“I am safe in the cloud.” Debunked


Cloud computing services from public Cloud Service Providers (CSPs) are an incredibly useful tool for businesses of all sizes. As an example, businesses can get access to top-of-the-line computing and storage resources without the massive capital expenses of buying, installing, and upgrading hardware within the organization. All these items are applicable as you continue your cloud journey to help your organization deploy services quickly and cost-effectively.

 

Unfortunately, there are several myths surrounding cloud security and cloud data security that might prevent IT teams from enabling their cloud journey safely and securely. I have listed a large group of common cloud security myths to help explain the truth behind running and securing a cloud solution.

 

Myth #1: All clouds have the same security

This is a common misconception about cloud security: not all cloud services have the same security, even within the same cloud provider (AWS cloud security, Azure cloud security, Rackspace, etc.). In addition, CSPs offer a variety of additional cloud security options, often at an additional charge.

 

It is important to both verify what security measures the CSP offers as standard AND what options are available so you can get a clear understanding of what is being utilized and offered for your cloud environment before entering into a service agreement.

 

Myth #2: Cloud is less secure than on-premises infrastructure

This is an interesting myth as I feel it can go both ways: CSPs can more easily invest in strong security because it relates to their core business, creating a stronger infrastructure, OR CSPs invest in core security capabilities and it is up to the customer to create a stronger security suite that is specific to their unique requirements or regulatory compliance mandates. The market-leading CSPs invest billions of dollars a year in the security of their platforms, a level of spending that customers don’t have the budgets to match in their on premises environments.

 

I lean towards cloud services providing core security functions and it is up to each customer to add additional security capabilities. It is simply cost and resource prohibitive to provide and operate in-depth security equally for all customers. In addition, identical security for all customers could lead to mass impact if a critical service provider vulnerability were exposed, and could increase bad actor activity by raising the return on effort.

 

Myth #3: Data in the cloud isn’t as secure as on premises infrastructure.

“Cloud providers implement cloud-based data encryption and privacy measures to ensure every user’s data is safely stored.”

 

This is not always the case. There are some specialized providers (AWS cloud security, Azure cloud security, Palo Alto Cortex / Prisma, zScaler, etc.) who offer secure VPN access, encrypted data at rest and data loss prevention services built into their platform, while others offer these as à la carte services that must be enabled. In addition, select cloud providers are certified against a number of global and regional regulations, so you know that your data will still meet compliance requirements. These requirements must be identified up front, so that assumptions about cloud provider security do not come back to light after a breach has occurred.

 

Myth #4: Single-tenant clouds are ALWAYS more secure than multi-tenant clouds

In general, public cloud environments are by nature multitenant environments, sharing network, service, storage and application resources. This is how they can offer a wide variety of best-in-class service at reduced rates when compared to a company implementing and operating the same solution on premises or in a colocation environment. This might seem dangerous at first, as it sounds like other users might have access to their data.

In reality, CSPs partition the network traffic, data and application management to keep information restricted to the user that uploads it. And while the benefits can often outweigh the risks, it is prudent to research all aspects of the user access, data path and security controls associated with the cloud provider’s multi-tenant service to ensure they meet your specific organizational security policies and controls.

 

Myth #5: You cannot meet compliance requirements in the cloud

Compliance with industry-specific regulations is a huge concern for many businesses. However, the belief that compliance requirements cannot be met in the cloud is a FALSE one. In fact, using the cloud can help make meeting certain compliance standards easier, assuming you have an accredited/compliant CSP and corresponding services.

 

Many CSPs offer security framework compliance (NIST, HIPAA, PCI, etc.) built into their service offerings and map select services to specific portions of the security controls, simplifying compliance efforts.

 

Meeting compliance standards in the cloud depends on the capabilities of the CSP, which is another reason to carefully review your CSP and be specific in your review work before signing an agreement or assuming your CSP will offer compliance-based services.

 

Myth #6: Cloud workloads can be secured with our existing security tools.

It might be tempting to assume your on premises security tools will handle security for your cloud solutions, but this often isn’t the case. Some on premises security tools do support integration with cloud solutions, but it typically requires a dedicated cloud security tool set to fully secure production-class cloud services.

 

Examples of dedicated cloud security tools would cover DevSecOps and application promotion to production (including open-source vulnerability management); access management for both workload and container-based applications; configuration management; real-time security event monitoring; and data access and data leak prevention, with all capabilities functional in multi-cloud and hybrid cloud environments.

 

While many companies have the expectation “security will be easier in the cloud”, the reality of securing their cloud workloads is often a far more complicated process than businesses expect due to the unique security challenges that cloud environments create.

 

Lastly, because cloud workloads are by nature permanently connected to the internet and lack the protection of a physical perimeter, they’re exposed to anyone who can garner the correct access credentials.

 

Myth #7: Access control isn’t a problem in the cloud.

Cloud computing introduces multiple changes to traditional internal system management practices related to identity and access management (IDAM). The cloud can be accessed from virtually anywhere, which can open the floodgates for a security threat wanting to get into your cloud deployment.

 

Often CSP networks contain different service providers’ environments, in which a single user can access different kinds of services at the same time, while each service comes from a different service provider and has a different security level.

 

As a common practice, it is recommended that you maintain access control over your cloud environment to protect your data and prevent unauthorized users from entering your system. One way to address cloud access concerns is via an Identity Management (IdM) platform, which can perform cloud security specific functions like administration, discovery, maintenance, policy enforcement, management, information exchange and authentication. IdM systems are an efficient mechanism for reducing the risks associated with cloud environments.

 

As a working example, a login from an employee’s device is detected in the middle of the night. At the same time, there may be an attempt from that same device, seemingly in a different time zone, to access sensitive data from your on premises data centers. A unified security system knows the risky behavior patterns to watch for and automatically hinders both actions. If these incidents were detected in two separate systems, that action never takes place and data is lost.
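The correlation in the working example above, as an added Python sketch (not from the original post or any vendor product): each log source alone shows nothing unusual, while the merged view flags the device. The field names, the 15-minute window and the 00:00 to 05:00 off-hours range are assumptions, and all events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events. "utc_offset" is the time zone (hours from UTC)
# the client reported; field names are assumptions for this example.
CLOUD_EVENTS = [
    {"source": "cloud", "device": "LT-0042", "user": "jdoe",
     "utc": "2024-03-05T07:12:00", "utc_offset": -5, "action": "login"},
    {"source": "cloud", "device": "LT-0077", "user": "asmith",
     "utc": "2024-03-05T15:30:00", "utc_offset": -5, "action": "login"},
]
ONPREM_EVENTS = [
    {"source": "onprem", "device": "LT-0042", "user": "jdoe",
     "utc": "2024-03-05T07:20:00", "utc_offset": 8, "action": "read:finance"},
    {"source": "onprem", "device": "LT-0077", "user": "asmith",
     "utc": "2024-03-05T15:41:00", "utc_offset": -5, "action": "read:hr"},
]

def when(ev):
    return datetime.fromisoformat(ev["utc"])

def off_hours(ev, start=0, end=5):
    """True if the event happened at night in the client's reported zone."""
    local = when(ev) + timedelta(hours=ev["utc_offset"])
    return start <= local.hour < end

def correlate(events, window=timedelta(minutes=15)):
    """Pairs of events: same device, different log source, different
    reported time zone, within `window`, at least one at night."""
    events = sorted(events, key=when)
    hits = []
    for i, a in enumerate(events):
        for b in events[i + 1:]:
            if when(b) - when(a) > window:
                break  # sorted by time, so later events are further away
            if (a["device"] == b["device"] and a["source"] != b["source"]
                    and a["utc_offset"] != b["utc_offset"]
                    and (off_hours(a) or off_hours(b))):
                hits.append((a, b))
    return hits

def devices_to_block(events):
    return {a["device"] for a, _ in correlate(events)}

if __name__ == "__main__":
    print("cloud only :", devices_to_block(CLOUD_EVENTS))
    print("onprem only:", devices_to_block(ONPREM_EVENTS))
    print("unified    :", devices_to_block(CLOUD_EVENTS + ONPREM_EVENTS))
```
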

 

What you can do

1. When considering a new cloud solution or reviewing your current one, remember that both you and the CSP are responsible for specific aspects of cloud security. Your CSP needs to protect the systems their solution is stored on, and your business is responsible for ensuring that only safe data is processed through the cloud solution. Solution providers will outline specific responsibilities for both themselves and your business in their service level agreement (SLA).

2. Limit access to data. Revoking access for employees and businesses with whom you’ve ended the business relationship is usually something that your organization will have to manage internally.
3. Ensure you have clear compliance requirements when reviewing your CSP options, and be specific in your review work before signing an agreement or assuming your CSP will offer compliance-based services.
4. Take into consideration that there are cloud-based compliance services you can layer on top of your current or planned CSP to provide a more complete compliance service and reporting structure. This combination approach will allow you to leverage each CSP for their strength and often yield the right CSP service for the role vs. an all-in-one CSP service that may limit flexibility or cost savings.
5. Cloud services and workloads which are misconfigured are one of the top areas of concern enabling security threats, often resulting in a security breach yielding devastating outcomes. Ensure you have solid processes or cloud-based security tools to monitor and enforce proper configuration management, production use, continuous change management (drift detection and remediation), as well as continuous compliance.

6. Many client-grade antivirus (AV) and endpoint detection & response (EDR) technologies fail to include exploit prevention and memory protection; they are better at generating false positives than actually securing workloads in the cloud. Moreover, as a large percentage of cloud workloads are run on Linux servers, customers need to be aware of this when choosing the right, supported security solution. Ultimately, providing real in-depth protection for cloud workloads requires a proactive approach to cloud security combined with a lightweight, set it and forget it solution.
 

7. Many cloud providers (AWS cloud security, Azure cloud security, Palo Alto Cortex / Prisma, zScaler, etc.) offer access control capabilities out of the box; these vendors allow you to set authentication policies across your entire cloud infrastructure and provide monitoring services to determine who is accessing your data, when they do so, and where they access it from.

 

One of the most important cloud security decisions you can make as you continue your cloud journey is to clearly identify your organizational cloud security requirements (governance) and matrix-compare which CSP has the processes, services, tools and expertise required to secure, not just support, your cloud environment, workloads and service-based outcomes on an ongoing 24×7 basis.

 

For more information please contact

Robert Allende


Robert is the Cyber & Risk Management Security Practice Lead at Red River. You can reach him at r.allende@redriver.com

 
