Johannesburg, 20 Nov 2020
It seems it may be a good time to be a cyber criminal, since as far as these bad guys are concerned, the cloud has essentially brought their targets one step closer. After all, it offers them the potential to search for – and target – a larger and more dispersed attack surface area over the Internet.
The reason for this is that while organisations are typically aware of physical security measures, such as requiring a firewall, endpoint and server security on-premises or in the corporate data centre, there remains less clarity for them in respect of cloud security.
In the transition to the cloud, says Pieter Nel, Sophos regional head for SADC, enterprises need to ensure configurations are secured in a way that prevents discovery by attackers, while at the same time being aware that the management plane itself is now accessible from anywhere.
“The cyber criminal focus on the cloud becomes even more notable as businesses introduce new cloud platform as a service (PaaS) offerings, such as shared storage, containers, database services and serverless functions. These are services that must be securely configured, as they cannot typically have a security agent running on them,” he says.
“Moreover, attackers are implementing increasingly sophisticated attacks, such as automating searches to exploit vulnerabilities in virtual machines. They then use this entry method to exploit cloud provider metadata services on the machine, in order to access temporary identity and access management (IAM) credentials to footprint the customer environment.”
From there, continues Nel, they search for the IAM permission template for a particular role, apply it and switch to said role. This gives them access to central storage, among other things in the environment, allowing them to exfiltrate data.
“Despite this, it must be noted that the idea that public clouds are less secure than hybrid or private clouds is false. The issue lies in a lack of understanding around what the customer is responsible for in terms of security. Cloud providers operate a shared security model, and this means the customer is responsible for securing anything they run or store in the cloud.”
“Many customers fail to fully understand their responsibilities with regard to securing cloud environments. The fact is that despite a lot of security being provided by the platform, the ultimate responsibility for using these services correctly and securely belongs to the customer.”
It must be added, he continues, that merely enabling something doesn't necessarily make it secure. To properly secure a cloud environment, the customer needs a good design and a clear use case so they can wield the platform tools effectively and extend them with third-party services where needed.
“Or, to put it another way, you need to design a persistent and detailed security posture that covers all the public cloud platform services and deployments you wish to use. For that, you need cloud skills in your team, although not all organisations recognise this fact in the early days of a migration.
“The reason such skills are vital is that during that first phase of cloud migration, you are likely going to build that infrastructure manually in the cloud provider console. However, this infrastructure can be difficult to replicate exactly, and these slight variations in configuration end up creating weak deployment velocity, bugs and security issues,” says Nel.
This issue is usually compounded as more developers are added, with each requiring their own environment. In the end, the enterprise may end up with development, test and production environments that are all quite different from one another. This leads to application bugs when each team merges its changes to the live system. It also creates a nightmare for security and operations teams, who need to fix security and reliability issues across similar, yet different, environments.
“Perhaps the best approach is to empower developers and DevOps teams to work in a much more secure way, by integrating with existing tools and processes. In this way, they are using tools they are already familiar with in their build pipeline for creating new infrastructure. Moreover, when it comes to the deployment of infrastructure templates to the company’s cloud environments, this is only granted if security and compliance assessments – carried out by dedicated cloud security management tools – are passed.”
“In the end, if you wish to outsmart the increasingly ingenious methods being exploited by today’s advanced cyber criminals, your cloud transition must be managed carefully. Ensuring your organisation avoids building infrastructure containing misconfigurations that could be exploited by an attacker is a critical early step,” he concludes.
Share