Cloud Computing and Cybersecurity
Cybersecurity in cloud computing environments is a multi-layered architecture, involving best practices in user access and privileges, hardware and software security, virtualization, firewalls, and other processes used to protect data and infrastructure.
Cloud security incorporates industry and compliance policy, hardware and software platforms, best practices, techniques, procedures, and processes used to maintain the integrity of cloud data, infrastructure, applications, and systems.
The steps to secure data and infrastructure vary between organizations, ranging from filtering traffic to limiting access to authorized users. Responsibility and security efforts are divided between the cloud service provider and the tenants. Most cloud security solutions utilize processes, automate protection, and monitor and report into a security operations system.
Challenges of cloud computing and cybersecurity across all sectors
A 2019 report by Coalfire showed that 93% of organizations saw cybersecurity as a major concern. “Some areas of prime security importance mentioned by these companies were data leakage (64%), monitoring new vulnerabilities (43%), unauthorized access (42%), platform misconfiguration (40%), regulatory compliance (39%), data privacy (33%), and defending against malware (25%).”
What is the World Economic Forum doing on cybersecurity
The World Economic Forum’s Center for Cybersecurity is leading the global response to address cybersecurity challenges and improve mutual trust. The organization is an independent global platform committed to supporting international collaboration on cybersecurity in the public and private cloud offerings.
Understanding the Shared Responsibility Model with the Cloud Provider
- With Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) providers such as Amazon Web Services (AWS) or Google Cloud Platform (GCP), the cloud provider takes on more of the responsibility for security, though the client organization must still follow best practices for security. The client, not the cloud provider, also owns its data.
- When a client organization is using Software as a Service (SaaS), it must have a plan for restricting access to authorized users only. The end users still bear some responsibility for following procedures for data protection.
User Access and the Principle of Least Privilege
The principle of least privilege ensures that users in an organization only have access to the information they need to complete their tasks at hand. This is especially important as a company expands, and more people are brought in to access data either on-premise or in the cloud to get work done. The security administrator can set connection limits to make sure the right people have access to the correct dataset. For example, your accounting department probably does not need access to your codebase. Some platforms allow temporary access to users who are not long-term employees.
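A least-privilege review can be automated along the lines described above. The following is an added example, not code from the original article: the department names, datasets, users, and dates are constructed for illustration, and the `audit` helper is hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed policy (assumption): the datasets each department needs for its work.
DEPARTMENT_NEEDS = {
    "accounting": {"ledger", "invoices"},
    "engineering": {"codebase", "build-logs"},
}

@dataclass(frozen=True)
class Grant:
    user: str
    department: str
    resource: str
    expires: Optional[date] = None  # None = standing access, a date = temporary access

# Constructed sample grants, as they might be exported from an access-management system.
GRANTS = [
    Grant("alice", "accounting", "ledger"),
    Grant("alice", "accounting", "codebase"),   # accounting does not need the codebase
    Grant("bob", "engineering", "codebase"),
    Grant("carol", "engineering", "build-logs", expires=date(2024, 1, 31)),  # lapsed
    Grant("dave", "accounting", "invoices", expires=date(2024, 12, 31)),     # still valid
]

def audit(grants, needs, today):
    """Return (user, resource, reason) for every grant that breaks least privilege.

    A grant is flagged when the resource is not in the department's need-to-know
    set (unknown departments need nothing, so they are denied by default) or when
    a temporary grant is past its expiry date but still present.
    """
    findings = []
    for g in grants:
        if g.resource not in needs.get(g.department, set()):
            findings.append((g.user, g.resource, "not needed by department"))
        elif g.expires is not None and g.expires < today:
            findings.append((g.user, g.resource, "temporary access expired"))
    return findings

if __name__ == "__main__":
    for finding in audit(GRANTS, DEPARTMENT_NEEDS, date(2024, 6, 1)):
        print(finding)
```
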
The push to the Cloud
How often does the public cloud get breached?
Cloud breaches happen more often than people realize. With so many global brands moving to the cloud including Intuit, Netflix, Disney, and others, the hackers will follow the money.
Internal attacks within the public cloud
As in the enterprise security landscape, both internal and external breaches occur within the public cloud environment.
For the second time in 2020, disgruntled Amazon employees released a number of Amazon customer email addresses to third parties voluntarily.
The employees responsible for the insider breach were fired. While Amazon did directly email any customers that may have had their email addresses distributed to a third party, it isn’t clear precisely how many customers were impacted by the incident.
In November 2018, Amazon’s security division discovered that a third-party retailer known as Krasr had paid approximately $160,000 in bribes to Amazon employees. In exchange, the employees sabotaged Krasr’s competitors on Amazon’s marketplace.
Amazon identified and fired seven employees who had taken money from Krasr. They referred Krasr to the FBI, but it does not appear Krasr’s owner has been arrested or charged with any crimes. Even with public or private VPC offerings, providers face many of the same internal security attacks as the clients they serve. Insider threats impact all organizations, including financial, government, and cloud service providers.
Pen Testing – A necessity for cloud deployments?
Did the cloud deployment make things easier and less costly? Probably not. Security teams now need pen testing more than ever before. These pen tests should be ongoing. Organizations should consider developing a workstream sprint to incorporate the various methods of pen testing throughout the year instead of a once-a-quarter or annual engagement. Leveraging white, gray, or black box pen testing engagements will bring a higher level of resilience.
Pen testing should include the following:
- Validate the effectiveness of any net-new technology deployment. (White box engagement)
- Validate that the access privilege policy and its enablement are working. (Gray box engagement)
- Continuously test all active APIs and third-party interfaces. (White box engagement)
- Test all open-source libraries leveraged by the DevOps and AppSec teams. (Black box engagement)
Cloud security threats are very real. Cloud servers will continue to be under attack. Continuous pen testing and monitoring of systems will help systems stay safe.