Over the last several years, public cloud computing resources have developed into a flourishing IT supermarket of processing capacity, storage, applications, and a variety of automated tasks (networking, security, and system maintenance), all offered “as a service” by third-party vendors.
These and other public cloud computing services have mushroomed largely due to the economic and strategic advantages they offer their paying customers:
- Cloud computing services enable greater agility in delivering IT services to end-users. Enterprise customers can turn them on and off at will, or dynamically scale their consumption to meet seasonal or business cycle demand swings.
- Cloud services customers can also delegate responsibility for performing non-core business tasks to cloud-based service providers. Few organizations, for example, gain competitive advantage from processing their own payrolls, employee expenses, sales contact databases, employee performance management systems, or other necessary but humdrum processes.
- Likewise, cloud services customers are able to outsource many time consuming IT administrative functions, such as software maintenance, endpoint management, trouble ticketing, and end user provisioning.
- Acquiring IT services on a subscription basis also enables organizations to convert what were once complex mixes of capital investment and operational expenses into simple accounts payable line items.
Public Cloud Security Risk Factors
As with every IT undertaking, adopting public cloud-based services also introduces some significant, yet manageable security risk factors into the IT value delivery equation.
Acquiring cloud services puts buyers in the position of having to trust cloud vendors to deliver clean and secure offerings. While the overwhelming majority of service providers do a good job of keeping their offerings secure, purchasers still need to practice due diligence with regard to purchasing and managing cloud services offerings.
Many cloud service providers also have headquarters or operate facilities offshore. While an offshore presence should by no means be a deal-breaker, many buyers, and the stakeholders they serve may be subject to data patriation requirements that forbid electronic information from traveling beyond national borders or into specific countries.
In addition, buyers need to carefully consider the quality of a cloud vendor’s front-line service delivery staff. What is their general level of technical education? Do they possess certifications in competencies important to the purchaser? Might they have conflicting loyalties? Do foreign providers cynically consider cybersecurity to be a first-world problem?
Users must also consider the degree to which service providers exercise best practices in employing IT processes and protecting data placed in their care. How robust are their preventative cybersecurity and hygiene programs? How effectively do they detect and respond to exploits? How promptly and thoroughly do they report breaches to customers and the public?
Finally, cloud vendor cybersecurity practices can inherently lack transparency compared to what a purchaser expects and receives from in-house IT programs. And even when a cloud services user becomes aware of a security issue traceable to a cloud-based service, they may not have the power to fix things not under their immediate control, so they should be familiar with escalation procedures and the details of any service level agreements (SLAs).
Specific Types of Public Cloud Security Exploits
In general, if a cybercriminal is able to successfully launch an attack at an owner-operated IT infrastructure, they can also launch one at a cloud service provider. In fact, public cloud services have become highly attractive targets for cybercriminals. For them, breaking into a cloud service is like merging onto a superhighway that can deliver their little bundles of evil far and wide, potentially impacting hundreds or thousands of organizations with a single strike. Vectoring a threat through a cloud service can also enable an adversary to bypass an organization’s native cybersecurity defenses.
The most common public cloud-borne security breaches fall into three categories:
- Account Hijacking. Account hijacking can either be an exploit in and of itself, or be used as a gateway to perform other kinds of mayhem. Here, criminals use fake identities and counterfeit credentials to break into and exploit various kinds of cloud-delivered services. The objectives of account hijacking can include accessing confidential data, stealing infrastructure-as-a-service processing and storage capacity, impersonating legitimate end users, or performing malicious hosted infrastructure management actions.
- Malware Distribution. Adversaries are increasingly able to leverage compromised cloud-based services to distribute spam emails and messages or malware. A recent report issued by Cyren Internet Security indicates that nearly 10% of all emails delivered over Microsoft Office 365 services are spam, phishing, and malware delivery vehicles. Likewise, many believe that easy malicious access to cloud services is one reason ransomware will become a billion-dollar criminal industry in 2018.
- Data Leakage. Adversaries that manage to ride in on cloud services are not only able to exploit their immediate target, but also use that cloud environment as a springboard to attack the target’s customers, employees, partners, and other stakeholders.
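Account hijacking, the first category above, leaves traces in the sign-in audit trail that every major provider exposes: bursts of failed attempts followed by a success, successes from two countries too close together to be real travel, and console logins that never passed MFA. The following detection logic is an added example, not code from the original article or from any vendor; the record layout, user names, and countries are constructed for illustration and do not match any provider's native log format.

```python
"""Detect common account-hijacking indicators in cloud sign-in audit events.

Added example; the record layout, user names, and countries are constructed
for illustration and are not any provider's native log format.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events, one JSON object per line (not real data).
SAMPLE_LOG = """\
{"ts": "2018-03-01T08:00:00Z", "user": "alice", "country": "US", "outcome": "success", "mfa": true}
{"ts": "2018-03-01T08:05:00Z", "user": "bob", "country": "US", "outcome": "failure", "mfa": false}
{"ts": "2018-03-01T08:05:10Z", "user": "bob", "country": "US", "outcome": "failure", "mfa": false}
{"ts": "2018-03-01T08:05:20Z", "user": "bob", "country": "US", "outcome": "failure", "mfa": false}
{"ts": "2018-03-01T08:05:30Z", "user": "bob", "country": "US", "outcome": "failure", "mfa": false}
{"ts": "2018-03-01T08:05:40Z", "user": "bob", "country": "US", "outcome": "failure", "mfa": false}
{"ts": "2018-03-01T08:06:00Z", "user": "bob", "country": "US", "outcome": "success", "mfa": false}
{"ts": "2018-03-01T08:30:00Z", "user": "alice", "country": "BR", "outcome": "success", "mfa": true}
{"ts": "2018-03-01T09:00:00Z", "user": "carol", "country": "DE", "outcome": "success", "mfa": true}
"""

FAILURE_THRESHOLD = 5                 # failures before a success that suggest credential guessing
FAILURE_WINDOW = timedelta(minutes=10)
TRAVEL_WINDOW = timedelta(hours=1)    # two countries inside this window is physically implausible


def parse_events(text):
    """Parse newline-delimited JSON into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_hijacking(events):
    """Return (user, rule, timestamp) tuples for every suspicious successful sign-in."""
    alerts = []
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    for user, evs in by_user.items():
        last_success = None
        failures = []                 # timestamps of failures not yet followed by a success
        for ev in evs:
            if ev["outcome"] != "success":
                failures.append(ev["ts"])
                continue
            # Rule 1: a burst of failures right before a success looks like credential guessing.
            recent = [t for t in failures if ev["ts"] - t <= FAILURE_WINDOW]
            if len(recent) >= FAILURE_THRESHOLD:
                alerts.append((user, "success_after_failures", ev["ts"]))
            # Rule 2: successes from two countries within an hour are "impossible travel".
            if (last_success is not None
                    and ev["country"] != last_success["country"]
                    and ev["ts"] - last_success["ts"] <= TRAVEL_WINDOW):
                alerts.append((user, "impossible_travel", ev["ts"]))
            # Rule 3: a console success without MFA deserves a ticket for any privileged account.
            if not ev["mfa"]:
                alerts.append((user, "success_without_mfa", ev["ts"]))
            failures = []
            last_success = ev
    return alerts


def run_sample():
    """Run the rules over the constructed sample log."""
    return detect_hijacking(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for user, rule, ts in run_sample():
        print(f"{ts.isoformat()}  {user:<6}  {rule}")
```

On the sample, `alice` trips the impossible-travel rule (US, then Brazil 30 minutes later) and `bob` trips both the failure-burst rule and the no-MFA rule. In production the thresholds would be tuned per environment, and rule 3 would typically be scoped to administrative roles to keep the alert volume manageable.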
Steps Toward a Solution
Enterprise IT organizations can take a number of measures to increase the security of the public cloud services they consume. These include:
- Shifting to a Multi-cloud Security Posture. The ongoing transformation of enterprise IT into a portfolio of internal private and external public cloud resources shifts the security mission to one of maintaining consistent multi-cloud security. The first thing that needs to be done is to treat data and traffic from internal and external cloud sources the same way you would manage traffic from any other source. This means subjecting traffic from cloud services to the same security processes and controls that apply throughout the rest of your infrastructure.
- Cloud Service Providers Share the Burden. As their customer, you should hold public cloud service providers responsible for maintaining the highest standards of security. You should definitely include security standards and practices in the cloud vendor qualification process. Operationally, cloud service providers should also agree to incorporate security-based SLAs into their contracts.
The good news is that many public cloud service providers have woken up to their responsibility to deliver secure offerings to their customers. They understand that while the general public may shrug off what seems to be a constant media drone about breaches and rumors of breaches, professional cloud services purchasers are a much more demanding audience. They insist on “clean” public cloud service providers and steer clear of sloppy ones.
Leading cloud service providers, including Amazon Web Services (AWS), Google Cloud Platform, and Microsoft Azure infrastructure-as-a-service vendors, as well as application service providers such as Google for Work, Microsoft Office 365, and Salesforce.com have also moved to establish collaborative vendor/customer security initiatives. This builds greater trust between cloud vendors and customers by building a more seamless security fabric.
- Transparent Visibility and Controls. There is much you and your organization can do to establish equivalent levels of security across externally sourced public cloud-based services and internally sourced IT processes and services. The goal here is to build and maintain a common security fabric that spans across all elements of a multi-cloud enterprise IT portfolio.
Architecturally, this kind of security fabric begins with transparent visibility and control across all elements of an enterprise’s IT infrastructure—data center, endpoint, internal cloud, external cloud, virtual, and on-premise. Visibility is both a virtue in itself and a necessary pre-condition for timely and effective threat detection and prevention.
- Network and Data Segmentation. Network and data segmentation can play a particularly important role in securing multi-cloud infrastructures. With regard to networks, software-defined wide area networks (SD-WAN) enable expedited network configuration and reconfiguration capabilities. Taking a dynamic approach to network configuration also aligns well with the services-on-demand flexibility of cloud services. Compartmentalizing services and workloads can limit damages caused by breaches, while frequently reconfiguring infrastructures makes it harder for attackers to enter, explore, and find exploitable assets within an enterprise domain.
Data segmentation involves identifying the differing types of data that are processed, stored, and trafficked in your infrastructure, and analyzing who uses it, for what purpose, what risk factors pertain to it, and how it’s protected. From there, organizations can set and enforce policies to better control data usage and protections.
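The two segmentation ideas above, which segments may talk to which and what classification of data each segment is trusted to hold, reduce to a policy that can be evaluated mechanically against flow records, with a sanctioned external cloud service and an unsanctioned "shadow" service described in the same table as internal tiers so that, as the multi-cloud posture section recommends, traffic to a cloud service is held to the same controls as any other traffic. The following policy checker is an added example, not code from the original article or from any product; the segment names, classification levels, and sample flows are constructed for illustration.

```python
"""Evaluate network and data segmentation policy against flow records.

Added example; segment names, classifications, and the sample flows are
constructed for illustration, not taken from any product or environment.
"""

# Classification levels, lowest to highest sensitivity (constructed scheme).
CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2}

# Each segment is trusted to hold data up to the stated classification.
# Internal tiers and external cloud services sit in the same table, so one
# policy governs both (constructed data).
SEGMENTS = {
    "web-dmz":      "public",        # internet-facing front end
    "app-tier":     "internal",      # private cloud application servers
    "db-tier":      "confidential",  # customer records
    "saas-crm":     "confidential",  # sanctioned external SaaS
    "shadow-share": "public",        # unsanctioned consumer file-sharing service
}

# Segment-to-segment flows that are permitted at all; direction matters.
ALLOWED_FLOWS = {
    ("web-dmz", "app-tier"),
    ("app-tier", "db-tier"),
    ("app-tier", "saas-crm"),
}

# Constructed flow records: (source segment, destination segment, data classification).
SAMPLE_FLOWS = [
    ("web-dmz", "app-tier", "internal"),
    ("app-tier", "db-tier", "confidential"),
    ("web-dmz", "db-tier", "confidential"),       # front end bypassing the app tier
    ("app-tier", "saas-crm", "confidential"),
    ("app-tier", "shadow-share", "confidential"),  # confidential data leaving to a shadow cloud
    ("app-tier", "unknown-vpc", "internal"),       # destination nobody has inventoried
]


def check_flow(src, dst, data_class):
    """Return the list of policy violations for one flow; an empty list means compliant."""
    violations = []
    # A destination that is not in the inventory is itself a finding: you cannot
    # reason about a segment you have no visibility into.
    if src not in SEGMENTS or dst not in SEGMENTS:
        violations.append("unknown_segment")
        return violations
    # Network segmentation: is this path allowed at all?
    if (src, dst) not in ALLOWED_FLOWS:
        violations.append("unauthorized_flow")
    # Data segmentation: is the destination trusted with data this sensitive?
    if CLASS_RANK[data_class] > CLASS_RANK[SEGMENTS[dst]]:
        violations.append("data_class_violation")
    return violations


def evaluate(flows):
    """Map each non-compliant flow to its violations; compliant flows are omitted."""
    findings = {}
    for flow in flows:
        violations = check_flow(*flow)
        if violations:
            findings[flow] = violations
    return findings


if __name__ == "__main__":
    for (src, dst, data_class), violations in evaluate(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst} [{data_class}]: {', '.join(violations)}")
```

Against the sample, the direct web-to-database path is flagged as an unauthorized flow, the upload to the shadow file-sharing service is flagged twice (the path is not permitted and the service is not trusted with confidential data), and the flow to an uninventoried destination is flagged for lack of visibility. The same checker would run over VPC flow logs or SD-WAN telemetry once the source and destination addresses are mapped to segments.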
- Security Awareness. User security training, awareness, and cyber hygiene practices strongly influence the success of enterprise-wide cybersecurity efforts. Since the differences between internally sourced and cloud-delivered services are often invisible to end users, there's little need to differentiate user training and evangelization efforts. Still, everyone needs to know the fundamentals: not opening strange-looking email attachments, not using non-enterprise-standard cloud services to perform work, how to spot a suspicious phish, and other rules of good security hygiene.
Security awareness can also be a tool for discouraging end-user access to unauthorized "shadow cloud" services. Shadow clouds pose risks because IT and security operations may have no awareness of their use by employees and therefore lack visibility into those cloud service providers' security bona fides, much less what kinds of data employees may be exposing to them. One of the last things any CIO or CSO wants is to find themselves reporting a breach that resulted from some activity of which they had no prior knowledge.
Riding the Cloud with the Right Security
Cloud adoption is expanding rapidly. Within the next few years, it is expected that 92% of workloads will be processed by cloud data centers. And with many enterprises relying on a multi-cloud approach, ensuring that the right security controls and policies are in place for each cloud environment, as well as for data transmission and communications between each of those cloud environments, will be critical.
Digital transformation is being driven by executive mandates to accelerate the business, whether through new revenues, improved service delivery, or increased efficiencies. This mandate directly transforms cybersecurity into a strategic business enabler. Public cloud services are at the center of what is taking place. But without the right security architecture and controls in place, this essential business transformation will be inhibited or even stopped.
For more information on cloud security, check out our guide, “Defining Security for Today’s Cloud Environments.”