Corporate America’s love affair with cloud computing has hit a feverish pitch. Yet ignorance persists when it comes to a momentous challenge at hand: how to go about tapping the benefits of digital transformation while also keeping cyber exposures to a minimum level.
Related: Why some CEOs have quit tweeting
That’s the upshot of FireMon’s second annual State of Hybrid Cloud Security Report of 522 IT and security professionals, some 14 percent of whom occupy C-suite positions.
Nearly 60 percent of the respondents indicated the pace of their cloud deployments have surpassed their ability to secure them in a timely manner. Notably, that’s essentially the same response FireMon got when it posed this same question in its inaugural hybrid cloud survey some 14 months ago.
That’s not a good thing, given migration to cloud-based business systems, reliance on mobile devices and onboarding of IoT systems are all on an upward sweep. “It doesn’t seem like we’ve moved the needle on security at all,” says Tim Woods, vice president of technology alliances at FireMon, the leading provider of automated network security policy management systems.
I had the chance to visit with Woods at RSAC 2020 in San Francisco recently. For a full drill down on our discussion, please give a listen to the accompanying podcast. Here’s a summary of key takeaways:
Shared burden confusion
Hybrid cloud refers to the mixing and matching of on-premise IT systems, aka private clouds, with processing power, data storage, and collaboration tools leased from public cloud services, such as Amazon Web Services, Microsoft Azure and Google Cloud. Hybrid clouds are being leveraged to refresh legacy networks, boost productivity and innovate new software services at breakneck speed, to keep pace with rivals.
Trouble is, the attendant security exposures are manifold and intertwined – and stand in the way of bringing digital transformation into full fruition. One big muddle revolves around the so-called “shared responsibility” security model, espoused by Amazon, Microsoft and Google. This is the fact that the cloud services provider is only liable for securing the underlying cloud infrastructure. Meanwhile, the burden for securing all of the interconnecting activities beyond that lies with the subscribing organizations.
FireMon’s poll showed a level of confusion persists regarding this shared burden, particularly among respondents whose organizations used one or more “as-a-Service” cloud subscriptions. Those who did not understand the model, or flat out did not know responsibility was shared, came in at 21.8 percent for Software-as-a-Service (SaaS), 20.7 percent for Platform-as-a-Service (PaaS), and 18.8 percent for Infrastructure-as-a-Service (IaaS) customers.
“Cloud services definitely can scale economically, and provide value, but at the end of the day, you’re not relieved of the need to understand exactly what your responsibility is, under those different cloud models, from a security perspective,” Woods told me. “You should know what you need to take ownership of versus what the cloud provider takes ownership of, and, by the way, it’s different for different cloud providers.”
It’s easy to see how and why this confusion has taken root. All those cool new software apps spinning out of hybrid clouds are the output of DevOps. Enterprises now develop new software by contracting far-flung independent code writers. Snippets of “microservice” coding get combined in “software containers” that circulate in “storage buckets” – virtual computing instances spun up in AWS, Microsoft Azure and Google Cloud. Yes, this all adds up to agile innovation. But it also translates into fresh software vulnerabilities getting spun up, at scale, as well.
Notably, the FireMon poll found 65.4 percent of respondents are still using manual processes to manage their hybrid cloud environments. Almost a third of respondents said that misconfigurations and human-introduced errors are the biggest threat to their hybrid cloud environment. Meanwhile, 73.5 percent of this group acknowledged they are still using manual processes to manage the security of their hybrid environments.
To understand how this state of affairs translates into material exposures, one need only read the GAO’s dissection of the 2017 Equifax breach, in which a hacking group pilfered personally identifiable information (PII) of more than 145 million individuals. The attackers got inside because Equifax failed to patch a vulnerability in an Apache Struts web server for on online dispute portal – a patch that was called for two months earlier by the US Computer Emergency Readiness Team (US-CERT.) The intruders located PII in some 48 databases and carried out a low and slow exfiltration campaign. They very methodically made 9,000 malicious database queries over 76 days. Upon manually discovering the breach, Equifax spent 60 days of investigating it, followed by a several months long cleanup period.
More recently, Capital One, which has spent billions on network defense systems, lost sensitive data for 100 million US and 6 million Canadian banking patrons – by failing to responsibly secure its process and procedures for use of AWS S3 buckets. That’s how an unemployed software engineer was able to access an S3 storage bucket, leased by Capital One, exfiltrate all of that data, and post it publicly.
Overcoming data saturation
There’s good reason to anticipate that things can get significantly better in the near term. Big steps forward are being made in leveraging machine learning and automation to more granularly analyze network traffic in hybrid cloud environments, with both performance and security in mind. It was clear walking the exhibit floors at RSAC 2020 that some amazing advances are being made to apply leading-edge data analytics techniques to securing hybrid networks.
This trend is unfolding most notably with SIEM technology; SIEMS are designed to gather event log data from all sources and generate meaningful security intelligence. Meanwhile, UEBA and SOAR technologies, which have come along to boost the horsepower of SIEMs, are advancing.
There certainly is a lot of headroom for machine learning and automation to make a difference in improving the security of hybrid cloud networks. FireMon’s survey underscores how the lack of automation and integration across disparate tools is making it harder for resource-strapped security teams to secure hybrid environments. Some 24.5 percent of respondents said that not having a “centralized or global view of information from their security tools” was their biggest challenge to managing multiple network security tools across their hybrid cloud.
For its part, FireMon is focused on helping companies improve their management of network operational and security policies and processes, Woods told me. This includes innovating technologies to automate firewall behavior testing, workflow integrations, traffic flow analyses, and rule recertifications. “There’s just so much information to deal with,” he says. “There’s event saturation, alert saturation, policy saturation, deployment saturation. And trying to bubble things up to the top, so you can focus on the most important events, is really what we’re trying to get to at the end of the day.”
It’s encouraging to see that machine learning and data-based analytics continue to make inroads in cybersecurity. As always, the burden lies with corporate leadership. It’s incumbent upon senior management to push pass any confusion and act responsibly. Those who strike a balance between speed of innovation and an acceptable level of risk to the public will endure. I’ll keep watch.
Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/shared-intel-firemon-survey-shows-security-lags-behind-fast-pace-of-hybrid-cloud-deployments/