Why you should shift your cloud security strategy up stack

John P. Mello Jr., Freelance writer

Traditional security concerns about the cloud—denial of service, shared technology vulnerabilities, and cloud service provider data loss and system vulnerabilities—appear to be waning in importance among security practitioners. Now, concerns about issues higher up in the security stack that are influenced by senior management decisions are taking their place.

That's what the Cloud Security Alliance revealed in its annual Top Threats to Cloud Computing report for 2019. Based on a survey of 241 industry experts on security issues in the cloud industry, the report rates the top risks and vulnerabilities facing cloud environments and highlights 11 that were top-of-mind for the security experts surveyed.

It found that traditional concerns that ranked in the top tier as recently as last year were ranked so low that they didn't even merit mentioning in this year's report.

New, highly rated items in the "Egregious Eleven" are more nuanced and suggest a maturation of consumers' understanding of the cloud, the report said. These issues are specific to the cloud and indicate a technology landscape where consumers are actively considering cloud migration.

The new focus: potential control plane weaknesses, metastructure and applistructure failures, and limited cloud service visibility. That's why you need to shift your game up the stack.

It's hard to beat a cloud service provider

Jon-Michael Brook, co-chair of the Cloud Security Alliance working group that put the report together, said that the latest "Egregious Eleven" shows a decrease in concern over issues associated with cloud service providers (CSPs)—and an increase in worry over shared responsibilities for the stack.

For many organizations, the processes and procedures that providers such as AWS or Azure follow and their operational product offerings are impossible to duplicate in-house. "The government hired Microsoft and Amazon for community cloud implementations because they are that effective," he said.

By 2020, he added, Gartner estimates that for anyone using an established infrastructure-as-a-service provider, more than 95% of breaches and other problems will be due to consumer errors instead of problems with the CSP.

"Sure, everyone was afraid in the early days, but the cloud providers have pretty well demonstrated their abilities to exceed security controls most on-premises alternatives provide," said Jay Bretzmann, research director for cybersecurity products at IDC.

Michelle McLean, vice president of product and corporate marketing at StackRox, a maker of a security platform for containers and Kubernetes, explained that as adoption has grown over the years, CSPs have had more time to build additional security services.

Don't assume too much

With more adoption has come deeper customer understanding that cloud providers have far more resources to invest in securing their infrastructure, McLean said. "However, this thinking can sometimes lead customers to assume they no longer have any responsibility for security, so complacency and assuming the cloud providers have it all covered can be a risk."

Greater concern about problems higher in the cloud security stack is also a sign that consumers need to rethink their cloud strategy. "In the past, too many people were attempting to accomplish cloud security with a 'lift-and-shift' mode," said Brian Bernstein, a systems engineer at Lacework, a cloud security solutions provider.

"A real shifting of mindset must happen to address the much more critical threats to a cloud platform," he said.

IDC's Bretzmann added: "Simple lifting-and-shifting and replicating your existing controls within the cloud might also mean that you're missing out on advantages like managed services, where the provider maintains all of the underlying infrastructure security."

Strategy affects security

Businesses are beginning to recognize the significant impact that management decisions about cloud strategy and implementation can have on cloud security.

"Cloud-native design patterns leverage features simply not available in a traditional IT setting," the CSA's Brook said. "A lack of strategy can contribute to the organization's technical debt and opens security issues for things that just don't translate."

Products rolled out to the cloud inappropriately will increase the overall operating budget, he said. "The cloud only decreases costs when it's rolled out appropriately."

He noted that companies can adopt a cloud strategy without fully understanding the risks. For example, a move to the cloud might jeopardize standards compliance. An organization may think its CSP is responsible for compliance training when it's not. Training then becomes a strategy decision for the business.

"If you administer or manage by tick-box—that is, you see a logo which says, 'We are compliant with X' and then don't investigate further—you are setting yourself up for failure," said Trevor Pott, Product Marketing Director at Juniper Networks, a network security and performance company. 

Don't move too quickly

In its rush to migrate, a business may move too many applications to the cloud too fast. "Moving too fast means teams don't have the time to understand how best to use the security offerings available from a cloud provider," said StackRox's McLean.

"Moving too many applications at once also increases risk," she said. Each application requires its own set of services, depending on how it operates, and teams might try to apply one security architecture across the board "that doesn't actually fit the breadth of applications."

Also, McLean said, the shared responsibility model "very much applies to security. Companies need to understand that while the cloud providers are responsible for tasks such as patching the underlying infrastructure, the customer is still responsible for application-layer security."

Organizations can't protect what they don't understand, Lacework's Bernstein explained. "If you have a well-established strategy, then you can start to understand what your risks are and what problems you need to solve for," he said. "Without this, you are just randomly picking controls and putting them in place for the sake of saying you have controls in place."

When migrating to the cloud, it's too easy to look exclusively at the business benefits, said Laurence Pitt, Global Security Strategy Director at Juniper Networks. "There should always be a full evaluation of the business benefits and security risks, as they relate to the specific services," he said.

Where benefits are high and risks are low—such as an Internet-facing web server for public documents—then it makes sense to migrate, Pitt said. "But if a high risk is identified, then a move should not occur until steps have been identified to reduce that risk to a level that falls within the risk tolerance of the business."

Keep it clean

Implementation decisions also affect cloud security.

Cloud deployment needs to be done in a very clean way to make it secure, said Thomas Hatch, CTO and co-founder of SaltStack, a provider of intelligent IT automation software. 

"Many organizations don't get this right," he said. "There are many security settings and access settings that are presented in cloud infrastructures that need to be properly configured and managed."

"Make sure that you keep it simple. Try not to over-engineer access controls, and make it easy for employees to get their work done," he advised. "If it is hard to get work done, employees will break security practices" before they will risk not doing their jobs.

Misconfiguring cloud resources and encryption are prime candidates for errors in an implementation strategy. "There are plenty of examples where organizations have left their storage buckets publicly accessible. To me, that's the quintessential example of misconfiguration," said Tim Erlin, vice president of product management and strategy at Tripwire, a cybersecurity threat detection and prevention company.

In the same vein, he said, "It's usually not the encryption algorithm that's the problem. It's often the encryption implementation that causes a vulnerability."

Security teams' failure to understand how workloads are implemented is another way strategy can lead to security problems. For example, a network-based intrusion detection tool may be implemented without the knowledge that a majority of your workloads are deployed in containers.

"A typical network scanning tool will not see any of the communications going directly from container to container," Lacework's Bernstein said. "This results in a giant blind spot."

A call to action

In its recent report, the Cloud Security Alliance offers a new perspective on cloud security—one that shifts from the traditional concerns of vulnerabilities and malware, and tilts toward configuration and authentication.

These security issues "are a call to action for developing and enhancing cloud security awareness, configuration, and identity management," the report said.
