How improving security management can help protect the cloud [Q&A]
Cloud misconfigurations are one of the major causes of data breaches and the problem has become worse thanks to the dash for remote working.
While cloud is undoubtedly the right choice for businesses looking to expand their infrastructure to keep pace with DevOps demands and embrace support for remote working, many enterprises are falling short of providing adequate Cloud Security Posture Management (CSPM).
We spoke to Sergio Loureiro, cloud security director at Outpost24, to find out more about how organizations can deploy CSPM to prevent losing data from unsecured cloud estates.
BN: What is cloud misconfiguration and what are the consequences of a poorly configured cloud environment?
SL: Cloud misconfigurations arise when security settings are not defined or implemented, and default values are maintained. Usually, this means the configuration settings do not comply with the industry security standards (CIS benchmarks), which are critical to maintaining cloud security and reducing the risk of data breach. Misconfigurations normally happen when a system or database administrator does not properly configure the security framework of the cloud according to cloud security best practice, leading to dangerous open pathways for hackers to get in, plant malware and steal your data.
Misconfigurations often occur due to a variety of security missteps, typically human error (Gartner reports 99 percent of cloud security failures come from the user) because of under-skilled staff and shadow IT when embracing new technologies away from the parameters of traditional security models and network security controls. Other areas where security falls short are the lack of data and asset visibility that comes with the unparalleled speed of change, scale and scope, making it difficult to govern and monitor without automation.
Often seen as an easy target for hackers, cloud misconfigurations are typically detected using automated tools bought from the Dark Web. These tools are used to scan the internet looking for vulnerabilities and identifying misconfigurations to exploit, and can lead to costly data leakage issues like the 2019 Teletext exposure of 530,000 data files, caused by an insecurely configured Amazon Web Services (AWS) web server.
BN: How can companies implement security controls to prevent cloud misconfigurations?
SL: Cloud security controlling and monitoring needs to be addressed head on when considering migrating to cloud and understanding the gaps in the shared responsibility model. It's essential for security and IT teams to collaborate and plan to ensure clouds aren't launched with improper configuration and default settings, and to understand what's covered and what's not with your Cloud Service Providers from a security perspective. Think of it as the Cloud Service Provider acting as the house to store your valuables, but it's your responsibility to put locks and alarms on your doors to protect the contents.
There must be adequate security emphasis on misconfigurations, versus traditional vulnerabilities which can be monitored and patched with little impact on operations. Gartner named Cloud Security Posture Management (CSPM) as one of the key areas in their Top 10 Security Projects for 2020-2021, and using CSPM solutions effectively can be an invaluable tool in preventing misconfigurations. Implementing automated CSPM will ensure continuous cloud configuration assessment across even the most diverse infrastructures and multi-cloud, checking against industry benchmarks like CIS to prevent security policy violations that would leave you non-compliant and open to cyber-attack.
BN: Does the same security best practice apply for multi and hybrid clouds?
SL: Utilizing multi-clouds brings additional security complexities and increases the likelihood of misconfigurations occurring from human error, and the risks posed by a lack of security across multiple complex environments are heightened. With different cloud setups and policies in play, it's important to have a homogeneous security view across all clouds you're using. Continuous Cloud Security Posture Management will ensure you have adequate security controls in place to spot the smallest irregularities across multiple cloud environments, including AWS, Microsoft Azure, Google Cloud Platform, Docker and Kubernetes, which is not just beneficial from an ongoing security perspective but reduces your risk of data breach.
To ensure your CSPM can support your current and future cloud model we recommend the following checklist:
- Continuous assessment of cloud and multi-cloud environments for misconfigurations
- A centralized user interface to detect and manage cloud vulnerabilities for effective remediation and provide a single view of cloud risks
- Automated security monitoring against CIS benchmarks for all major cloud service providers
- Classify and detect your cloud assets to check configuration and control cloud security
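As an added illustration, not Outpost24's product or code, here is a minimal CSPM-style check in Python that runs CIS-inspired rules over a constructed, provider-agnostic inventory and produces the single cross-cloud view the checklist asks for; the resource ids, rule names and resource shapes are hypothetical.

```python
import ipaddress

# Constructed sample inventory (hypothetical ids), already normalised into one
# provider-agnostic shape, as a CSPM tool would do for AWS, Azure and GCP.
SAMPLE_RESOURCES = [
    {"provider": "aws", "type": "storage", "id": "bucket-a", "public": True, "encrypted": False},
    {"provider": "azure", "type": "storage", "id": "stor-b", "public": False, "encrypted": True},
    {"provider": "aws", "type": "firewall", "id": "sg-c", "rules": [{"port": 22, "cidr": "0.0.0.0/0"}]},
    {"provider": "gcp", "type": "firewall", "id": "fw-d", "rules": [{"port": 443, "cidr": "10.0.0.0/8"}]},
    {"provider": "gcp", "type": "logging", "id": "audit-e", "enabled": False},
]

def _world_reachable(cidr, port, sensitive=(22, 3389)):
    """True when an admin port (SSH/RDP) is open to every address, i.e. a /0 prefix."""
    net = ipaddress.ip_network(cidr, strict=False)
    return port in sensitive and net.prefixlen == 0

# Each rule: (rule id, resource type, severity, predicate that is True when misconfigured)
RULES = [
    ("storage-public-access", "storage", "high", lambda r: r.get("public", False)),
    ("storage-unencrypted", "storage", "medium", lambda r: not r.get("encrypted", False)),
    ("firewall-admin-port-open", "firewall", "high",
     lambda r: any(_world_reachable(x["cidr"], x["port"]) for x in r.get("rules", []))),
    ("logging-disabled", "logging", "medium", lambda r: not r.get("enabled", False)),
]

def assess(resources):
    """One finding per (resource, failed rule); run this on every inventory refresh."""
    findings = []
    for r in resources:
        for rule_id, rtype, severity, failed in RULES:
            if r["type"] == rtype and failed(r):
                findings.append({"provider": r["provider"], "resource": r["id"],
                                 "rule": rule_id, "severity": severity})
    return findings

def summarize(findings):
    """Single view across clouds: finding counts by provider and by severity."""
    by_provider, by_severity = {}, {}
    for f in findings:
        by_provider[f["provider"]] = by_provider.get(f["provider"], 0) + 1
        by_severity[f["severity"]] = by_severity.get(f["severity"], 0) + 1
    return by_provider, by_severity

if __name__ == "__main__":
    results = assess(SAMPLE_RESOURCES)
    print(results, summarize(results))
```

Swapping the constructed list for a real, normalised inventory and the rule predicates for the relevant CIS benchmark checks is what turns this into a continuous assessment.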
BN: Is additional cloud security (on top of that available from CSPs) a worthwhile investment?
SL: Yes, it's essential for enterprises at all stages of their cloud maturity journey to consider and build in cloud security controls. The shared responsibility model means security isn't guaranteed and needs supplementing with security controls for compliance checking, reducing the threat of data leakage later. Hackers are always evolving and adapting their techniques to find an easy way in, and unfortunately this is the case as the number of cloud breaches increases globally, so it's important for organizations to step up and ensure they take back control.
Highlighted in the Gartner Top 10 Security Projects for 2020-2021, it's important for businesses to invest in and implement cloud security controls and best practice across different IaaS and PaaS providers. With some reluctance from IT teams to adopt cloud, stemming from security challenges, there are cloud security solutions out there which can eliminate these stresses, providing greater visibility of cloud risk and continuous monitoring for cloud weaknesses, ensuring you can identify and fix vulnerabilities more effectively for a secure cloud infrastructure.
While security tools from Cloud Providers do help when organizations are migrating and doing their first cloud risk assessments, the tools will be limited in hybrid and multi-cloud environments. Therefore it is more efficient for IT teams to use one tool which consolidates and homogenizes results across multi-cloud, rather than learn and jump between different tools in order to figure out the risk of different cloud deployments.
BN: What's the best way to successfully integrate security and cloud?
SL: Don't delay; give cloud the respect it deserves and align your security strategy to cover everything from network, applications, wireless and cloud infrastructures. Through automated and continuous CSPM tooling, businesses can feel confident they have the security tools in place to cover the most complex cloud and multi-cloud setups. Whilst managing new technologies like cloud can appear daunting and uncertain, implementing a multi-cloud orchestration and automation strategy for security will be key for your long-term cloud success and return on investment. Any attempt to roll out a new cloud environment without including security controlling will increase your cloud and overall risk and will lead to compliance failures.
Whereas CSPM is the simplest way to prevent unauthorized access to your cloud assets and data, another important consideration is to protect your cloud workloads for DevOps work streams. Cloud Workload Protection Platform (CWPP) is a host-centric solution that targets the unique requirements of server workload protection in modern hybrid data center architectures, and checks the workloads being migrated to IaaS with integrated vulnerability scanning. It is often used in tandem with CSPM to ensure your assets are risk-free, and the combination will ensure your cloud and assets are always protected and secure. In the shared responsibility model, organizations stay responsible for their workloads. Therefore, IT teams need to implement the same security processes to protect workloads (the CWPP part) and the cloud configuration assessment (the CSPM part), two sides of the same coin.