Your IT Is Transforming. Is Your Security Keeping Up?
A 2018 Cloud Computing Survey by IDG revealed that 9 out of 10 companies have at least one application or a portion of their computing infrastructure in the cloud, with the rest expecting to follow by 2021. Enterprises increased their annual cloud-focused spending from $1.62M in 2016 to $2.2M by the end of 2018. Further, technology-dependent organizations in the Services, High-Tech and Financial sectors are planning to migrate all of their applications to the cloud. “Organizations are no longer questioning the need for cloud migration, rather they are now debating how best to leverage the new generation of cloud services and enabling multi-cloud architectures.”
To understand this major shift from data-center-based applications and their associated storage to cloud platforms, we need to look at the business needs that are driving the change. There are three main reasons:
1) Businesses are focusing on core functions and shifting away from owning and managing common IT services. They can capitalize on the economies of scale that third parties realize in managing hosting infrastructure, and get specialized care for their applications in this new model.
2) Businesses are taking advantage of global opportunities and adapting to changing market conditions, which drives the need for quick deployment and scalability. Business opportunities can be transient, and being first and fast to market can be the difference maker, and
3) Privacy requirements are dictating the identification, segregation and storage of citizen data within national borders. Privacy laws are being enacted globally and are in a constant state of flux. Global businesses are beginning to segregate and host data locally to preempt the challenges they will face once these draft regulations become law.
These three imperatives point to cloud service providers (IaaS) and the application vendors that build on those platforms (SaaS) as the solution. They enable business leaders to pursue opportunities wherever they arise by providing fast deployment, scalability, resiliency and in-country storage. The business is also able to shift focus quickly without worrying about sunk costs or large switching costs. Business leaders relish the consistency, stability and flexibility that IaaS and SaaS platforms provide, and will capitalize on them.
Cloud migration is well underway, and security teams need to understand the risks and secure this new landscape. The first question to ask is: if compute is heading to the cloud, where are your security tools? Are your security controls shackled to the data center? Are they cloud-ready, allowing you the same flexibility and scalability the business desires? What are the main concerns with exposure to the public cloud, and what should you do to address them?

Cloud security is a shared responsibility. The statement may be a cliché by now, but organizations failing to act on it is the root cause of many of the intrusions and data losses we hear about. Cloud providers have very low tolerance for intrusions, data loss and commingling of tenant data in their shared environment, so they have made every effort to give us, the data owners, visibility and control over our respective environments; it is a business imperative for them, alongside scalability, resiliency and automation. How much of the stack the provider takes off our hands depends on the service model, and the security team's engagement differs accordingly:
1) IaaS model, where the provider runs the physical and network infrastructure and the virtualization layer, and the customer is responsible for deploying and securing the operating system, the applications and the data.
2) SaaS model, a cloud-based turnkey application, where the provider runs everything up to and including the application and the customer brings their data, along with their security policies and standards, to a shared environment.
In both models the data owner keeps responsibility for authentication, authorization and continuous monitoring of access to the data; that responsibility never moves to the provider.
In the IaaS model, cloud account authentication and authorization are the first mitigation points. For security teams, exposing the infrastructure and its controls to the open internet is something to get used to: the management console and APIs are reachable from anywhere, so the account credentials are the perimeter. Cloud providers have strong authentication mechanisms that help mitigate this risk. Cloud account access can be protected with two-factor authentication, and user account authorization can be controlled and monitored by the InfoSec team. Both native services and third-party tools give security teams control over these requirements and further let them continuously monitor, alert and remediate when policies and standards are violated. The same control we exert at the enterprise perimeter with our stateful firewalls exists in the cloud environment as well: we can limit our IP exposure and decide which sources, ports and protocols are allowed to talk to our cloud gateways. We can further reduce the intrusion “blast radius” by segmenting the network with security rules and/or route tables. To let us scale and automate actions in our workloads, API keys can be used for authenticated access without hands-on-keyboard; treat them as the long-lived secrets they are, scope each to the minimum permissions its automation needs, rotate them, and prefer the provider's short-lived, role-based credentials where the workload supports them. This establishes a secure infrastructure baseline on which to deploy your apps and layer the application-level defenses. Of course, being in the cloud exposes your apps to DoS and application-specific attacks. There are native capabilities offered by the cloud provider that can mitigate the risk, or we can deploy cloud-delivered, third-party solutions purpose-built for your servers in the IaaS environment. Your layered defenses should focus on whitelisting inbound, outbound and intra-subnet traffic, while maintaining visibility and control over all remote interactions with your service front end.
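As an added illustration of the continuous-monitoring point above (example code written for this page, not tooling from the article or from any cloud provider), the following Python audits three of the controls just described against constructed sample data: inbound rules that expose sensitive ports to the whole internet, console users without two-factor authentication, and API keys past their rotation window. The record layout, the field names, the port list and the 90-day window are assumptions; a real run would populate the records from the provider's API rather than from the inline sample.

```python
"""Posture checks for an IaaS account: world-open ingress on sensitive
ports, console users without MFA, and API keys past their rotation window.

Added example for this page, not code from the article or a provider.
Records are constructed inline and only loosely shaped after typical
security-group and IAM credential data; field names are assumptions."""
from datetime import datetime, timedelta, timezone

ANYWHERE = {"0.0.0.0/0", "::/0"}
# Ports that should never be reachable from the whole internet (assumed list).
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}


def rule_covers_port(rule, port):
    """True if an ingress rule admits traffic to `port`.
    Protocol "-1" means all traffic and carries no port range."""
    if rule["protocol"] == "-1":
        return True
    return rule["from_port"] <= port <= rule["to_port"]


def find_open_ingress(groups, sensitive_ports=SENSITIVE_PORTS):
    """(group_id, port, cidr) for each sensitive port exposed to the whole
    internet.  Only inbound rules are examined; a rule scoped to a known
    office range is not a finding even if it opens SSH."""
    findings = []
    for g in groups:
        for rule in g["ingress"]:
            open_cidrs = [c for c in rule["cidrs"] if c in ANYWHERE]
            if not open_cidrs:
                continue
            for port in sorted(sensitive_ports):
                if rule_covers_port(rule, port):
                    findings.extend((g["id"], port, c) for c in open_cidrs)
    return findings


def users_without_mfa(users):
    """Console-enabled users with no MFA device registered."""
    return sorted(u["name"] for u in users
                  if u["console_access"] and not u["mfa_enabled"])


def stale_api_keys(users, now, max_age_days=90):
    """Active API keys older than the rotation window.  API keys are
    long-lived bearer credentials; an unrotated key is what keeps an
    old leak exploitable."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted((u["name"], k["id"]) for u in users for k in u["api_keys"]
                  if k["active"] and k["created"] < cutoff)


# Constructed sample data (not from any real account).
NOW = datetime(2019, 3, 1, tzinfo=timezone.utc)
GROUPS = [
    {"id": "sg-web", "ingress": [
        {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidrs": ["0.0.0.0/0"]},
        {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["203.0.113.0/24"]},
    ]},
    {"id": "sg-db", "ingress": [
        {"protocol": "tcp", "from_port": 5432, "to_port": 5432, "cidrs": ["0.0.0.0/0"]},
    ]},
    {"id": "sg-legacy", "ingress": [
        {"protocol": "-1", "from_port": None, "to_port": None, "cidrs": ["::/0"]},
    ]},
]
USERS = [
    {"name": "alice", "console_access": True, "mfa_enabled": True,
     "api_keys": [{"id": "key-1", "active": True, "created": NOW - timedelta(days=20)}]},
    {"name": "bob", "console_access": True, "mfa_enabled": False,
     "api_keys": [{"id": "key-2", "active": True, "created": NOW - timedelta(days=400)}]},
    {"name": "deploy-bot", "console_access": False, "mfa_enabled": False,
     "api_keys": [{"id": "key-3", "active": False, "created": NOW - timedelta(days=400)}]},
]


def audit(groups=GROUPS, users=USERS, now=NOW):
    """Run every check and return the findings keyed by check name."""
    return {"open_ingress": find_open_ingress(groups),
            "no_mfa": users_without_mfa(users),
            "stale_keys": stale_api_keys(users, now)}


if __name__ == "__main__":
    for check, hits in audit().items():
        print(f"{check}: {hits or 'ok'}")
```

On the sample data the audit flags the database group that opens PostgreSQL to the world, the legacy "all traffic from ::/0" rule (which covers every sensitive port, since an all-protocols rule has no port range), bob's console login without MFA, and bob's 400-day-old key; the SSH rule restricted to the office range and the deactivated key are correctly left alone. Scheduling a check like this against the live account, and alerting on any new finding, is the "continuously monitor, alert and remediate" loop described above.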
Security teams should also consider insider threat, as well as the use of compromised credentials, and address that risk with an anomaly detection or behavior analytics tool. This area is still nascent and is being developed for cloud environments; in practice it means baselining each principal's normal activity from the provider's audit logs and alerting on deviations from it.
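Added example of what such a behavior tool does at its core (written for this page; not code from the article or any product): build a per-principal baseline from a window of cloud audit events, then flag recent events that deviate from it in more than one way at once. The event field names, the privileged-action list, the /24 and /48 network grouping and the two-deviation alert threshold are all assumptions chosen for illustration.

```python
"""Baseline-and-deviation detection over cloud audit events, aimed at
compromised credentials and misused insider access.

Added example for this page, not code from the article or any product.
Events are constructed inline; the field names, the privileged-action
list and the alert threshold are assumptions."""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Actions that change who can do what (assumed list).  A first use of one
# of these by a principal, from a network it has never used, is the
# strongest signal this toy model produces.
PRIVILEGED = {"CreateUser", "CreateAccessKey", "AttachUserPolicy", "PutBucketPolicy"}


def network_of(ip):
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) so a host that
    changed DHCP address inside the same office still matches its baseline."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def build_baseline(events):
    """Per principal: source networks seen, actions taken, UTC hours active."""
    base = defaultdict(lambda: {"nets": set(), "actions": set(), "hours": set()})
    for e in events:
        b = base[e["principal"]]
        b["nets"].add(network_of(e["source_ip"]))
        b["actions"].add(e["action"])
        b["hours"].add(e["time"].hour)
    return base


def score(event, baseline):
    """Deviations of one event from its principal's baseline (empty = normal)."""
    b = baseline.get(event["principal"])
    if b is None:
        return ["unknown-principal"]
    reasons = []
    if network_of(event["source_ip"]) not in b["nets"]:
        reasons.append("new-network")
    # Working hours are treated as the window between earliest and latest seen.
    if not (min(b["hours"]) <= event["time"].hour <= max(b["hours"])):
        reasons.append("off-hours")
    if event["action"] in PRIVILEGED and event["action"] not in b["actions"]:
        reasons.append("first-privileged-action")
    return reasons


def detect(training, recent, min_reasons=2):
    """Alert on recent events that deviate in at least `min_reasons` ways.
    Requiring two independent deviations keeps a single late-night login
    from paging anyone; a principal absent from the baseline always alerts."""
    baseline = build_baseline(training)
    alerts = []
    for e in recent:
        reasons = score(e, baseline)
        if len(reasons) >= min_reasons or "unknown-principal" in reasons:
            alerts.append((e["principal"], e["action"], reasons))
    return alerts


def ev(principal, ip, action, when):
    """Build one constructed audit event."""
    return {"principal": principal, "source_ip": ip, "action": action,
            "time": datetime.fromisoformat(when)}


# Constructed sample data: a week of normal activity, then four new events.
TRAINING = [
    ev("alice", "203.0.113.10", "DescribeInstances", "2019-02-04T09:15:00"),
    ev("alice", "203.0.113.12", "ListBuckets", "2019-02-05T11:40:00"),
    ev("alice", "203.0.113.11", "DescribeInstances", "2019-02-06T16:05:00"),
    ev("deploy-bot", "192.0.2.50", "RunInstances", "2019-02-04T02:00:00"),
]
RECENT = [
    ev("alice", "203.0.113.5", "DescribeInstances", "2019-02-11T10:00:00"),  # normal
    ev("alice", "203.0.113.9", "ListBuckets", "2019-02-11T23:30:00"),        # late, same office
    ev("alice", "198.51.100.7", "CreateAccessKey", "2019-02-12T03:10:00"),   # stolen-credential pattern
    ev("mallory", "198.51.100.7", "ListBuckets", "2019-02-12T03:12:00"),     # never seen before
]


if __name__ == "__main__":
    for principal, action, reasons in detect(TRAINING, RECENT):
        print(f"ALERT {principal} {action}: {', '.join(reasons)}")
```

Run against the sample, only two of the four recent events alert: alice minting a new access key at 03:10 from a network she has never used (new network, off hours and a first privileged action, the classic shape of a stolen credential being made persistent), and an activity by a principal with no baseline at all. Her late-evening bucket listing from the office range scores a single deviation and stays quiet, which is the trade-off the threshold makes: fewer pages, at the cost of needing a second signal before an insider's off-hours browsing is surfaced.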
As the cloud migration heats up, a large number of enterprise applications are now delivered via the SaaS model. Enterprise customers with a “cloud-first” strategy are consistently asking their on-premises vendors for a cloud-native offering, for the reasons explained earlier. Applications that are new to the market are developed and delivered natively in the cloud, which lets the vendor get to market fast, scale as the customer base grows, and roll out updates and upgrades efficiently to the entire customer base. Subscribing to a SaaS solution lets the customer focus on data integrity, availability and confidentiality and leave infrastructure management to the application vendor. In this scenario, understanding the SaaS environment's security posture and managing user authorizations within the application play a pivotal role in securing the data sets. Evaluating your data hosting requirements against the data center's Tier classification and uptime standards ensures your organization's standards and policies extend into the SaaS environment. Additionally, a vendor security assessment can confirm that security controls are in place to protect the SaaS infrastructure, usually by reviewing the vendor's annual SOC 2 Type 2 report. This provides standards-based assurance over the physical security of the data center and the lower infrastructure layers of the SaaS provider; read the report's scope and any noted exceptions, since it covers only the controls the vendor chose to include, not how you configure the application. That leaves us with managing the authentication, authorization and monitoring of the data being stored. Since we are now at the application layer, we are reliant on the capabilities of the application. We can assess these capabilities against the organization's standards during the vendor security assessment to ensure the application supports role-based access control (RBAC), two-factor authentication, single sign-on (federated authentication through the organization's identity provider, so that joiner and leaver changes take effect in the application), and application event logging and monitoring.
Deploying a cloud-based proxy (a cloud access security broker, CASB) in the traffic path can provide more granular policy enforcement over the organization's traffic destined for the SaaS application gateway.
Cloud transformation is inevitable. Businesses relish the flexibility, scalability and financial unlock offered by cloud platforms. Security teams are business enablers and, as such, must align with their organization's long-term business objectives. They must understand the risks, deploy the available controls, and work with the cloud providers to develop additional mitigations, to best support the business's IT transformation strategy.