately, enterprises often don't fully understand where the cloud provider's responsibilities end, and theirs begin.
We also frequently see organizations misconfiguring their own enterprise security controls, which often occurs when services and applications are moved to the cloud too hastily. For instance, when moving an application to the cloud, what happens to all of the third-party integrated applications and services that used to surround and protect it (e.g., authentication, access and identity controls; content filtering; and next-gen firewalls)?
BN: How can organizations reduce the likelihood of cloud misconfigurations?
ZM: The first step is education and awareness for everyone involved in designing, implementing and administering cloud applications. After that, the best way to reduce the risk of configuration errors is to have complete consistency of security policy enforcement across environments -- or as close to 100 percent consistency as possible, with a defined plan outlining how to handle the risks created by any gaps.
The challenge then usually revolves around cloud provider offerings. Many times, cloud providers have a significantly smaller portfolio of security applications and features, leaving organizations with gaps between what is available in the cloud and what can be done on-premises. Because of this, it's important to understand the levels and types of security controls offered before selecting a cloud provider. Significant gaps in controls can pose unacceptable risks to clients.
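The consistency check Malone describes can be made concrete. The script below is an added example, not FireMon's code or anything from the interview: it normalises allow-rules from a hypothetical on-prem firewall syntax and from security-group-style ingress entries into one neutral form, then reports drift in both directions. What on-prem enforces but the cloud copy lacks is a consistency gap to plan around; what the cloud copy permits that on-prem never did is the kind of misconfiguration the earlier answers describe. Both rule sets are constructed sample data.

```python
"""Policy-drift check across environments (added example; hypothetical formats)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One allow rule in an environment-neutral form."""
    proto: str
    port_lo: int
    port_hi: int
    src: ipaddress.IPv4Network

    def covers(self, other: "Rule") -> bool:
        """True if this rule permits everything `other` permits."""
        return (self.proto == other.proto
                and self.port_lo <= other.port_lo
                and self.port_hi >= other.port_hi
                and self.src.supernet_of(other.src))


def parse_onprem(lines):
    """Parse a hypothetical on-prem syntax: 'allow tcp 443 from 10.0.0.0/8'."""
    rules = set()
    for line in lines:
        parts = line.split()
        if parts[0] != "allow":          # the trailing 'deny any any' adds no allow
            continue
        proto, port, src = parts[1], int(parts[2]), parts[4]
        rules.add(Rule(proto, port, port, ipaddress.ip_network(src)))
    return rules


def parse_cloud(ingress):
    """Parse security-group-style ingress entries (hypothetical dict shape)."""
    rules = set()
    for entry in ingress:
        for cidr in entry["cidrs"]:
            rules.add(Rule(entry["protocol"], entry["from_port"],
                           entry["to_port"], ipaddress.ip_network(cidr)))
    return rules


def compare(onprem, cloud):
    """Return (on-prem rules not enforced in cloud, cloud rules broader than on-prem)."""
    missing = {r for r in onprem if not any(c.covers(r) for c in cloud)}
    broader = {c for c in cloud if not any(r.covers(c) for r in onprem)}
    key = lambda r: (r.proto, r.port_lo, r.port_hi, str(r.src))
    return sorted(missing, key=key), sorted(broader, key=key)


# Constructed sample policies: the same application before and after migration.
ONPREM_RULES = [
    "allow tcp 443 from 10.0.0.0/8",
    "allow tcp 22 from 10.1.2.0/24",
    "deny any any",
]
CLOUD_INGRESS = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["10.0.0.0/8"]},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]},
    {"protocol": "tcp", "from_port": 3389, "to_port": 3389, "cidrs": ["0.0.0.0/0"]},
]


def run_check():
    """Run the drift check on the sample data; returns (missing, broader) lists."""
    return compare(parse_onprem(ONPREM_RULES), parse_cloud(CLOUD_INGRESS))


if __name__ == "__main__":
    missing, broader = run_check()
    for r in missing:
        print(f"GAP: on-prem allows {r.proto}/{r.port_lo} from {r.src}, cloud does not")
    for r in broader:
        print(f"RISK: cloud allows {r.proto}/{r.port_lo} from {r.src}, on-prem never did")
```

On the sample data nothing is missing from the cloud side, but SSH was widened from one subnet to the whole internet and an RDP rule appeared that had no on-prem counterpart; those two findings are exactly the gaps a migration plan should have to explain or close.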
BN: Speaking of personnel, what stakeholders need to be involved in cloud deployments and migrations?
ZM: Whether deploying a new cloud service or migrating an existing system to the cloud, security personnel, developers, business stakeholders and appropriate upper management should all be involved in security control development and implementation. Much like business continuity or disaster planning, this is the only way to ensure the proper balance between business objectives and security priorities.
When security is excluded from these processes, or someone who does not have knowledge of the pre-existing security controls and strategies takes charge of the process, it usually leads to unintended configuration errors -- which then creates situations that result in the breach headlines we see all too often. This is why it’s so important that all stakeholders are properly educated on security efforts and work together toward the common goal of reducing enterprise risk.
BN: Are there any other tips that you can share to help organizations prevent cloud breaches?
ZM: We talked about making sure security controls and policies are consistent across hybrid environments, but, as we keep moving to more dynamic environments where new technologies and development processes are implemented all the time, this can be extremely difficult, if not impossible, to do manually while maintaining proper speed of business.
One of the more fascinating developments born from this conflict is the idea of intent-based security and networking, which sets up templates and/or tags for security policy and network pathing design. This moves security away from defining each new application or server, and toward defining an application/server type, which is then applied to different applications/servers as a development team creates them.
Proper security rules are then automatically applied to these new apps and servers based on their type, and the manual process is reduced greatly. This also makes change management much easier, as changing the nature of an application or server can be handled by simply re-tagging it or swapping the template it has been assigned.
To recap, at a high level, intent-based network security layers intent onto implementation, effectively bridging the traditional gap between business and security by enabling business owners and DevOps teams to determine the business intent of applications (and the related security and compliance requirements), while, in parallel, allowing security teams to automate the response to access requests required to enforce that intent. The result is continuous compliance with enterprise security intent across any IT asset, in any computing environment. While this isn’t a reality for many organizations today, it is possible -- and it's where the industry is headed. And there’s no question that the flexibility and speed offered by cloud providers is playing an instrumental role in this movement.
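The template-and-tag model described in the last answer can be sketched in a few dozen lines. This is an added example, not FireMon's product code and not part of the interview: security defines one rule template per workload role, workloads carry a role tag, and the effective rules for every workload are derived from the tags. A template source may itself be a role name, which is expanded to the addresses of the workloads currently carrying that tag, so adding a server or re-tagging one re-derives its peers' rules without anyone editing rules by hand. An untagged workload gets no allow rules (default deny) and is reported, since a missing tag is the new form of the misconfiguration the interview opened with. Workload names, addresses and roles are constructed sample data.

```python
"""Intent-based (tag-driven) policy derivation (added example; hypothetical data)."""
from dataclasses import dataclass, field

# Templates defined once by security: role -> {(proto, port, source)}.
# A source is either a CIDR or another role name to be expanded at derivation time.
TEMPLATES = {
    "web-frontend": {("tcp", 443, "0.0.0.0/0")},
    "app-tier":     {("tcp", 8080, "web-frontend")},
    "database":     {("tcp", 5432, "app-tier")},
}


@dataclass
class Workload:
    name: str
    address: str              # single host address
    tags: dict = field(default_factory=dict)


def resolve(templates, workloads):
    """Derive {workload name: set of (proto, port, source_cidr)} from role tags.

    Returns (effective_rules, untagged_names). Workloads with no known role
    get an empty rule set, i.e. default deny, and are listed for follow-up.
    """
    by_role = {}
    for w in workloads:
        by_role.setdefault(w.tags.get("role"), []).append(w)

    effective, untagged = {}, []
    for w in workloads:
        role = w.tags.get("role")
        if role not in templates:
            untagged.append(w.name)
            effective[w.name] = set()
            continue
        rules = set()
        for proto, port, src in templates[role]:
            if src in templates:            # source is a role: expand to its members
                for peer in by_role.get(src, []):
                    rules.add((proto, port, peer.address + "/32"))
            else:                           # source is a literal CIDR
                rules.add((proto, port, src))
        effective[w.name] = rules
    return effective, untagged


def sample_inventory():
    """Constructed inventory: three tagged tiers plus one server nobody tagged."""
    return [
        Workload("web1", "10.0.1.10", {"role": "web-frontend"}),
        Workload("app1", "10.0.2.10", {"role": "app-tier"}),
        Workload("db1", "10.0.3.10", {"role": "database"}),
        Workload("scratch1", "10.0.9.9"),
    ]


def run_demo():
    """Derive rules, then re-tag scratch1 as app-tier and derive again."""
    inventory = sample_inventory()
    before, untagged_before = resolve(TEMPLATES, inventory)
    inventory[3].tags["role"] = "app-tier"   # the change-management step: a re-tag
    after, untagged_after = resolve(TEMPLATES, inventory)
    return before, untagged_before, after, untagged_after


if __name__ == "__main__":
    before, u1, after, u2 = run_demo()
    print("untagged before:", u1, "after:", u2)
    print("db1 before:", sorted(before["db1"]))
    print("db1 after: ", sorted(after["db1"]))
    print("scratch1 after:", sorted(after["scratch1"]))
```

Before the re-tag, db1 accepts 5432 only from app1 and scratch1 has no rules at all; after tagging scratch1 as an app-tier server, db1 automatically gains a 5432 rule for it and scratch1 inherits the app-tier template, with web1 as its only permitted source. That is the whole change-management story the interview describes, reduced to one tag edit.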