Moving to a Cloud Service? Don’t Ditch Your Security Pros

Cloud services aren’t secure by default. Here’s what you need to know.

Over the holidays, a relative showed me the multiple steps required to log into his work account. Just as I was commenting about the security measures involved with the multi-factor requirements and how impressed I was, he sighed loudly. “Look at my inbox,” he said, pointing at the screen. It was filled with spam email, and nothing was filtered to his junk file.

His organization had just switched to a well-known cloud service and, in doing so, the company all but eliminated its onsite security staff. Leadership figured that with the cloud service, security was taken care of. Since the switch, there has been a considerable rise in phishing emails, which the old security team had monitored and filtered when it came through the network.

I wouldn’t be surprised if this organization is hit with a serious cyber incident in the coming year, if the situation doesn’t change.

This company isn’t an outlier. As more organizations move to public cloud providers such as Amazon Web Services (AWS) and Azure, they falsely believe that security is the responsibility of the provider. And in fairness to cloud providers, effective security is often their second or third priority behind performance and scalability. After all, performance and scalability are the reason most organizations turn to the cloud. Yet, said Franklyn Jones, CMO at Cequence, “that means when—not if—a breach occurs, organizations will still need to be staffed with skilled security talent that can effectively manage tasks like incident response and forensics investigation.”

A Risky Trend

Eliminating IT and security teams in favor of cloud services is a risky trend.

AWS, for example, has regularly been in the news because of data breaches and cyber incidents, but most of them are preventable. Yes, AWS has security settings, but users either aren’t using or don’t know how to use them.

“The default privacy setting for AWS S3 buckets is owner-only,” Mike Baker, founder and managing partner of Mosaic451, explained. “Most AWS breaches involve organizations choosing the ‘all authorized users’ setting when expanding access to their buckets, not realizing that this setting includes all authorized users of Amazon Web Services, not just their account. This means that anyone with an AWS account can access that bucket with whatever permissions are granted to that level of access; it’s a free-for-all.”
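The mistake Baker describes is visible in the bucket’s access control list: a grant whose grantee is one of AWS’s predefined global groups rather than a specific account. The following script is an added example, not code from the article or from any of the companies quoted; it checks ACLs in the shape that boto3’s `get_bucket_acl()` returns and flags grants to the global `AuthenticatedUsers` group (every AWS account holder) or `AllUsers` group (anyone at all). The bucket names and ACLs below are constructed samples so the example runs offline.

```python
"""Flag S3 bucket ACL grants that expose a bucket beyond the owning account.

Added example, not part of the original article. It inspects ACL documents in
the dict shape boto3's s3.get_bucket_acl() returns; the sample buckets at the
bottom are constructed.
"""

# Real AWS predefined-group URIs used as ACL grantees.
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

# Plain-language meaning of each global group, for the finding text.
GLOBAL_GROUPS = {
    AUTHENTICATED_USERS: "any authenticated AWS account (not just yours)",
    ALL_USERS: "anyone on the internet, no AWS account needed",
}


def risky_grants(acl):
    """Return (who, permission) pairs for every grant to a global group.

    A grant to a CanonicalUser (a specific account) or to the log-delivery
    group is not reported; only the two world-scoped groups are.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # per-account grants are fine
        uri = grantee.get("URI")
        if uri in GLOBAL_GROUPS:
            findings.append((GLOBAL_GROUPS[uri], grant.get("Permission")))
    return findings


def audit(buckets):
    """Map bucket name -> list of risky grants, for buckets that have any."""
    report = {}
    for name, acl in buckets.items():
        findings = risky_grants(acl)
        if findings:
            report[name] = findings
    return report


# Constructed sample data (IDs are placeholders, not real canonical IDs).
OWNER = {"DisplayName": "example-owner", "ID": "0000constructed0000"}
OWNER_GRANT = {
    "Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"],
                "DisplayName": OWNER["DisplayName"]},
    "Permission": "FULL_CONTROL",
}
SAMPLE_BUCKETS = {
    # Default: owner only.
    "private-bucket": {"Owner": OWNER, "Grants": [OWNER_GRANT]},
    # The misconfiguration from the article: "any authenticated AWS user".
    "shared-with-everyone": {"Owner": OWNER, "Grants": [
        OWNER_GRANT,
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "WRITE"},
    ]},
    # Fully public read, e.g. a bucket someone turned into a website.
    "public-website": {"Owner": OWNER, "Grants": [
        OWNER_GRANT,
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ]},
}

if __name__ == "__main__":
    for bucket, findings in audit(SAMPLE_BUCKETS).items():
        for who, permission in findings:
            print(f"{bucket}: {permission} granted to {who}")
```

To run this against a live account, replace `SAMPLE_BUCKETS` with the output of `boto3.client("s3").get_bucket_acl(Bucket=name)` for each bucket returned by `list_buckets()`. Note that AWS also provides S3 Block Public Access settings that override grants like these at the bucket or account level; enabling them is the stronger control, and a script like this one is the check that tells you whether someone has been relying on the ACL alone.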

Users also don’t realize what data they are exposing when they use these services, which adds still more risk.

“Many organizations find that cloud computing is easy, so easy that they start migrating all manner of data into the cloud without evaluating it and considering whether it even belongs there,” Baker added. This puts data at greater risk of being compromised, especially if you don’t have a security team to monitor data access.

Outsourcing Security

With public cloud providers such as AWS or Azure, users are responsible for running their own code on top of AWS or Azure infrastructure, explained Sonya Koptyev, director of Evangelism at Twistlock. “While the cloud provider handles certain responsibilities for configuring underlying hosts, servers or other cloud components, the users need to ensure that their code is free of known vulnerabilities and meets their own compliance standards, as well as preventing known infrastructure vulnerabilities.”

The answer to the security problem may be found in another service: managed security service providers (MSSP).

“MSSPs can make for an essential ally to enterprises because they will help advise and guide them through navigating a shifting and ever-evolving ecosystem in a time of constant change,” Koptyev said. “Depending on an individual organization’s needs, the right MSSP will understand what your unique challenges are in terms of infrastructure, software delivery needs and compliance and auditing requirements.”

Selecting the right MSSP comes down to determining the benefits offered by the vendor weighed against the risks, said Mark Sangster, chief security strategist at eSentire, who offered the following guidelines to blend MSSP and internal IT/security services:

  • Conduct security due diligence: Determine your needs, compare the benefits, conduct a risk assessment and review the MSSP’s policies and procedures to ensure they meet your standards.
  • Demark responsibility: Map and determine data control (who owns it) and processing (who stores, accesses or manipulates it), access controls, least privilege and data encryption within the network and when moving across the internet.
  • Establish duty of care: Identify which party (you or the MSSP) owns the product and service full life cycle: deployment, configuration, patching and maintenance and reporting. Never assume the MSSP is going to patch or update a system unless this service is documented.
  • Establish security event and breach notification rules of engagement: Create a hierarchy of notification depending on the severity or priority of events, define security events or breaches and identify who pays for what (investigation and cleanup) in the event of a material event.
  • Contractualize obligations: Contract minimum security standards, employee training, insurance coverage, breach notification and response.
  • Consider liability mitigation: Require SSAE 18 SOC II certification and consider insurance coverage and policies to offset the costs when something goes wrong.

“Most data breaches are preventable,” Sangster said. “When it comes to security, clients must understand the division of duty between cloud vendor and themselves. Cloud security is shared responsibility and these expectations must be clearly defined and understood.”

Sue Poremba


Sue Poremba is a freelance writer based in central Pennsylvania. She has been writing about cybersecurity and technology trends since 2008.
