Is the Cloud Moving Too Fast for Security?

In February 2017, a vulnerability in Slack was discovered which had the potential to expose the data of the company’s reported four million daily active users. Another breach in February on CloudFlare, a content delivery network, leaked sensitive customer data stored by millions of websites powered by the company. On March 7, the Wikileaks CIA Vault 7 exposed 8,761 documents on alleged agency hacking operations. On June 19, Deep Root Analytics, a conservative data firm, misconfigured an Amazon S3 Server that housed information on 198 million U.S. voters. On July 12, Verizon had the same issue and announced a misconfigured Amazon S3 data repository at a third-party vendor that exposed the data of more than 14 million U.S. customers.

That’s at least five-major cloud application and infrastructure data breach incidents for 2017, and we’re only in July. Add in the number of ransomeware and other attacks during the first half of this year and it’s clear the cloud has a real security problem.

By now, most everyone recognizes the benefits of the cloud; bringing new applications and infrastructure online quickly and scaling it to meet ever changing business demands. Although highly valuable for the business side, when security teams lose control over how and where new services are implemented, the network is at risk and subsequently, so is their data. The balance of allowing businesses to move at the speed of the cloud and maintain the needed security controls is becoming increasingly difficult. With the spike in data exposures and breaches, it shows that security teams are struggling to secure cloud use.

The Slack breach is a great example at the application-level. Slack is simple to use and implement, which has driven the application’s record-breaking growth. Departments, teams, and small groups can easily spin up Slack without IT approval or support, and instances of the application can spread quickly across an organization. Although Slack patched the vulnerability identified in February before any known exposure occurred, if it were hacked, the attacker could have had full access and control over four million user accounts.

In the Verizon situation, a lack of control at the infrastructure level is what caused so many of their customers to be exposed this month. When servers can be brought online so easily and configured remotely by third-party partners, the right security protocols can be missed or ignored.

As more businesses move to the cloud and as cloud services continue to grow, organizations must establish a unified set of cloud security and governance controls for business-critical SaaS applications and IaaS resources. In most cases, cloud providers will have stronger security than any individual company can maintain and manage on-premise. However, each new service comes with it’s own security capabilities, which can increase risks because of feature gaps or human error during configuration. Adding additional encryption and policy controls independently of the vendor, is a proven way for organizations to fully entrust their data to a cloud provider without giving up complete control over who can access it while also making sure employees are compliant when using SaaS applications. These controls allow businesses to move at the speed of the cloud without placing their data at risk.

The reality is that threats are increasing in frequency and severity. The people behind attacks are far more sophisticated and their intentions far more sinister. We, as individuals and businesses, entrust a mind-boggling amount of data to the cloud but there doesn’t exist today a way to entirely prevent hackers from getting through the door at the service, infrastructure or software provider. Remaining in control of your data that traverses all the cloud services that you use is the safest thing you can do to protect your business. Because, in the end, if they can’t read it or use it, is data really data?

Doug Lane, Vice President/Product Marketing, Vaultive

[Cloud Security Alliance Blog]

Cyborg’ Society Necessitates Governance, Compliance and Security Vigilance

Today’s security professionals face a daunting reality as the attack surface swells and cyber criminals prey upon the speed at which new devices are hurried to market.

“As soon as we put out a device, there’s going to be somebody who starts tinkering with it and finding vulnerabilities,” said Kimberlee Ann Brannock, senior security advisor with HP. “That’s just a fact.”

Brannock, an ISACA member, presented this week at Black Hat USA on how organizations can leverage governance, compliance and security to protect themselves. She said a comprehensive, multilayered approach is especially critical given powerful trends such as accelerated innovation and globalization. “I’m a huge proponent of defense in layers, security in layers,” Brannock said. “One-dimensional does not work.”

Sound governance and security programs also help drive compliance, she said.

“When you have all of these different layers and all of these different strategies, and you bring all of those together, one of the amazing things is you start to develop security intelligence,” Brannock said. “And then because you’re documenting your processes, you’re documenting your procedures, you’re doing your assessments, you’re getting the evidence from that, that helps you to demonstrate compliance as well.”

Brannock recommended three actions enterprises should take to mitigate their risk:

  1. Focus on end-to-end security. Include security in considerations when evaluating potential IoT product purchases, such as printers. (The presentation began with a video featuring an organization having its network compromised through a malware attack on an insecure printer).
  2. Deploy strong administration tools. Avoid using system defaults for user names and password purchases. “It is amazing how many sophisticated organizations that have spent millions of dollars on their infrastructure, on their end points and their devices, they have the default settings,” Brannock said.
  3. Do not share access. Account access should not be shared with anyone, and secure password practices should be emphasized with those who do have access.

Brannock also encouraged organizations to adopt applicable cyber security frameworks, conduct thorough risk assessments and be mindful of firmware security in their devices.

“Every device that we can think of is hackable in one way or another,” Brannock said. “As security professionals, as IT professionals, we need to be aware, and we need to get the conversation started about it.”

When organizations put governance policies and procedures in place, Brannock said it is important to avoid shrugging off shortcomings that might surface.

“As an organization, you want to tell people what you’re wanting to accomplish and why, and how to do it,” Brannock said. “But you also want to make them accountable … so there has to be consequences.”

Brannock shared industry statistics about the mounting use of data and devices on an everyday basis, leading to a corresponding spike in security threats.

“We are plugged in all the time,” Brannock said. “We carry around a device all the time. We are cyborgs – whether we acknowledge it or not, we are. So, with this digital and physical world colliding, we need to be at the ready to address it from a security standpoint.”

[ISACA Now Blog]

English
Exit mobile version