Cloudy, with a chance of malice
Cloud adoption has increased in the past couple of years, fuelled by work-from-home, but so too has growth in cybercrime. What to do about protecting everything the cloud touches?
Lockdowns and working from home necessitated by the pandemic were an unexpected reality check for businesses across the board. In addition, they established the value and flexibility of cloud, which led to significantly accelerated adoption of cloud technologies. However, equally dramatically, they also expanded the attack surface through the slew of devices, connections and apps now joining the corporate network. And things aren’t going to change any time soon, with remote or at least hybrid work environments becoming the norm.
William Morrish, group chief revenue officer, Performanta, says beyond a multi-cloud approach, organisations are moving to a fully distributed enterprise IT architecture that will often take a mix of the hyperscale clouds (AWS, Azure, GCP) but also numerous SaaS applications (Salesforce, SAP, WorkDay and suchlike). Digital transformation is driving massive improvements in companies, allowing them to focus on their core business and outsourcing the base infrastructure and day-to-day services to more tuned providers. “However, this presents a wide security challenge as data is no longer in one place, users no longer access one set of services and there’s no longer a perimeter to the IT estate. In many ways, cloud security is the same as on-premise security, just far more distributed. The cloud is often thought of as ‘my stuff elsewhere’, however the real shift is that the enterprise has outsourced the base level infrastructure, but the same application, user or authentication and data level risks still abound, and because of the distributed nature, can be even harder to control.”
Whether on-premise or cloud, it’s important to have security that is open, automated, and simple to manage, says Conrad Steyn, CTO, Cisco Sub-Saharan Africa. “With sensitive workloads and data in the cloud, it’s critical that companies have the proper tools in place to monitor and protect this information. According to research by Cisco, 94% of cybersecurity professionals report that they’re at least moderately concerned about public cloud security, and organisations need to choose a provider that has proven cybersecurity measures to protect a company’s private data.”
Bethwel Opil, enterprise sales manager, Kaspersky in Africa, says cloud-based environments will become part of standard operating procedure in the future. “This requires a fundamental change in approach when it comes to cybersecurity. No longer confined to the relative safety of on-premise security, employees must be continually educated on what constitutes good cybersecurity hygiene. Questions to consider include what data security means, why it is important, and how they can become victims of an attack through, for example, phishing emails or illegitimate applications they install on their work device without consulting the IT department. There is plenty of cybersecurity awareness training available, but it’s important to regularly refresh the knowledge to not let it fade away over time. Companies need to build a corporate culture in which everyone, regardless of where they work, understands the importance of cybersecurity. Then, of course, organisations should have dedicated protection that covers laptops, tablets, and mobile devices inside and outside the corporate perimeter.”
The same or similar security controls can be applied for cloud and on-premise deployments, says Ignus de Villiers, group head of cybersecurity, Liquid Intelligent Technologies, but the organisation needs to clarify the distribution of roles and responsibilities between the customer and the cloud provider, as these can change depending on whether IaaS, PaaS, or SaaS is consumed. “Equally important is to know which security controls are natively included in the service or licence that the organisation has chosen and whether it mitigates all relevant cybersecurity risks that it could face.”
Opil says there’s a shared responsibility model for security in the cloud, whereby cloud providers are responsible for protecting organisational infrastructure, but when it comes to employee devices and how the data gets transferred to the cloud, that’s up to the client company. To protect the cloud properly, and to enjoy all its features fully, businesses must use specialised cloud security solutions that are quite different from traditional endpoint protection platforms. But this doesn’t mean the safety of devices can be ignored.
“Each of the clouds has its own iteration of the shared responsibility model, but they all follow a similar premise; the base level infrastructure of the clouds is the responsibility of those vendors,” says Morrish. “For instance, it’s the responsibility of Microsoft, AWS and Google to ensure that their core platforms, management platforms and control systems are not breached. But the applications, configurations and data that go onto these clouds are always the responsibility of the enterprise.”
Steyn believes that the new normal has created an added layer, which means that everyone who deals with company data is responsible for security. Training individuals in the workplace has become even more critical to protect the organisation against threats anywhere the employees access the internet.
Speaking of controlling the access of myriad users of the cloud, De Villiers says access control here should be similar to what is done on-premise, meaning that proper identity and access management, identity and access governance solutions and practices are required to ensure adequate management and visibility in this regard. In addition, appropriate security controls should support these to protect user identities and passwords by implementing multi-factor authentication (MFA), preventing the compromise of privileged users by using privileged access management, and so forth.
For Steyn, it’s important to implement a security architecture that not only satisfies the compliance and industry regulatory requirements, but also provides a sufficient amount of protection against unauthorised access, data breaches, and similar. A good system needs to cover BYOD access, secure mobility, and remote access, even though they’re not the easiest to manage and maintain.
Companies also need to ensure the safety and privacy of critical enterprise data in the cloud without disrupting operations. They can do this by following the same best practices that exist for data anywhere within the IT estate, says Morrish. “The enterprise needs to know what data they have, what it’s used for, who has access to it, why, and where it moves – all of this needs to be mapped, monitored and controlled. Combining this approach with a robust identity and access policy provides a good base level of safety around the data.”
Organisations need to define their critical data and then implement security controls to discover such information on-premises and in the cloud. They then need to categorise and protect it using suitable protection mechanisms such as encryption, digital rights management, and suchlike, says De Villiers. “Another essential factor that organisations need to remember is to detect data leakage, using solutions such as data leakage prevention. In addition, using a cloud access security broker (CASB) can facilitate similar protection in the cloud, as it identifies and blocks the use of shadow IT. Also, evolving initiatives like confidential computing prevent third parties like cloud providers from accessing or reading the data they host.”
The newest technology or approach is extended detection and response, which combines endpoint detection and response with network traffic analysis, security information and event management, and security orchestration, automation, and response, adds Opil. This centralising of security data gives users greater visibility across their endpoints and network, which, in turn, ensures a more comprehensive detection of threats. Security teams should also be looking at zero trust platforms, which take the approach that no user should be trusted by default, with identity and device authentication occurring throughout one’s network.
Because more than 70% of all data breaches start with web apps, it’s right to be concerned about them; any part of the IT estate that links public access to private assets is a primary (and all too often easy) target for attacks, says Morrish.
Organisations should follow several basic precautions, such as providing a VPN for all staff to connect securely to the corporate network, ideally to tunnel all the network traffic, and ensuring all corporate devices, including mobiles and laptops, are protected with appropriate security software, says Opil. They must ensure all apps and operating systems are updated, and restrict access rights of people connecting to the corporate network based on the need-to-know and least-privilege principles. Finally, remind employees about basic cybersecurity rules. These include not following links in emails from strangers or unknown sources, using strong passwords, and so on. Organisations must also ensure that staff are aware of the dangers of responding to unsolicited messages, and must agree on rules of work, for example whether all questions are asked in protected chats and conference calls are made via secured channels.
Additionally, from an application development perspective, Opil says companies must adopt a stance of ‘security by design’. This entails incorporating cybersecurity into every aspect of an application’s development process. If a business is to avoid its web apps being used as vectors for attacks, it must put security at the forefront of the development process.
Speaking of defending against network security threats in the cloud, Steyn says it’s all about hardened network protection. “Without proper security protocols, your business data is at risk. A combination of using a strong password system and password-less authentication can complement each other, to ensure protection. From a security standpoint, passwords are easy to steal and use maliciously at scale so it’s best to have a complex password and use biometrics, because compromised credentials are the leading cause of breaches. Keep systems protected by standardising software and continuing to update it, as in most cases the new update includes fixes for security vulnerabilities. Sometimes external threats are successful because of an insider threat. The weakest link in data protection can be your own employees, so ensure that users cannot install software onto the system without approval. Also, ensure employees understand network security, so that they identify threats, and know what to do and who to contact to avoid a security breach.”
Opil says although on-premise servers and workstations are reliably protected, the personal laptops, smartphones, and tablets of employees do not always fall within the remit of the IT security department. “Instead, it’s assumed that owners are responsible for the security of their personal devices, which is a potentially dangerous approach; it assumes that employees have the know-how and resources to secure their personal devices and home networks. It’s not enough to simply allow employees to use their own devices and think the organisation now has a BYOD policy, because by allowing the use of personal phones or laptops to store and use work-related information, the organisation must also accept certain risks.”
For Morrish, nearly all threats, besides physical attacks, use the network, so it’s more about how businesses can protect the network, detect malicious activity and respond correctly. Protecting the network is usually done with firewalls, but the move to zero trust and micro-segmentation is starting to augment this, as it provides an incredibly granular approach to connectivity between servers and clients, ensuring that what is moved, how it’s connected and why it’s connected are all joined up.
When it comes to network threats and vulnerabilities in the cloud, De Villiers says the approach to securing these is similar to securing the network on-premise. Integral to ensuring cybersecurity threat visibility is having a suitable security information and event management or security orchestration, automation, and response solution. This is where secure access service edge (SASE) comes in, as it provides secure access to the organisation's private network services and does the same for access to cloud services and applications. SASE typically resides in the cloud, which makes it accessible from anywhere and on almost any device. “Important, though, is that numerous security controls are enabled via SASE, including those that were historically part of an organisation's private network perimeter. These security controls enable secure access in the form of a secure VPN, allowing for integrated authentication, including MFA, zero trust access control, web content filtering, malware protection, DLP, CASB, and suchlike. An ideal solution for providing security when not working at the office is to move the security perimeter near the end-user using SASE.”
Zero trust is at the core of the SASE framework, says Opil. Transitioning from traditional perimeter security to ensuring a protect surface under the zero trust framework, albeit assuming the use of available technology, may still be a less-than-simple or quick project. However, it will ensure that the company benefits from lower infosec expenses as well as a reduced number of incidents and their associated damage. The zero trust concept is becoming the core of new services, ensuring connectivity between valuable corporate resources and users, regardless of their location. New cloud technology is following the long path from the adaptation and rethinking of use cases to practically becoming corporate standards. Zero trust is a vivid example of this kind of transition. We will soon witness the emergence of enterprise cloud systems that offer significantly shortened implementation times and retain the required levels of security and usability.
But is SASE a silver bullet? According to Steyn, as the workforce is increasingly hybrid, traditional network and security frameworks can no longer keep pace with this new way of doing business, and there has never been a more critical time to deliver something radically different. Every customer is unique and needs flexibility when determining how a SASE architecture fits into their environment, and when it comes to transformation, there is no one-size-fits-all approach. Moving to a SASE framework is no different.
Morrish ends with a caveat: A SASE approach makes sense, although one of the challenges faced by this emerging technology is that it requires an ‘all in’ approach to one vendor, which may not suit all, particularly when they have other security investments.