Page 66 - Security Today, July/August 2020

Combating Security Risks
Various defenses needed to ensure risks, mitigations are under control
By Cliff Krahenbill
Cloud security is an increasing concern as more organizations transition to use public cloud providers in either a hybrid or cloud-native model. The initial step in any information technology security process where new technology is being implemented is to understand the risks that an organization is incurring.
Consider this information as you explore some of the types of risks associated with the inclusion of a cloud provider service (CPS) as part of a company’s infrastructure.
The following areas are considered among the highest risks associated with cloud computing (Cloud Security Alliance, 2020): data breaches; misconfiguration; lack of cloud security architecture; insufficient identity and access management; and insider threat.
The world is experiencing the widespread impact of the COVID-19 pandemic. This pandemic is causing disruptions and forcing changes upon businesses and individuals. Thus, changes of this magnitude deserve a re-assessment of an organization’s cybersecurity priorities and approaches.
Data breaches. These have often been high-visibility events reported in the news and causing substantial reputational harm. Beyond major data breaches, even low levels of data leakage can cause severe harm to an organization. This can start with reputational and brand injury; however, it can include loss of intellectual property or legal and regulatory liabilities.
When referring to the cloud, the key issue is whether appropriate controls are in place. Controls should include robust auditing and reporting tools that can be implemented within the cloud platform. Auditing is important to help identify a breach or potential breach early on, which can dramatically mitigate the harm. This area can be a key deficiency in public cloud platforms where an organization may be relying on the provider to implement appropriate tools, and the organization’s existing toolset cannot operate within the cloud. At a minimum, a deep understanding of the environment and tools will need to be developed and incorporated into an organization’s cloud adoption process.
Another important mitigating technology is encryption and its associated key management service (U.S. NSC, 2020). The use of encryption, along with secure key management processes, can provide an additional layer of protection from a data breach event.
Misconfiguration. This is one of the most common security issues in public cloud environments (U.S. NSC, 2020). Security misconfigurations often lead to data breaches.
There are a few significant reasons why this risk is so prevalent. For one, the cloud platform is new for many organizations. They may lack the immediate knowledge and skills to implement configurations that approximate those in their existing environment. Secondly, their existing practices may not be appropriate for the cloud. A third reason is that the cloud is more dynamic than existing on-premises services. The configuration options and implementation can change, requiring more due diligence.
One powerful tool that can be leveraged to increase configuration consistency is automation. Using provisioning and configuration scripts can reduce the opportunity for misconfiguration and improve the rate of implementation and quality checks. Using automation allows additional review and auditing to reduce errors and improve security. A least-privilege practice is recommended as a baseline.
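As an added illustration of the review step that automation makes possible (this example is not part of the original article), the following check runs over a declarative configuration before it is provisioned and reports public storage, missing encryption, missing audit logging and wildcard grants. The schema and every resource name in it are hypothetical and provider-neutral, and the sample input is constructed.

```python
import sys

# Hypothetical, provider-neutral schema; constructed sample input.
SAMPLE = {
    "resources": [
        {"name": "hr-archive", "type": "storage", "public": True,
         "encrypted": False, "audit_log": True,
         "grants": [{"principal": "app-backup", "actions": ["read"]}]},
        {"name": "billing-db", "type": "database",
         "grants": [{"principal": "dev-team", "actions": ["*"]}]},
        {"name": "logs", "type": "storage", "public": False,
         "encrypted": True, "audit_log": True,
         "grants": [{"principal": "siem", "actions": ["read"]}]},
    ]
}

def review(config):
    """Return a sorted list of (resource_name, finding) tuples."""
    findings = []
    for res in config.get("resources", []):
        name = res.get("name", "<unnamed>")
        if res.get("type") == "storage":
            if res.get("public", False):
                findings.append((name, "publicly readable"))
            # Secure default: a missing encrypted/audit_log key is a finding.
            if not res.get("encrypted", False):
                findings.append((name, "encryption at rest disabled"))
            if not res.get("audit_log", False):
                findings.append((name, "audit logging disabled"))
        # Least-privilege baseline: no wildcard actions or principals.
        for grant in res.get("grants", []):
            principal = grant.get("principal")
            if "*" in grant.get("actions", []):
                findings.append((name, f"wildcard actions for {principal}"))
            if principal == "*":
                findings.append((name, "grant to any principal"))
    return sorted(findings)

if __name__ == "__main__":
    results = review(SAMPLE)
    for name, finding in results:
        print(f"FAIL {name}: {finding}")
    # A non-zero exit status lets a provisioning pipeline stop on findings.
    sys.exit(1 if results else 0)
```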
Organizations often seem to stumble into the cloud without a defined and deliberate approach that provides an opportunity to address the foundations. There are many reasons for this, including time constraints or lack of technical understanding. Organizations that engage in “lift and shift” migrations, attempting to apply their existing security practice haphazardly, often encounter difficulties (Cloud Security Alliance, 2020).
Cloud security concerns can be addressed by reviewing organizational security policies as they relate to cloud technology. The policies and principles of the organization should be durable, with the implementation being dependent on what the cloud platform provides. Items such as defense-in-depth or managing privileged accounts are entirely valid; however, they should be mapped to the specific cloud provider capabilities.
Identity and access management requires a specific focus in cloud implementations. The first is addressing risks that occur with a large public-facing front door. In hybrid cloud implementations, identity federation infrastructure can be introduced. This is yet another security technology that needs to be reviewed, implemented and monitored. This requires new maintenance operating procedures and role identification. Cloud services may introduce new high-privileged accounts that need to be managed, such as a “subscription manager.” Password complexity needs to be defined, as well.
If an organization is using role-based access, what new roles are required? How will these new roles be managed? In the past, role-based access had a significant impact on security because of misconfiguration issues. A credential compromised in the cloud could result in the exposure of information inside the organization’s existing perimeter.
Risks of compromised identities can be reduced by using multifactor identity solutions. Password policies, where applicable, should follow the existing internal standards. Federation and identity solutions should avoid storing or transmitting passwords that are not securely hashed or secured in another manner. Separation of duties can be a significant defensive approach, too. Application developers should not implement their own credential stores, which could introduce new ways for credentials to be compromised.
