Cloud Security Management Is Flawed
Even in progressive organizations, network-based defense practices still linger and can lead to a flawed cloud strategy.
The network model for security fails in the cloud. While the old on-prem model made sense in the earlier days of computing, the rapidly expanding suite of cloud providers, along with their infinite combinations of settings and services, now places an extraordinary burden on security teams to become cloud-centric. An enterprise that doesn't fully understand its role in securing its data in the public cloud is taking unnecessary risks with its outdated security strategies.
In the traditional data center, the network provided a secure boundary for the organization. The network was carved up into zones and trusts were established within and between zones. Security architectures were established and tools deployed based on this strategy, which largely involved monitoring the traffic flows and enforcing controls where the zones met. But in the cloud, this approach is no longer relevant. Time and again, in breach after breach, headline after headline, the modern attack cycle, particularly in the cloud, starts with identity. Attackers seek access to the identity, then pivot between resources, discovering credentials and other identities that give them more and more access to get what they want.
Now organizations must think about what identities they control, what those identities can be used for, and what they can access. The network is no longer a safe boundary; it is no longer the perimeter. Identities are the new perimeter.
Access must be considered for anyone, and anything, that interacts with the cloud. Organizations need to understand how access works, what impact the multitude of tools and people interacting with the cloud can have on their configuration posture, and how that posture changes over time.
Manage the Right Perimeter. If you are still managing only an old network perimeter, you're putting your company at risk, so stop. Your organization must address the real perimeter, its person and non-person identities, through identity and data security tools.
Identifying the Risks of the Cloud. Identity, resource, and service misconfigurations are among the primary challenges cloud users face, and they have led to significant data breaches. As we’ve seen, even the most sophisticated and well-funded organizations have had issues. Organizations can minimize risk by first identifying the risks that lead to unauthorized identities and excessive privileges. It is essential for data owners and for cloud operations, security, and audit teams to recognize these risks in order to maximize their control management, security, and governance of data within their public cloud environments, such as AWS, Azure, GCP, and Kubernetes.
Identity Issues. It has become effortless to create identities, both person and non-person, within the cloud. These identities may be granted access rights that were never intended, or granted them by accident. They may remain invisible and untrackable to data owners. These roles may carry special administrative privileges, such as the ability to enumerate and extract data (as was the case in many of the better-known data breaches), which leads to the exposure of your data.
Data Exposures are Inadequate Indicators. Knowing where cloud data is stored is, on its own, insufficient for a risk assessment strategy. Data owners may trust their DevOps teams to manage the storage of data objects, but this does not reveal the full extent of the accessibility and privileges that external parties hold. Cloud users must stay aware of the small movements of data through their environment to keep it secure. They need to know where their data truly exists, which identities have access to it, how it is being accessed, and where it might be moving to and from.
Monitor for Drift. One of the most basic mistakes an organization can make in cloud security is not continuously monitoring its data and identities. The most successful “attacks” are simply mistakes: misconfigurations and human errors, such as leaving data exposed to the internet. As a starting point, you need to establish a set of cloud security controls to implement, and set the baseline. From there you must continuously monitor that baseline and alert on any deviation. It is these deviations that will be your downfall.
Get Visibility. Most organizations are running blind to the true risks in their cloud. With respect to identities, you need to know, at all times, the full inventory of identities, their effective (end-to-end) permissions, what those identities are doing, and what data they can access and are accessing. With respect to your data, you need to know, at all times, where all of your data is, what it is (through classification), which identities have access to it, and what they are doing with it. If you can’t do all of that, and be honest with yourself, then you are running with some critical blind spots.
Coordination Issues. The outdated paradigm of sending security alerts to a single team to triage and manage simply isn’t feasible. In the cloud operating model, the environment is used simultaneously by disparate groups of specialists, including audit, DevOps, cloud, and security staff, and the single-team model breaks down. The solution is to route issues to the team(s) that created them, as they are in the best position to address them as soon as possible. This ensures that problems are addressed in both an appropriate and a timely manner. Or, as I like to say, at the speed and scale of the cloud.
Fix the Employee Skills Gap. Many developers are not inherently security experts, so those who carry security responsibilities need to be better trained in best practices. Alternatively, organizations that don’t want to add more duties to existing dev teams’ plates probably need a new type of operations person who combines operations with security (DevSecOps). With a widening skills gap haunting CISOs, companies cannot afford to keep putting off their employees’ professional development programs. Failure to upskill staff means they won’t have the skills and knowledge necessary to secure today’s organization.
Things You Can Do Today to Improve Your Enterprise Strategy
Unlike the data center days, with their sandboxed data management infrastructure, the cloud involves multiple accounts, trust relationships, and permission inheritances that make it extremely challenging for data owners to keep close tabs on their data. Here are four areas in which you can improve your strategy.
Get to and Maintain Least Privilege. Get a solution with advanced analytics that continuously monitors every identity to determine its effective permissions: what it can do and what data it can access. From this, detailed graphs are created and continuously updated to visualize all identity-to-data relationships, giving a systematic structure for identifying and managing common data threats such as separation-of-duties violations, toxic combinations, and privilege escalations. Continuously audit to ensure that the least-privilege state is maintained and that any deviation is immediately alerted on.
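The "set a baseline, then alert on every deviation" loop from the Monitor for Drift and Least Privilege sections, as an added example that is not part of the article or any vendor's product. It diffs a constructed current snapshot of identities and their effective permissions against an approved baseline and flags new identities, widened permissions, hypothetical toxic permission combinations, and newly exposed data stores; all names and permission strings are placeholders.

```python
"""Baseline-and-drift check over a constructed cloud identity inventory.
Added example, not from the article. A snapshot maps identity name -> set of
effective permissions, plus the data stores reachable from the internet.
All names and permission strings are constructed placeholders."""
from typing import List

# Constructed baseline snapshot: the state the control set approved.
BASELINE = {
    "identities": {
        "app-role": {"s3:GetObject"},
        "ci-role": {"s3:GetObject", "s3:PutObject"},
    },
    "public_data": set(),  # no data store approved for public access
}
# Constructed current snapshot: drift has occurred since the baseline.
CURRENT = {
    "identities": {
        "app-role": {"s3:GetObject", "iam:PutRolePolicy"},  # widened
        "ci-role": {"s3:GetObject", "s3:PutObject"},
        "tmp-contractor": {"s3:ListBucket", "s3:GetObject"},  # untracked
    },
    "public_data": {"customer-exports"},  # store now exposed
}
# Hypothetical toxic combinations: permission sets that let an identity
# widen its own access, or enumerate and then extract data.
TOXIC = {
    "self-escalation": {"iam:PutRolePolicy"},
    "enumerate-and-extract": {"s3:ListBucket", "s3:GetObject"},
}

def find_drift(baseline: dict, current: dict) -> List[str]:
    """Return one alert string per deviation from the baseline."""
    alerts = []
    base_ids, cur_ids = baseline["identities"], current["identities"]
    for name in sorted(set(cur_ids) - set(base_ids)):
        alerts.append(f"new identity not in baseline: {name}")
    for name in sorted(set(base_ids) - set(cur_ids)):
        alerts.append(f"baseline identity missing from inventory: {name}")
    for name in sorted(set(cur_ids) & set(base_ids)):
        gained = cur_ids[name] - base_ids[name]
        if gained:  # permissions widened beyond the approved set
            alerts.append(f"{name} gained permissions: {sorted(gained)}")
    for name, perms in sorted(cur_ids.items()):
        for label, combo in TOXIC.items():
            if combo <= perms:  # holds every permission in the combination
                alerts.append(f"{name} holds toxic combination: {label}")
    for store in sorted(current["public_data"] - baseline["public_data"]):
        alerts.append(f"data store newly public: {store}")
    return alerts
```

Running `find_drift(BASELINE, CURRENT)` yields five alerts; each one is the kind of deviation the text says should be routed to the team that caused it.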
Lock Down Crown Jewel Data. Find, classify, and de-risk the most valuable data in your environment. The "blast radius" of a potential security issue is reduced by automatically eliminating excessive data access rights. Look for a solution that can lock down precious data and continuously monitor it, with a built-in alarm that triggers on sudden and unexpected activity.
Shift Left by Integrating Teams. Data owners need to establish an effective system from the get-go. Configure alerts with their context and route them, through workflows, to the teams responsible, so that they can respond as quickly as possible.
Prevent and Remediate Issues. Prevent data risks before they cause damage. Treat remediation and prevention bots like team members: a spotted issue is escalated to the right team or bot, and the team tracks and audits the outcome. This results in a high-performance compliance structure for your public cloud. Put prevention rules in place across your cloud and make sure the rules are continuously met. Fix risks found in the environment before they become incidents.
An enterprise that doesn't fully understand its role in securing its identities and data in the public cloud is taking unnecessary risks with outdated strategies that, as we see on a weekly basis, lead to disastrous consequences.
Opinions expressed by DZone contributors are their own.