Cloud adoption is growing at a tremendous pace. In fact, a 2018 cloud computing survey by IDG highlighted this. According to its research, nine out of ten companies will have some part of their applications or infrastructure in the cloud by 2019, and this expansion was reflected in all the cloud models too (IaaS, PaaS and SaaS). VMware says that 50% of workloads will run in public clouds by 2030. So that’s today’s reality of the cloud and its impact on organizations and their workloads.
But with this greater adoption also comes an increased likelihood of cloud-related breaches. The Department for Digital, Culture, Media and Sport reported in its Cyber Security Breaches Survey 2018 that businesses using cloud computing were more likely to have faced breaches than those that do not (52% vs 43%).
2017 saw both Verizon and the World Wrestling Entertainment company (WWE) suffer data breaches due to a misconfiguration of an AWS S3 bucket, leading to up to 14 million customers of Verizon and three million fans of WWE having their personal data exposed. This is more Paul Hogan than Hulk Hogan when it comes to protecting our data.
Other high-profile breaches include Uber storing AWS credentials in a GitHub repository, which were subsequently retrieved by hackers and used to access Uber’s AWS account, and a misconfigured MongoDB database exposing personal information of over 90 million Mexican voters.
These examples are mainly misconfiguration errors or misunderstandings of expected cloud security.
Of course, security breaches aren't new, and I wouldn't suggest that a move to the cloud is inherently less secure than remaining on-premises. But could there be reasons why an organization is more likely to suffer a breach if it consumes the cloud?
- Cloud deployments can move at a pace which traditional security finds difficult to keep up with
- Cloud applications don't always mirror their on-premises version. How can existing security controls reflect whether the applications are rehosted, replatformed or refactored in the cloud?
- A lack of cloud-specific security policies or guidelines to drive "secure by design" cloud adoption
- Finally, who’s responsible for cloud security anyway? Is it the cloud provider, the cloud consumer, or both? Does the cloud model (IaaS, PaaS or SaaS) affect the lines of responsibility?
So, the drive to cloud - whilst offering us a wealth of opportunities - is proving a real challenge to cybersecurity professionals looking to keep things as secure as possible.
How can things be improved? Well, organizations could consider a 4 As approach to cloud security, a practical methodology that NTT Security has used to help its own customers. The four As are as follows:
Assess. A common weakness in an organization's cloud deployments is limited visibility of the assets and workloads that have been stood up in the cloud. How can organizations secure what they don’t have visibility of (these are the known unknowns of your cloud footprint)? Also, where is security “built-in” by the Cloud Solution Provider (CSP) themselves, and where does responsibility fall to the cloud consumer?
Analyse. This phase can identify how a cloud deployment compares against known good security practices or frameworks. It can seek to ensure organizations understand where their security gaps are, evaluate the potential risks involved and make informed decisions around what controls to deploy and their priority.
Act. With a clearer picture of the security posture of a cloud deployment and visibility of assets, an organization can now look to implement the required security controls. This can start with CSP security controls and configurations, which can be used to formulate a minimum viable security template for future deployments, and can then be complemented with embedding cloud native security controls.
Assure. As deployments grow and workloads are migrated to, or built in, the cloud, this phase is about confirming that your cloud security grows with you. A cloud deployment needs to be continually monitored and any deviation from agreed security standards alerted upon. Automation is vital here to guarantee consistent and secure deployments.
By breaking down cloud security using this four As approach, organizations can benefit from increased visibility of cloud workloads and risks, a prioritised roadmap of remediation and improvement, a proactive and automated approach to consistent security, and continuous monitoring and alerting to ensure regulatory compliance is maintained and gaps are secured.
...because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don't know we don't know