Undoubtedly, the year 2020 has been an inflection point for propelling increasingly more data to the cloud for superior management, predictive analysis, and comprehensive data security. Reliable and meticulous, the top cloud providers offer top-notch security tools to manage customers’ workloads. However, this assurance brings a catch: these providers have only gradually become transparent about where their responsibilities end and the customer’s begin with respect to the management of customer workloads. The public cloud providers’ shared responsibility model spells out what customers are responsible for in managing the workloads they operate, while the providers take responsibility for the ongoing security and upkeep of the cloud infrastructure. Considering the enormity of the responsibility that customers face on the cloud, let’s carefully examine the top challenges that come with this exercise.
By Raghunath Venkat Thummisi, Founder & CEO, Cannon Cyber
New organizational perimeter – Diversified workloads spanning on-premises, public, and private clouds have extended the boundaries of the enterprise, prompting customers to scramble to grasp the new organizational perimeter and deploy effective perimeter security.
Role played by Cloud Access Security Broker (CASB) – The organizations’ move to cloud services has triggered an increased opportunity for the deployment of CASB solutions. A CASB is deployed to monitor and understand data flows in order to detect potential threats and stop a variety of breaches. CASB systems are also deployed for inline data protection, using tokenization or encryption. The potential use cases for CASB solutions are many, but they are hindered by the lack of consistent technical standards for data protection that the cloud providers can follow.
The current systems fall short in addressing all these challenges.
Complexity through data overload and lack of visibility – Some customers lack a complete understanding of the cloud infrastructure services provided, how to use them effectively, and the associated challenges that hinder their organizational security compliance. One of the significant advantages of leveraging cloud-based technologies is that organizations do not have to manage the resources and workloads to keep them operational. Cloud controls and triggers make it possible to have a set-up where this is handled by the cloud provider. However, the very benefits of cloud operations have a downside as well: losing control, and hence visibility, of the day-to-day tasks of managing, monitoring, and maintaining the systems. This presents a significant security risk in terms of not having a handle on these activities.
This poses an important cloud security risk that customers need to address, as it affects their operations through the inability to validate the effectiveness of security controls and postures related to storage, network instances, and policy triggers. It also undermines threat remediation on account of the lack of control over cloud assets. This has a cascading effect in the inability to run predictive analytics on utilization to identify anomalies related to potential security Indicators of Compromise (IOCs). Cloud practitioners need to be cognizant of the impact of adding cloud services to existing workflows, so as to have a granular view of data paths across applications that can be tracked in conjunction with the services made available by the cloud providers to protect against data breaches. This is an important consideration in evaluating and determining the level of visibility and control that organizations have to better protect themselves.
A detailed understanding of cloud providers’ logging and monitoring features can be leveraged along with the workflows, policies, and rules related to the application lifecycle; this will enhance visibility through a continuous view of application and asset health.
Multi-Cloud workloads – To an increasing extent, organizations embrace a diversified approach to guarding core assets and data through the adoption of a multi-cloud strategy, which avoids putting all resources into one basket. A multi-cloud strategy enables organizations to align application needs for resiliency, optimization, and performance. A distributed set of services makes it harder for attackers to launch a DDoS. Additionally, this model is favorable as a means of preventing vendor lock-in. While this model constitutes a sound business strategy, it invariably presents a multitude of challenges in deriving consistent security policies across all the environments, thereby exposing users to the potential risk of unidentified threats and an inconsistent security posture.
Not Inherent to Cloud – Traditionally, many SaaS applications haven’t been designed for operating in cloud environments. They must be re-designed and made cloud-native. Some vendors cut corners and take shortcuts to make their applications cloud-ready, and this results in unexplored native security flaws in those applications.
Workload lifecycle management and threats – Deceptively, the ease of staging and de-staging virtual appliances on a cloud, accompanied by a warmer embrace of open source, can create tremendous risks that may compromise the security of systems. Notably, the following responsibilities carry great importance: identifying and mastering an approach to Identity & Access Management (IAM) pertaining to roles, users, key management, RBAC policies, etc., in addition to policies concerning workloads, instances, and specific service-based triggers. Consequently, organizations must devise a well-rounded, automated approach to the lifecycle management of the control, application, and data paths.
Third-party security – RSA 2020 enlightened participants about a significant theme: third-party security, which has garnered attention alongside the increasing number of breaches related to third-party integrations. Managing third-party risk isn’t just a nice-to-have strategy; regulatory controls mandate consistent management of third-party integrations, factoring in the multipath data flows that today’s applications orchestrate. Depending on industry and data privacy laws, organizations must contractually mandate security and privacy measures and controls for third-party integrations. Establishing secure controls demands a very sound and resilient third-party security policy baked into the configurations. It must not only enable organizations to automatically identify their overall posture against organizational and regulatory mandates, but also have remediation measures available to fix inconsistencies.
Secure your APIs – Most security products protect data and access through the lifecycle of the data-consuming process and report to several partner tools through SOAP or REST APIs. Moreover, myriad public APIs document their implementation and inner workings, which can be used to launch attacks through message intercepts, packet injection, or man-in-the-middle threats. Most of these negative outcomes are therefore attributable to the poor design of API constructs.
Shift Left – Traditionally, static and dynamic analysis security tools employed in tandem enable engineering teams to identify security vulnerabilities in the application source early in the lifecycle and ensure conformance to organizational coding guidelines. However, they present a challenging proposition when it comes to effectively managing run-time issues, such as inspecting application behavior and the context around it. Consequently, Runtime Application Self-Protection (RASP) tools are gaining ground. The growing hygiene of building secure products and environments focuses on preemption rather than remediation after an incident has occurred, and is gaining prominence.
5G Security – The emergence of 5G will define a new paradigm in the edge-cloud infrastructure with newer industries and use cases while redefining existing industry applications. Along with it, 5G brings additional threat vectors to be addressed. According to the 5G PPP organization (https://5g-ppp.eu/), over 7 trillion wireless devices will be connected, opening new possibilities for security vulnerabilities. With the explosion of the edge-cloud infrastructure, researchers at Purdue University have identified 11 new vulnerabilities related to the 5G locations of endpoint devices, thereby raising the specter of endpoint device attacks. Not only does 5G bring faster speeds to accelerate data movement to the cloud, it also arrives with an unfamiliar set of challenges.
Is System Randomization the answer to next-gen Cloud Security? As various industries look at handling the diverse sources of security breaches at a revolutionary pace, the continuing prospect of protecting static infrastructures against dynamic and ever-mutating threat vectors begs the question of how to make our cloud infrastructures more dynamic so that they are less vulnerable to attackers. Major advances in the field of system randomization, related to the concept called Moving Target Defense (MTD), focus on randomizing workload policies to minimize the information gained by adversaries. Moving Target Defense (MTD) has shown promise as an effective security mechanism for securing the cloud by changing the attack surface to create uncertainty for attackers.
Randomizing system attributes including policies, passwords, configuration, runtime configurations, memory locations, and dynamic compilation provides some answers and presents an orthogonal perspective of looking at security defense.
As industries across the spectrum embrace digital transformation and sprint towards an agile way of managing their enterprise workloads, public clouds and their associated complexity offer a new frontier in protecting organizations’ core assets.
This story first appeared in the June 2020 issue of CISO MAG.
About the Author
Raghunath Venkat Thummisi is a passionate product builder, security practitioner, and evangelist focused on building the next generation of security products for businesses that are experiencing a rapid change in their security perimeter. Venkat’s experience is in building scalable, cloud-native infrastructure SaaS products with a focus on security across the landscape from core to edge. In doing so, he has built strategic ecosystems of customer and channel partnerships. His experience spans big companies such as EMC, RSA, and Trizetto, as well as his current startup (Cannon Cyber). He is a contributing member of the Forbes Technology Council and CISO MAG, and he loves to be in the midst of the action, advising emerging startups to foster innovation.
The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.