The Infosec CIA triad of Confidentiality, Integrity, and Availability are just as applicable today as they were many years ago.
In recent years, confidentiality has gone out the window as celebrities’ personal photos from their own devices are leaked with reckless abandon; ransomware, or IoT-powered DDoS attacks render information and websites unavailable; and fake ads, news, or trending topics leave you questioning whether anything online has any ounce of integrity.
The trifecta effect of bring your own device (BYOD), cloud adoption, and the Internet of Things have forced security teams and security vendors to re-think and re-architect how security is implemented.
Out of these three, cloud has perhaps had the biggest impact owing purely to its scale. Whether you’re using Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), or new cloud applications (Software-as-a-Service, SaaS), the benefits that cloud, in all its guises, brings to both providers and consumers are immense.
From a usability perspective, it's omni-present, scales rapidly, and on the whole rather reliable. It’s also really convenient, as you get your cloud resources or fully functional cloud application within minutes of providing your credit card details. Most cloud providers also do a decent job of creating secure environments for hardware, the network, computing, and storage.
It is because of these traits that the cloud has become an attractive proposition for many companies - taking away a lot of the burden and overhead that comes with managing your own infrastructure.
However, with this convenience comes some operational challenges. Without adequate data governance or records management, it becomes easy to treat the cloud as a digital dumping ground. With its seemingly limitless capacity, it becomes more convenient for companies to simply dump all information into the cloud rather than parse out what is needed or not.
This creates a unique challenge: where it is easier to collect data at scale than it has ever been before. Storage is cheap, and performance is largely unaffected by bottlenecks. Furthermore, Big Data analytics has reached the point where it can chew through terabytes of data like a hot knife through butter.
While easy to spin these services up, many often put all their faith into the cloud provider to provide all the security. However, while providers will typically secure the platform, it’s often left to the consumer to ensure administrative security controls (at least) are set. This is what AWS and Microsoft refer to as the ‘Shared Responsibility Model’.
The combination of these factors has created a perfect storm of potential problems. A simple setting misconfiguration on the database in the past may have meant access permissions were set incorrectly within a department and today, it can expose millions of sensitive records in the form of an insecure AWS S3 bucket.
If a criminal obtains administrative credentials, they would have to navigate through internal security controls, but in the cloud, correct credentials can open up access to the entire company's infrastructure. These mass exposures aren't necessarily due to any underlying fault by the cloud service provider. It often comes down to lack of awareness, or errors, by the user compounded by ease of use and the volume of data.
My friend Adrian Sanabria succinctly summed up the issue with the statement that companies need to move away from the mindset of: "Secure because it’s Amazon."
As the shared responsibility model that most cloud providers have adopted indicates, there is a lot of responsibility for data security that lies with the customer, and rightly so. The truth is that no cloud provider will understand or care for your data as much as you will.
While cloud may be a relatively new concept for most enterprises, the security fundamentals will remain the same. In this case, a mixture of people, process, and technologies will be needed to uphold the principles of CIA.
To help prevent you from becoming the next cloud breach headline, it’s useful to bear in mind the following points:
- Finding appropriately skilled people can be challenging, so it's one of the first areas you should look to before embarking on a cloud strategy. Without the right skills available either internally, or outsourced, the strategy will likely fail.
- Processes for handling cloud environments will also change. This includes understanding how to raise issues with the provider, securing credentials, and managing outages.
- Legacy security technologies will often not operate within or extend to cloud environments; but that's not to say the equivalent capabilities don't exist. Cloud vulnerability assessment, IDS, behavioral monitoring, log management, and SIEM all exist and should be taken advantage of so that the risk of exposure can be minimized. It’s better to invest in technology that can cover both on-premises and cloud environments.
- Setting policies with your employees is critical, as is the ability to monitor who is provisioning cloud services outside of normal business practices. They don’t call it ‘shadow IT’ for nothing, and lack of awareness of what they are doing can lead to additional risks to your organization.
- Assurance is your friend. Once a cloud environment has been setup and running, obtain independent assurance that it is working and secured as designed. Technical and procedural testing should be used.