With nearly 50% of global corporate data now stored in the cloud, it is no surprise that cloud security has become an essential priority for cloud users. Many people still argue that their data may be safer on their local servers, where they have more control over its security; in that case, however, the safety of the data depends entirely on the capabilities of the organization holding it. In contrast, experts suggest that storing data in the cloud is more secure, as cloud service providers have a superior security architecture in place to protect it. While both arguments have pros and cons, one cannot deny the degree of freedom and efficient performance of cloud computing. At the same time, it can safely be said that any technology is only as effective as its users' understanding of it, and the same applies to cloud security.
By Abbas Kudrati, Chief Cybersecurity Advisor, Microsoft Asia Pacific
How Cloud Security Differs From Traditional Infosec
The security threats involved with cloud computing are generally stressed more than its benefits, as the concept of your entire data and operations living in a digital but dynamic environment, where things are constantly changing, is hard to wrap our heads around. However, cloud security operations are more or less similar to those of traditional IT security. Therefore, understanding the particular differences between them is critical to dispelling the lingering suspicions about the term ‘cloud.’ Some of the key differences that cloud security needs to consider are:
- Restructured boundaries: The core of cloud security deals with access and authorization protocols and restrictions. The traditional security environment controlled access using a perimeter security model, i.e., providing access over local networks, etc. However, the cloud environment is highly interconnected and spread over the internet, where the traffic bypasses traditional perimeters. Thus, the cloud security framework must include security models for application programming interfaces (APIs), identity and access management, account hijacks, malicious insiders, etc. Similarly, preventing unauthorized access by adopting a data-centric approach and strengthening the authorization process are some of the solutions that CSPs need to implement.
- Virtual scalability: Cloud computing implies hosted resources delivered via software. Data storage and processing in cloud infrastructure are dynamic, scalable, and portable. Hence, the cloud security framework needs to incorporate the environmental variables that accompany each workload. The framework also needs to cover data both at rest and in transit, whether encrypted or moving dynamically through the cloud management system and APIs, to mitigate threats and data loss.
- Evolving threat landscape: With the rapid growth in technologies, the threat landscape and attack vectors are also evolving. These sophisticated developments are anything but a positive influence on modern digital security, which of course includes the cloud. Advanced Persistent Threats (APTs) and increasingly sophisticated malware and ransomware are designed to evade security defenses by targeting vulnerabilities in the computing stack. As a result, there is a pressing need to develop clear solutions to these threats. It is the responsibility of both cloud service providers and their clients to stay updated on emerging threats and to evolve their cloud security practices accordingly.
Cloud Security Challenges
Cloud computing and storage is a service relationship between the cloud service provider and the client. Each has its share of responsibilities while incorporating cloud technology into its existing applications and network. Hence, an implementation error or misconfiguration on either side could lead to vulnerabilities. In addition, cloud security is a key concern for cloud storage providers, as they are bound by regulatory requirements for storing sensitive data. But the security reality differs with respect to various aspects of how cloud technology is implemented, such as the lack of clear perimeters in the public cloud. These issues are further augmented by the challenges posed by modern cloud approaches such as automated Continuous Integration (CI) and Continuous Deployment (CD), distributed serverless architectures, Functions as a Service (FaaS), and containers.
Some of the most prominent threats to cloud security include data breaches, account hijacking, data loss, insecure application programming interfaces (APIs), service traffic hijacking, inept cloud storage providers, shared technology, etc., any of which could compromise cloud security. Attacks such as Distributed Denial of Service (DDoS), which shut down a service by overwhelming the application or network with traffic, are among the most-discussed issues for cloud security. Apart from this, the human element also contributes significantly to the existing challenges. Most people think external hackers and malicious insiders are the biggest threat to cloud security, but that’s not always the case. Internal employees do present a large risk for cloud security, and these employees need not have any malicious intent. They can still cause harm unknowingly through mistakes such as using a personal, unsecured device to access sensitive data, accessing it from outside the organization’s secure network, etc.
The change in the threat landscape can be identified and classified into three stages: exploit, traversal, and monetization. Traditional exploits included social engineering, phishing, and geo-filtering evasion through proxies; in contrast, exploits against cloud platforms involve acquiring tenant keys from GitHub, RDP/SSH password spraying, brute force, etc. Similarly, traditional traversal techniques included credential theft and abuse (hashes, SSH keys, etc.) and scan-and-exploit, whereas for cloud platforms traversal has evolved into pivoting from the cloud to on-premises systems. For monetization, threat actors famously use ransomware, targeted data theft, commodity botnets/DDoS, etc., but the latest attempts have evolved towards crypto-mining (on web servers and in visitors' browsers).
Increased attack surface, lack of visibility and tracking, changing workloads, and complex cloud environments can be considered some of the advanced cloud-native security challenges that present themselves as multilayered risk factors for cloud-oriented operations. Apart from these, a few other trending security challenges can be listed as follows:
- DevOps: Organizations that have implemented the highly automated DevOps and CI/CD (Continuous Integration and Continuous Deployment) technologies need to identify vulnerabilities during the SDLC (Systems development life cycle) stages and embed appropriate security controls.
- Data visibility and control: The crux of any shared cloud storage service is that the data is moved outside the corporate network, away from devices managed by the IT team. In many situations, such as security integration or cloud forensics, this makes it harder to access the data freely. Also, to understand the overall security posture, the IT team needs the ability to see into the cloud service itself. The limited control over and access to underlying elements granted to the client makes it difficult for the client’s infosec team to build a near-complete defense around them.
- Cloud-native breaches: These types of breaches differ from the traditional on-premises breaches, as they often occur using native functions of the cloud. Unlike the traditional IT attacks that require malware to deploy/land attacks, the malicious actions are deployed by exploiting errors or vulnerabilities in a cloud deployment without the use of malware. The threat actors tend to expand their access through weakly configured or protected interfaces and tamper or exfiltrate data.
- Misconfiguration: The overall security responsibility in the cloud is generally divided in two, between the cloud service provider and the client, through the service level agreement (SLA), where each is responsible for the security of their own physical and digital assets within their perimeter. The security responsibility against cloud-native breaches often falls to the cloud customer, including the configuration of the cloud service or assets. Misconfiguration of services, especially in IaaS (Infrastructure as a Service), leads to vulnerabilities that invite cloud-native breaches. Studies have shown that 99% of misconfigurations go unnoticed by cloud customers. The same can be said for AWS S3 buckets, where user roles are often configured very loosely, granting extensive privileges to those who do not require them.
Trends in Cloud Security
The shared responsibility cloud model tends to push most virtual infosec responsibility onto the organizations using cloud services, even when the data is being used, processed, and managed in a third-party cloud. Thus, organizations are developing new practices to meet these responsibilities. One trending method is using centralized platforms to provide unified multi-cloud security, as most organizations use multiple CSPs. Tools such as a cloud access security broker (CASB) can help here, as a CASB sits between users and cloud applications and monitors activity. Another trending approach is to protect data before it reaches the cloud through encryption, masking, and tokenization. Similarly, organizations are adopting a zero-trust model to improve their identity and access management, since numerous recent breaches have targeted misconfigured accounts. Hence, organizations are developing specific identity management platform capabilities that can integrate into their cloud environments.
Secure Access Service Edge
Secure Access Service Edge (SASE) is a single cloud-delivered service model that incorporates multiple network security frameworks such as CASB (Cloud Access Security Broker), Zero Trust, FWaaS (Firewall as a Service), etc. onto a single WAN platform. This framework enables fast and secure cloud adoption without interrupting data accessibility. The COVID-19 pandemic has acted as both the impetus and the driving force for digitalizing the operations of many corporate organizations, and the cloud has grown in popularity accordingly. Correspondingly, cloud security, and especially SASE, has spurred the interest of security professionals managing the challenges of remote operations.
SASE merges network traffic and security priorities while maintaining direct and fast network-to-cloud connectivity, i.e., a combination of speed and security control. Furthermore, it allows security professionals of the client organization to apply identity and context that specify the exact level of performance, reliability, and security for each network session. Some of the significant benefits of the SASE framework are:
- Provides flexibility in implementing infosec services such as threat prevention, web filtering, sandboxing, DNS security, credential theft prevention, data loss prevention, next-gen firewall, etc., in the cloud architecture.
- It is a single platform that provides multiple security services, saving cost and security expenditure for the cloud service user.
- Simplifies network security by minimizing the number of security assets and applications needed to be managed.
- High-speed delivery and connectivity increase performance without compromising security, as its threat prevention model provides complete content inspection.
- It is widely known to provide a Zero Trust model to the cloud users by removing trust assumptions when users, devices, or applications connect to the cloud.
About the Author
With over 21 years of experience in information security, Abbas Kudrati is currently the Chief Cybersecurity Advisor at Microsoft Asia Pacific and has abundant experience in the domains of cloud security, digital transformation, zero-trust network architecture and strategy, cybersecurity strategy and road map development, stakeholder engagement, vendor management, security operation, incident management, security governance, compliance management, enterprise security architecture, and security awareness.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.