Unclouding Cloud Security

Bob Ivkovic, Principal of IT Architects

May 28, 2019

The toughest part about protecting corporate IT assets in the cloud is knowing what these assets are and who is using them.  Cloud providers are pretty good at hiding everything going on in the cloud infrastructure – from the cloud’s core to its edge.  Thus, we don’t always have a clear understanding of what parts of our cloud applications are the business’s responsibility to secure, and which fall under the domain of the cloud service provider.   If the business and cloud service provider are looking at each other to keep up their end of the bargain but don’t know where the dividing line is, it’s pretty well a given that security will be breached and data will be stolen, if not destroyed.

Whenever we acquire or use cloud applications or resources, we must ensure that those services are safe and compliant with enterprise security policies. Otherwise, we’re at risk of the bad guys downloading unsecured corporate files, theft of intellectual property, and complete business disruption. This is ever so important with enterprise adoption of cloud technology and services as organizations store their data in the cloud. Sadly, as cloud usage is accelerating, security considerations are lagging behind. Furthermore, users have adopted rogue cloud applications where technology decisions are being made by employees without the knowledge or approval of the IT staff. These decisions are rooted in the BYOD (Bring Your Own Device) movement and the consumerization of IT, or should I say the commoditization of IT. Just think about individual employees storing and sharing confidential business information such as customer data or financial documents in Dropbox. Management is too wrapped up in management to pay attention to technology standards and protocols. Most everyone is signing up for hosted SaaS applications such as WordPress and Adobe Creative Cloud because anyone can do it, and you can do it without anyone else knowing. We won’t even talk about the popularity of sharing cloud-based collaboration platforms such as Slack or SharePoint with partners, suppliers, and customers. It’s become a free-for-all where corporate standards and guidelines can be ignored.

Regardless of what cloud products and services we’re using, organizations must ensure that they are implemented in accordance with corporate security policies; otherwise, the organization is at risk of having critical data lost or stolen or of letting outsiders gain access to confidential information and processes.  The risks are just too great to stand around and remain complacent about cloud security.  Organizations must get serious about protecting their IT assets in the cloud by addressing security threats and becoming proactive in challenging them.  Some key security practices every organization must undertake to secure its IT assets include the following:

  1. Identify All the Assets You Need to Protect

Anything you own has to be secured. Just think of all the cameras around an office building monitoring the grounds and inside hallways while capturing everything on video. And don’t forget access cards used to get into secured work areas, and the tracking software to identify who is where and when. This also applies to software monitoring network traffic, and identifying who has logged into the network, as well as who is using enterprise applications. The software alerts the security team of suspicious activity and those who are trying to hack their corporate systems. It goes as far as identifying the device, type, device location, and telemetry involved. This software is sophisticated enough to identify who is fishing versus phishing for information. The visibility into usage of systems and networks is possible through AI-based security software that can detect anomalies and identify patterns of behaviour pertaining to fraudulent and illegal activity. Let’s face it, without this kind of visibility, it would be difficult to find the root causes of unusual situations as they happen. This kind of visibility is required to keep IT assets secured. It’s unfortunate that organizations have lost visibility into what their employees are doing with cloud services and where their data is sitting. Some of the more security-conscious organizations have implemented a Cloud Access Security Broker (CASB) to get visibility into the entire cloud stack while providing security automation enforcing corporate policies. CASB provides threat detection, automated incident response, predictive analytics, and security configuration management. Organizations with hundreds, or even thousands, of applications require a CASB to monitor business-critical cloud transactions and enforce policies in accessing their enterprise applications.

  2. Promote a Shared Security Model

An organization typically has complete ownership of security in a traditional data center application, from physical installation to network access, from patching vulnerabilities to checking users’ digital credentials. However, in a cloud service model, responsibility for security is shared between the organization and the cloud service provider. This is a problem when there is misunderstanding about the shared security model for cloud services. Many organizations tend to ignore illicit behaviour and hacking activity because they don’t see that as their responsibility when it comes to a cloud service. However, any model based on IaaS, PaaS, and SaaS requires the organization to take responsibility in preventing illegal activities from penetrating the cloud, either the service or the application itself. This is important when it comes to user authentication, especially since an organization knows who its users are and what they’re allowed to do. Most organizations strive to establish a single-sign-on authentication solution, but fail to understand that passwords simply aren’t good enough. Thus, organizations can further protect critical data and transactions by using multifactor authentication with biometrics. Overall, suspicious user activities should be identified, monitored, and acted upon. This is referred to as “security event monitoring” and should not be confused with foundational event monitoring that cloud service providers use to defend against various network-level events. This security event monitoring function tackles the visibility issue and the matter of sharing security responsibilities.

  3. Assign a Security Owner

Adoption of a cloud-based application or service should always include a security owner responsible for the entire enterprise application portfolio. This individual needs to be part of the evaluation and approval process for adoption of any cloud-based solutions. Furthermore, this individual and team must be involved in the implementation and integration of future cloud applications and services into the existing application landscape. Otherwise, it’s only a matter of time before security incidents begin showing up on their dashboard. Communication, collaboration, and visibility across the application portfolio are the key to securing IT assets plugged into the network infrastructure. It’s no wonder that organizations fail to collaborate on security, risk, compliance, and privacy issues. Teams start working in silos, and security ends up falling through the cracks. Thus, everybody has to understand their unique roles in making cloud security successful not only across the enterprise application landscape, but also across the interfaces to external entities such as partners, vendors, suppliers, and other stakeholders.

The irony is that organizations trust the cloud to support their critical applications and to store corporate data. They think because someone else is managing their assets, they’ve got the security part well in hand. Wrong. Although security technology has the potential to minimize risks, it’s the responsibility of the organization to identify any security loopholes and any potential for a security breach. It’s a fact that there is much more security awareness today, and the cloud security capabilities and solutions available are far superior. What’s still missing though is the communication and collaboration between the security and risk teams to make it airtight.

Mr. Bob Ivkovic is a Principal with IT Architects in Calgary, Alberta.  IT Architects (www.itarchitects.ca) is an information consulting firm specializing in business process optimization, system evolution planning, and the deployment of leading-edge technologies.  If you require further information, Bob can be reached at [email protected] or 403-630-1126.
