Security operations · 7 MIN READ · JEN BIELSKI · OCT 9, 2018 · TAGS: Cloud security / How to / Overview / Planning
Add up all of those selfies, food photos and iCloud backups and it’s no surprise that consumer cloud usage has increased 50% in the past five years. Companies are hot on their tail. In the past seven years, the number of organizations with at least one application or a portion of their infrastructure in the cloud has increased from 51% to 73%. Ready or not, the cloud is here.
But what does that mean for security?
What’s old is new (again)
It’s Groundhog Day! Or maybe Groundhog Decade? Cloud security today looks a lot like where “traditional” on-prem security was 10 or 15 years ago. Most people are just starting to think through how they’re going to build a security program around this new perimeter. For most, that starts with figuring out where their data is (… especially their sensitive data).
Unfortunately, we can’t just rinse and repeat what we did 15 years ago. While some things are the same, more has changed.
- User accounts are the new endpoints.
Attackers can compromise your data without coming anywhere near your network. They just need to compromise a single user account. That’s a lot less work than popping a box, moving laterally and performing reconnaissance before they steal the data. It also means your focus needs to expand from “where are my endpoints” to “what are my users doing?” Questions like “are my users logging in from places I don’t expect them to?” and “does this user have permission to access sensitive data” will uncover a lot more evildoers than looking for malware. - Those front-row seats now come with an obstructed view.
You can’t point to the box that has your “crown jewels” anymore. In fact, you’re no longer in full control of the walls that are protecting your data. That limited visibility means you’ve got to try a little harder to see the things that were once right in front of you. Speaking of control, it’s important to understand where the responsibility line is. What will your cloud vendor do vs. what do you need to care about? - You need some new plays … and probably a whole new playbook.
Coming up with a cloud security strategy is a little like playing a new game while the rules are being written. What’s OK for employees to do and thus what security needs to care about is in flux. For example, employees can upload and share a document in minutes with applications like Box, Dropbox and OneDrive. That’s convenient, but it also makes it easy for copies of your sensitive data to fly away. When it comes to the infrastructure, IT teams can “flip the switch” and spin up a new server or storage bucket. Policies to mitigate these new risks are playing catch-up and security is often left in the position of highlighting “weird stuff” that’s going on so that someone can do something about it.
Getting a grip on your cloud security strategy
It’s easy to try to push a round peg (traditional security) into a square hole (cloud security). It’s what you know and it’s routine. Plus, finding the time to focus on strategy can be hard. Understanding how to think about cloud security differently is half the battle. At Expel, we’ve thought a lot about it, and we’ve identified three key points that should inform your cloud strategy.
1. It’s part of your risk profile
It can be unsettling when you ship your data to the cloud. It’s easy to fall into the trap of assuming that just because you shipped it to a big-name vendor like Microsoft or Google that “they’ve got security covered.”
If your data lives in the cloud then it’s part of your perimeter. And if it’s part of your perimeter, then it’s another home on your plot of land to protect. That means you’ve got to include it in your risk profile. In the good old days, you could put a firewall around it and feel reasonably secure. But you can’t put a traditional firewall around cloud applications like G Suite and O365. So you’ll need a strategy to mitigate the risk.
The nice thing is that your cloud providers are responsible for things like infrastructure and networking. But in order to assess your risk, one of the key things you need to understand is where their responsibilities end and yours begin. Of course, you’re responsible for what you put in the cloud, including your applications and data. But what else? Failing to understand where that line is can create holes in your risk profile and leave the gate open for an attacker (or employee) to steal or misuse sensitive documents.
2. It requires special focus
It may be tempting to just take the logs from your cloud infrastructure and apps, send it to your SIEM and stir. Unfortunately, that won’t get you very far. Why? The data you need to look at and the questions you need to ask are different. As I mentioned above, users are the new endpoints. So…instead of looking for unusual endpoint behavior, a security analyst needs to look for unusual user behavior. And once they detect suspicious activity, they need to look for clues under rocks they haven’t turned over before – like AWS CloudTrail or O365 audit logs.
Here’s a quick example that illustrates what I’m talking about. Shortly after onboarding a customer we detected a phishing attempt in their O365 environment. The phishing email came from a legitimate user. But once we dug deeper into the audit logs we discovered the attacker had changed a mailbox rule to evade detection and then sent out hundreds of emails without anyone noticing. This discovery allowed us to develop a new rule to detect similar activity in the future. The detection, investigation and future preventive steps were all unique to the cloud (and in some cases, unique to O365). That’s what we mean by special focus.
3. Cloud security has multiple parts
When it comes to the cloud, it’s not a monolith. It’s more like triplets. There are different parts to think about. They’re all vying for your attention and you need to think about them differently. If you only focus on one – such as securing your cloud apps – you may be leaving the door to your cloud infrastructure unlocked for an attacker to walk right through.
At Expel, we break cloud security into three different parts: cloud applications like O365, cloud infrastructure (aka “servers in the sky”) and highly elastic cloud infrastructure where you’re auto scaling your servers based on load.
Breaking cloud security into three parts
| Cloud applications | Cloud infrastructure | Elastic infrastructure | |
|---|---|---|---|
| Sample applications |
|
|
|
| What they are | Software programs that are hosted in the cloud. If you log in to a website to use it, that’s a cloud app. If you install it on your own hard drive, it’s not. | A collection of servers, containers and virtual machines that are hosted by a third party. We call them “servers in the sky.” Basically, if your servers aren’t running in your own data center (or closet) you’re probably using cloud infrastructure. | An environment where you’re rapidly provisioning and de-provisioning servers and other resources based on spikes in end user demand. |
| What’s special about them | You’ve got less control and visibility over what users are doing and what data about their activity is available. | You’ve got less visibility into what’s happening and how the infrastructure might get compromised. | You need to understand how your applications behave and have visibility into what they’re doing at any point in time. |
| Detection questions to ask |
|
|
|
Each of these three approaches is so special that we’ll be publishing a separate blog post on each of them to dive into the details (so subscribe to our blog!). But for now, it’s important to note that you need to approach each of these three parts of “the cloud” differently than you treat your on-prem data and apps.
So … where do you start?
If you’re reading this and saying to yourself “that all sounds nice, but how do I get started?” you’re not alone. In fact, you’re in good company.
Here are a few ideas to help point you in the right direction:
- Inventory your cloud apps (and risk). Things like Office 365, Workday, Salesforce and ServiceNow are the obvious place to start. But chances are, there are dozens of different cloud apps in use across your company. Make a list and then rank them by risk. How bad would it be if an account were compromised or data was stolen from the app?
- Catalog all of your sensitive data (no matter where it is). With the march to the cloud all of your sensitive data probably isn’t where you think it is. So go find it … even if you’ve got to send out a search party.
- Figure out what cloud security data you’ve got. Chances are, you can use a lot of the investments you already have. So map the signals you get from your existing security tech against the risks you’ve identified. Do you have the right logs for things like user authentication? Data access? Where do those logs go and can you get alerts from them? Can you perform historical queries?
- Put some basic controls in place. If you’ve completed the previous two steps you’ll have a good grasp on what your cloud-informed risk profile looks like. And there are some basic things you can put in place even while you’re working on your broader cloud security strategy. For example, put identity management controls in place. Limit access to tasks like spinning up an S3 bucket in Amazon. Make sure that people who have admin access need it. And lock down login permissions by, for example, blocking logins from unusual IP locations.
- Implement two-factor authentication. This is a no-brainer and yet it’s amazing how many organizations don’t do it. If your cloud apps offer two-factor authentication, make it mandatory. Period.
- Invest in training. As we’ve mentioned before, learning is fundamental. The cloud is a new frontier and securing your apps and data that live there requires new skills. Get your team closer to your developers. And, if you have some, send them to a conference or a class. Allocate time and budget for them to play around with cloud-specific tech.
Finally, if you’re looking to increase understanding across your organization of the need to beef up your approach to cloud security it might be useful to run an incident response tabletop exercise. There’s nothing like running through a real-life scenario to identify gaps, improve workflows and highlight areas that need new investment that can make you better prepared for when an incident does occur. And if you’re having trouble getting people to attend, you might consider turning it into a game.
Of course, if you come to the conclusion you need someone to monitor your cloud apps and infrastructure, we’re always happy to help :-).
