SECURITY: How do I Secure a Cloud Network?

The cloud may be the largest technology shift in our lifetime. In the past, the world’s most advanced technologies were only available to large companies who can afford to maintain large data centers, IT and development staff. With the cloud, anyone with a credit card and internet access can sign up with a cloud service provider (CSP) to gain virtually infinite computing resources in minutes. What makes the cloud so disruptive is that it can completely transform the basic economics of a business by accelerating time to market, expediting decision making, and ensure a faster response to global clients.

There is a dark side to the cloud: Security

In the Cloud Adoption & Risk Report1, organizations experienced on average 31.3 cloud-related security threats each month, an almost 28% increase over the same period last year and 92% of all organizations have stolen cloud credentials for sale on the Dark Web.

However, these security risks are not abating cloud adoption. A staggering 97% of worldwide IT professionals2 are using cloud functions within their organizations and 83% of companies store sensitive data in the public cloud. This broad adoption of the cloud as a repository for data also accounts for why the theft of cloud-based data affects 1 in 4 organizations globally.

Making matters worse, it’s harder than ever to hire skilled security professionals as 69%3 of cybersecurity teams are understaffed and only 34% have a high degree of confidence in their team’s ability to successfully detect and respond to cyber threats.

In the 2019 Capital One security breach, data for over 100 million credit card users, 140,000 Social Security numbers, and 80,000 Bank Account numbers4 were downloaded without triggering ANY alerts at Capital One5.  Capital One was tipped-off by an outside researcher 127 days after the initial breach. To make matters worse, the vulnerability exploited by hackers in the Capital One data breach was known by the cybersecurity industry as a potential vulnerability since 2014. 

The Capital One data breach isn’t the first time data stored in the cloud has been stolen but it does renew concerns about data security protocols in the cloud—and the role internal IT security teams play in implementing those protocols. It should be noted that Capital One worked closely with Amazon Web Services (AWS) to develop their cloud security model6  yet still suffered a massive breach.

1Cloud Adoption and Risk Report, McAfee, 2019

2Practical guidance and the State of Cloud Security, McAfee, Apr 2018

3State of Cybersecurity, ISACA, 2019

4Information on the Capital One Cyber Incident, Capital One, Sep 2019

5How the accused Capital One Hacker stole reams of data from the cloud, WSJ, Aug 2019

6Cloud security at AWS is the highest priority, Amazon

Securing a cloud network from human error

Multiple news stories have demonstrated that information can leak out of clouds.  However, it is almost always due to the users rather than the cloud provider. Human error can result in the misconfiguration of cloud security protocols. Cloud infrastructure built and managed by industry-leading CSPs such as Amazon, Microsoft, and Google is built to be secure, but it is often the organizations buying from the CSPs that are not using them securely.  Gartner7 estimates that through 2023, at least 99% of cloud security failures will be the customer’s fault.

Accidents happen, but the best way to mitigate human errors is through real-time visibility, quick notifications, and standard processes. A cloud-based network with end-to-end visibilty enables an IT operations team to see errors as soon as they occur. With quick notifications linked to standard processes, those IT operations teams get the information they need about the issue and know who is responsible to get the issue fixed quickly.

Visibility is key to cloud network security

The common thread for securing a global cloud network is visibility. To keep your data safe from hackers, you need a single unified view of every network connection. It can be difficult to obtain the “single pane of glass” view across an entire cloud network; modern enterprises often have a variety of business-critical apps, workloads in multiple cloud providers, and edge devices from different vendors on their network. CIOs and CISOs alike should demand from their service providers a client portal that simplifies and unifies network and application management with real-time visibility, analytics, and service control built for the multi-cloud enterprise.

Eliminate open file sharing

The most common cloud security incidents involve open file sharing which makes sensitive data available to outsiders8. This vulnerability is not new, in 2013 over 1,900 AWS S3 buckets were configured for public access9. In the latest Cloud Adoption & Risk Report10 organizations on average have 14 misconfigured instances running at any given time, resulting in an average 2,269 misconfiguration incidents per month. An estimated 5.5% of all AWS S3 buckets in use are misconfigured for public access.

Creating storage objects grants the owner full rights while completely denying the rest of the world. Production buckets should be explicitly configured by owners or administrators. Avoid the temptation to make them public and invest the time it takes to configure proper access control when creating storage buckets with CSPs. Organizations can use the discovery capabilities of a Cloud Access Security Broker (CASB) to find all open shares across all sanctioned and even unsanctioned applications.

Public CSPs typically offer secure settings by default but most content collaboration platforms (CCP) like Dropbox, Google Drive, and Microsoft OneDrive for Business allow users to share files and even folders with anyone who knows the URL. Because many CCP aim to enhance productivity, sharing defaults can be very permissive—which likely do not align with the security postures of most organizations.  Organizations must closely examine default-sharing options and strike the right balance between risk and trust. Restricting employees to only share links within their organization and to have the links expire within 30 days, would be a good starting point.

7How to make cloud more secure than your own Data Center, Gartner, Oct 2019

8Open File Shares are your biggest cloud security problem, Gartner, Aug 2018

9There’s a hole in 1,951 Amazon S3 Buckets, Rapid7, Mar 2013

10Cloud Adoption and Risk Report, McAfee, 2019

Watch for Shadow IT

Not only does the cloud make it quick and easy for IT to provision a corporate network, it also makes it easy for any employee on that network to provision their own cloud-based software as a service (SaaS) solutions—often without the IT team’s knowledge. “Shadow IT” is a term used to describe SaaS applications and cloud-based systems and services implemented and used without explicit approval from the corporate IT department.

Shadow IT creates numerous risks for organizations when it comes to data security and can often run counter to privacy and compliance laws. For example, some cloud-based SaaS is “free,” but the provider monetizes the service by capturing the user’s information and either selling it or using it for advertising. This particular introduction of unknown data usage via Shadow IT could put corporate data (especially in highly-regulated industries such as financial services and healthcare) in jeopardy.

Countering the use of Shadow IT requires IT departments to built their cloud networks with deep visibility that reaches all devices and assets. Seeing a list of all the various applications and services operating in their IT environment is the first step towards removing unsanctioned SaaS. Many IT teams use CASB and other automated processes to not only find but also block the installation of Shadow IT apps.