These are extraordinary times and in the haste to migrate to the cloud, organizations may be losing sight of security protocols, cautioned Ranulf Green, head of assurance USA for Context Information Security, a US-based cyber security consultant business.
The principal risk organizations face is “rushing an implementation, and therefore, bypassing their usual due diligence in favor of connecting employees who are virtually stranded without in-office access,’’ said Green, who was the guest on this week’s episode of Task Force 7 Radio, with host George Rettas, the president and CEO of Task Force 7 Radio, and Task Force 7 Technologies.
This typically affects teams within a large organization that “have the ability to ignore a wider organizational audit on what systems to use in favor of using their own shadow IT,’’ Green said.
One type of risk would be exposing company data through security configured services, he said, “for example, where a collaboration service has a share function that defaults anyone with an account on the platform, rather than just within that company.”
Additionally, cloud-based platforms have an increased attack surface, compared to legacy systems that were previously accessible only within the organization, like an on-premises email system, Green noted. “Attackers will have improved knowledge of those systems, and how it’s [easy to] break into them,’’ he said. They will potentially also have knowledge of existing exploits that can be applied across multiple businesses simultaneously, he said. “And you definitely don’t want to be on that list of targets.”
More Secure In The Cloud?
In response to a question from Rettas about what due diligence a company should do, Green said there are normally two approaches they should take.
“The first approach is to perform a configuration review against service providers,’’ he said. “This can ensure you’re hitting best practices — but by no means assures that you can’t be hacked. And secondly, you might also consider performing offensive security testing for suppliers who aren’t trusted, or suppliers who you do trust.” In either case, make sure you have their consent first, he said.
User error, Green said, is also a prime cause of cloud breaches.
Rettas asked if transitioning to the cloud makes applications and workloads more secure than using them on-premises?
Green said that’s the “million dollar question. “I would say yes. But there’s a million reasons why it might not be” as well.
Heavily regulated industries like financial services tend to take things more slowly, he said and are very careful about testing before migrating.
“Tech companies tend to be a little bit more free and easy with how they implement things, and they tend to move their systems into the cloud, not necessarily with the testing beforehand, but testing after,’’ Green said. “I think as long as you get the testing done, eventually, in terms of security, you’re going to be okay.”
Rettas asked if cloud service providers are “getting better at notifying customers when there’s a problem?” Green replied that they are getting better at notifying customers if there’s been a breach.
“They are being forced to do so, not just by regulation compliance, but also because there … are other services available to find out if an account has been compromised. So it’s important for the [cloud provider] to get ahead of it.”
After the notification of a breach, however, Green noted that he’s not sure whether cloud providers are improving their processes.
On-prem Vs. Cloud Infrastructure
The discussion then shifted to what some of the security benefits are for cloud versus on-prem infrastructures?
Green said that he is “a massive cloud convert, particularly AWS, which is not necessarily better, but it’s just the one I happen know more about.” He favors moving “everything to the cloud,” he said, because an organization can deploy complex architectures with minimal costs and conduct testing of “infinite iterations of a configuration before settling on the solution.”
This is good for when someone is conducting security testing of a particular solution, because it’s easier to change the architecture, he said. “For example, imagine you’ve gone and bought 10 firewalls for your new system, and you decide that they’re actually not what you need … and you’ve got to then send them back. It’s going to cost you a lot of money and take time as well.”
Cloud systems are generally well-documented, and have feature-rich security controls, both provided by the cloud provider and their third-parties, Green said. There are also well-defined industry best practices on how to deploy things better, he said.
“So in general, I would say that if you do move to cloud in the right way, and also make sure that you consider security when you’re doing the migration, you will be better off.”
Rettas asked Green to discuss the most important things to secure first once the decision has been made to architect a cloud environment.
Green replied that you want to secure everything. “When it comes to security, it’s normally the downfall of any CEO, to be honest with you” to take a “sampling approach,” he said.
He advised enabling multi-factor authentication for all users and locking down public-facing systems and assets that have public IP addresses attached to them. Green also suggested that security teams enforce network segregation by using multiple accounts for different business units, but also virtual networks within the cloud account.
Security In A Hybrid Cloud
Rettas asked Green to define a hybrid cloud environment and to discuss what type of security impact would companies have if they choose to use a hybrid cloud model?
“Hybrid cloud is an amalgamation of on-premises [systems], with one or more cloud providers. And I’ve seen the hybrid cloud term being used for different things. For example, all cloud, but using different cloud providers, or on-prem versus cloud providers,’’ Green replied.
The security impact remains the same, regardless of whether you use a hybrid cloud model or single cloud provider, he said. “Generally speaking, in a hybrid cloud environment, permanent connectivity between the cloud providers and the internal networks is established using some kind of VPN solution, or some other connectivity.”
In response to a follow-up question from Rettas about whether hybrid clouds add more complexity to the security posture of an organization than on-premises, Green said it definitely does.
Instead of a singular focus on just on-premises security, in a hybrid cloud environment involving systems that are on-prem and cloud, “you’ve still got all of the same security issues and concerns, that you had with your just on-prem,’’ he said. “And now you’re adding all the concerns of cloud. And they are different concerns.”
Green said with most companies, especially large ones, they likely will keep some systems on-premises and not move everything to the cloud.
New Attack Surface
The two also discussed the top issues with cloud-based applications. “Cloud-based applications have all the same vulnerabilities as traditional applications,’’ Green said, with two main differences.
“The first is that cloud-based applications can more easily use external cloud-based components to perform certain tasks such as authentication, load balancing, and data storage. And this can reduce the risk, by reducing the amount of custom code needed to run the actual application.”
However, he added, this introduces a new attack surface and the potential for insecurely configured cloud services. “You have to consider the application code and the service it run, on in the same security sphere.”
In response to a question from Rettas about whether cloud-based supply chain attacks differ on-premises supply chain attacks, Green said they differ.
“Supply chain attacks can take the form of an external component, which communicates with backend cloud components,’’ he said. “So that might be different because you didn’t implement that before, and when you migrate to the cloud, you add in all these new things,” including tools and code that might have been developed outside the organization, he said.
So in a cloud environment, use of third-party components is amplified, he said. “Not by necessity, but by the availability and easy connectivity for those deployments.”
The ‘Task Force 7 Radio’ recap is a weekly feature on the Cyber Security Hub.
To listen to this and past episodes, click here.