Don't Lose Visibility When Moving to the Cloud
I have the great privilege of discussing information security issues with other CISOs from different backgrounds across nearly every vertical, comparing notes on the day-to-day fight. Recently, one of my peers asked me about cloud use. His company was considering a material operational move into the cloud to include valuable data. The vendor assured the company’s leadership that everything was secure. The initial cost seemed cheaper and IT Operations appeared to be more efficient than legacy on-premise execution. The vendor’s representation of “facts” put downward pressure on my peer to support the movement to cloud for his organization.
“If you lack real-time visibility then you have no opportunity to actively contest a cyber-event”
Explore Cloud Solutions with Caution
Don’t get me wrong–I see a lot of potential when it comes to cloud, but as it remains a relatively new technology, it’s up to security leaders to examine cloud migration with a skeptical eye, making sure potential security pitfalls are addressed. It starts with the right questions–questions that security leaders should be asking; that practitioners should be prepared to answer; and that cloud providers should be using to make sure their clients are protected.
To get to the root of the cloud migration concerns, I asked my colleagues series of questions based on what my teammates and I consider table-stakes to resisting threat actor exploitation, data theft and attack:
1) Do you know what you have in the cloud in terms of virtual servers, applications and data?
2) Do you know who has access to what you have from a role-based access and multi-factor authentication perspective?
3) Are vulnerabilities identified and shared with you in real-time so you may prioritize the risk?
4) Can you see when threat actors are attempting to exploit your vulnerabilities to steal your data or attack your infrastructure?
5) Do you have a mechanism to deploy counter measures to interdict threat activity and mitigate vulnerabilities? Can you respond when prevention fails?
Accountability is a Shared Responsibility
Unfortunately the answer to each question was no. When I asked if the cloud vendor would accommodate these requests for the organization and make the “contesting” visible in real-time for tactical decision making, the answer was also no. My peer realized that he was “hoping” and “guessing” that his infrastructure and data were being defended.
We began discussing what the cloud vendor represented as “security.” Items ranged from self-attestation compliance with an ISO or NIST standard to compliance regimes like PCI-the same PCI standard that couldn’t prevent recent significant breaches of several compliant retail organizations. The sense I get is that people are looking at an end state which makes things secure. The fundamental problem is that security is not an end state. Security is a process–a process of defending and contesting threat actors to disrupt the effects they wish to achieve against your organization.
Security is a Process, Not a Destination
As an example, researchers from the Worcester Polytechnic Institute recently developed a proof-of-concept attack for stealing private RSA cryptographic keys from virtual machines hosted in Amazon’s EC2 cloud infrastructure. The exploit takes advantage of a cryptographic library, and is similar to an exploit found in 2009. Make no mistake, with all technology, even our own, there will always be new vulnerabilities discovered so the question for the defender becomes: “If someone is trying to exploit this or future vulnerabilities and steal my data, can I see this and do something about it?” If you lack real-time visibility then you have no opportunity to actively contest a cyber-event. This means you will likely find out about a compromise through the press, a law enforcement victim notification, or a threat actor dump.
Cloud Adoption doesn’t Equal Cyber Risk Mitigation
My company oversees incident response engagements every day to help organizations who have been compromised, and while we do not disclose the names, I can say that we have helped in remediating breaches that have occurred in the cloud. According to one of my IR teammates, we have worked so many massive breaches in public cloud environments that we had to create a focus area specifically to address them.
To be clear, my teammates and I are big fans of cloud use and see promise in its future. There are many great technologists and security-minded people working for cloud organizations. We believe that public cloud use for organizations’ most critical operations and data has not reached a security maturity level to provide real-time visibility to organizations whose cyber threat resistance risk tolerance is very low. For Platform-as-a-Service (PaaS) providers, organizations can deploy some security instrumentation to give them visibility above the hypervisor. For Software-as-a-Service (SaaS) providers and PaaS use at the hypervisor and below, we have not found solutions that could provide visibility of our recommended minimum requirements for effectiveness. Some organizations may decide to migrate without ensuring necessary visibility to defend their critical data and services, and hoping and guessing everything is OK. For my organization and many peers I talk to, hoping and guessing are not valid courses of action.