Noam Rotem and Ran Locar, self-described security researchers and hacktivists, recently uncovered and exposed a 24 GB database that contained information pertaining to 80 million U.S. households – more than 62% of U.S. residences.
The discovery brought to light weaknesses and data leaks in numerous files and systems stored in the cloud, exposing a mass of personal, high-value data on the internet. This breach – yet another one – is scary business and should have organizations wondering how secure their cloud-based data really is. (See our previous blogs, Researchers find 7 percent of all Amazon S3 servers exposed, and You may not know much about the companies exposing your personal information, but they know a lot about you.)
According to Forbes*, 70% of all software, services, and technology spending is geared towards the cloud. The market continues to see growth, especially with large enterprise organizations. Sid Nag, research vice president at Gartner, stated “We know of no vendor or service provider today whose business model offerings and revenue growth are not influenced by the increasing adoption of cloud-first strategies in organizations.”
Is Your Data Secure in the Cloud?
Unfortunately, as cloud computing delivers on its value, organizations making the transition often fail to properly evaluate the risks and refine their approach to securing applications or storing data in the cloud. Many organizations look to the service providers for the practical means to secure their cloud-based data, workloads, and applications. Amazon, Microsoft, Rackspace, Google, and other cloud service providers (CSPs) offer companies a range of security tools and methods, but they only deliver a portion of the needed security.
CSPs have adopted a “shared responsibility model” that does not address the pains organizations face. Instead, each organization deploying to the cloud is ultimately left responsible for managing the new challenges of securing its cloud environment, along with any data, assets, workloads, or services it uses. Given the increased dependence on running services in the cloud, a well-defined and executed security strategy is something organizations must gain more control over. Even though organizations are legally responsible for securing their data in the cloud, as well as for any data breaches, that doesn’t mean they know how to properly secure that data.
Problems to Consider
Looking through the lenses of traditional security may not be the best approach to securing assets in the cloud.
- Some traditional security tools may not be capable of handling the complexities of the integrated technologies that comprise a cloud deployment, where applications are not bound to any hardware and can therefore move without notice. One moment your applications are running in US-East and a nanosecond later they could be based in the US-West region. In this case, there is no notion of a network perimeter, so network-based, edge, or perimeter security developed to run within the bounds of a data center is substantially less effective when merely moved to cloud environments. Security teams must learn to secure data and applications in the cloud without the luxury of the traditional hardware-based perimeter solutions they have come to know very well.
- The complexity and nature of data attacks can differ and significantly challenge traditional expertise and controls. For instance, cloud providers house assets for multiple customers. This multitenancy business model puts organizations at risk because system services are shared. An attack targeting information owned by one company puts another tenant’s data at increased risk. Protecting against data breaches caused by multitenancy has often been out of the scope of traditional IT and SecOps teams, as is evident from threats like Spectre, Meltdown and Foreshadow, which demonstrate how real the problem is.
- Insider threat protection also takes on a new meaning. Organizations must now prevent unwanted access to information or running workloads by employees of service providers operating outside of the tenant’s physical control.
There are many other risks and concerns we could touch upon, but the point is that executing adequate security in the cloud is often marred by a lack of insight into new types of risks in the cloud, limited visibility into how vulnerable cloud systems are, and confusion around the security measures used by cloud providers.
Approach Cloud Security Differently with These 7 Steps
Cloud transformation may require a new take on security.
- With cloud vendors, SecOps and risk teams must do a thorough analysis of the cloud environments you will be using. Be aware of the technology that defines the cloud environment and its use, and understand where vulnerabilities exist (e.g., password protection system, decryption, key management, multitenancy).
- Obtain regular monitoring reports from the cloud vendor for review to determine if the vendor’s security protocols are being held to the business’s standards.
- Use nimble technologies intrinsically designed to secure information and flexible workloads in the cloud, and especially process-based solutions and those critical to memory protection, application control, and system integrity assurance. These areas represent the most prominent gaps for most organizations.
- Ensure military-grade encryption of information both in transit and in storage. Use a cloud provider known to keep your data safe and consistently accessible. You may reduce risk even further by storing and managing your own encryption keys, instead of relying upon a third party.
- Monitor and track application file systems and processes running in the hosted server environment in real time. There’s a possibility that their apps/tools might be compromised or hacked, allowing an intruder to read your files either before encryption for uploading or after being downloaded and decrypted.
- Conduct thorough testing and make sure that no one can intercept your data as it moves from point to point in the cloud — between cloud environments and across the enterprise. Make sure that no data leaks (malicious or otherwise) from any storage in the cloud.
- Employ solutions that automatically and preemptively patch servers or hosted applications against vulnerability exploits, ensuring a degree of coverage against CVEs and zero-day exploits until patches are available and installed, and without negatively affecting applications not upgraded on time.
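As an added example (not from the original post), the storage-leak check in the steps above can be automated by flagging buckets whose policy or ACL grants access to anyone. It assumes Amazon S3 policy and ACL documents that have already been fetched and parsed; the bucket names and sample documents are constructed.

```python
# S3 ACL group URIs meaning "everyone" and "any authenticated AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard_principal(principal):
    # Matches "Principal": "*" and "Principal": {"AWS": "*"} (or a list with "*").
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_bucket(policy, acl):
    """Return (status, reasons); policy is a parsed policy dict or None."""
    open_sids, conditional_sids = [], []
    for stmt in _as_list((policy or {}).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        # A Condition may narrow access (source IP, VPC endpoint) but can also
        # be broad, so the statement is queued for review rather than cleared.
        (conditional_sids if stmt.get("Condition") else open_sids).append(
            stmt.get("Sid", "(no Sid)"))
    grants = [g["Permission"] for g in acl.get("Grants", [])
              if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS]
    status = "public" if open_sids or grants else "review" if conditional_sids else "private"
    return status, {"open": open_sids, "conditional": conditional_sids, "acl": grants}

# Constructed inventory: bucket names, policies and ACLs are made up and trimmed.
SAMPLE = {
    "marketing-exports": ({"Statement": [{"Sid": "PublicRead", "Effect": "Allow",
        "Principal": "*", "Action": "s3:GetObject"}]}, {"Grants": []}),
    "office-share": ({"Statement": [{"Sid": "OfficeOnly", "Effect": "Allow",
        "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]}, {"Grants": []}),
    "legacy-logs": (None, {"Grants": [{"Permission": "READ", "Grantee": {
        "Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}}]}),
    "payroll": ({"Statement": {"Effect": "Allow", "Action": "s3:GetObject",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"}}}, {"Grants": []}),
}

def audit_all(inventory=SAMPLE):
    return {name: audit_bucket(policy, acl) for name, (policy, acl) in inventory.items()}

if __name__ == "__main__":
    for name, (status, reasons) in audit_all().items():
        print(f"{name:18} {status:8} {reasons}")
```

A "review" result means a wildcard principal is limited only by a condition, which still needs a human to confirm the condition is as narrow as intended.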
When considering the cloud, you have to rethink your security approach. Conventional on-premises security is designed for just that – applications and data that remain onsite in data centers. Execute the proper strategy to protect cloud-based assets and don’t be caught off guard with data and applications left exposed to bad actors.
For more information on securing data and workloads in the cloud, see our blog, “Gartner Market Guide Calls Memory Protection a ‘Mandatory Capability.’”