Cloud security: What every tech leader needs to know

Enterprises that move to the cloud enjoy clear benefits – namely redundancy, cost savings and easy integrations – but the challenges and security risks that come with hosting applications in the cloud are numerous as well. Among CTOs and CISOs there is unease with the lack of visibility, worry about the potential for data exfiltration by internal or external threat actors, and concern about compliance. The issues don’t end there. We also find that rather than truly integrating security and compliance in the cloud, security often remains an afterthought, with organisations bolting on traditional on-premises security controls in a piecemeal fashion. Companies need a more proactive and comprehensive approach in order to achieve the right levels of control implementation, coverage and maturity across all areas critical to effective cloud security.

This is the first in a series of articles setting forth our views on how enterprises can more effectively protect information in the cloud. The following best practices and insights are informed by our experience protecting Fortune 100 enterprises from data breaches and should be top of mind as companies seek to enhance their information security posture in the cloud:

Deploy and validate data loss prevention capabilities

One of the most important considerations for companies moving to the cloud is the deployment and validation of data loss prevention (DLP) capabilities. For any Software-as-a-Service (SaaS) solution – including Office 365, Amazon Web Services, Salesforce or Workday – one of the first steps toward effective DLP is establishing data labelling practices. Ineffective data labelling makes protection against exfiltration almost impossible, because DLP solutions rely on regular expressions, or pattern-based searches, to identify and protect against data loss. We advise companies to treat unlabelled documents with the utmost sensitivity and block them from leaving the enterprise by creating stringent DLP policies. This can be achieved via automatic quarantine of files that violate these policies.
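The policy just described, written out as a small DLP decision function: unlabelled documents are quarantined outright, labelled documents are run through pattern-based detectors, and anything that matches is quarantined. This is an added illustration, not code from the article or from any DLP product; the detector patterns, label names and the sample batch are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Pattern-based detectors of the kind the article describes. These regular
# expressions are illustrative and deliberately simple; a production DLP
# engine would use validated patterns (e.g. Luhn-checked card numbers).
DETECTORS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}

# Classification labels a document may carry (assumed taxonomy). A missing
# or unrecognised label is treated as "unlabelled".
KNOWN_LABELS = {"public", "internal", "confidential", "restricted"}
NEVER_LEAVES = {"confidential", "restricted"}


@dataclass
class Document:
    name: str
    content: str
    label: Optional[str] = None  # None models a document nobody labelled


@dataclass
class Verdict:
    action: str                         # "allow" or "quarantine"
    reasons: List[str] = field(default_factory=list)


def evaluate(doc: Document) -> Verdict:
    """Decide whether an outbound document may leave the enterprise.

    Policy (assumed for this example, following the article's advice):
      * unlabelled or unknown-label documents are quarantined outright;
      * 'confidential' and 'restricted' documents never leave;
      * 'public' and 'internal' documents are scanned and quarantined
        if any detector fires.
    """
    if doc.label is None or doc.label not in KNOWN_LABELS:
        return Verdict("quarantine", ["unlabelled document"])
    if doc.label in NEVER_LEAVES:
        return Verdict("quarantine", [f"label {doc.label!r} never leaves"])
    reasons = []
    for name, pattern in DETECTORS.items():
        hits = pattern.findall(doc.content)
        if hits:
            reasons.append(f"{name}: {len(hits)} match(es)")
    return Verdict("quarantine" if reasons else "allow", reasons)


def quarantined_names(docs: List[Document]) -> List[str]:
    """Names of the documents in a batch that must not leave."""
    return [d.name for d in docs if evaluate(d).action == "quarantine"]


if __name__ == "__main__":
    # Constructed sample batch.
    batch = [
        Document("memo.txt", "Team lunch is on Friday.", "internal"),
        Document("export.csv", "Contact: 123-45-6789", None),
        Document("cards.txt", "Card 4111 1111 1111 1111 on file", "public"),
    ]
    for d in batch:
        print(d.name, evaluate(d))
```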

Organisations that maintain sensitive data need to evaluate host-based sensitive data discovery solutions and/or network-based DLP provided by cloud access security broker (CASB) solutions. CASBs provide the ability to inspect all client-to-server traffic in cloud environments to reveal threats or malicious files hidden in Transport Layer Security (TLS) encrypted communications. CASBs also enable system admins to detect unauthorised network calls made from the cloud to malicious command and control (C2) servers. The auditing capability provided by CASB tools can be easily integrated with on-premises enterprise layered defences. This integration provides a single pane view of the entire enterprise threat protection capability.

Large global companies need to effectively protect sensitive data from exfiltration but may lack a complete understanding of the footprint of their various cloud solutions. This makes it all but impossible to achieve the DLP coverage necessary to fully protect the enterprise. Companies can achieve greater visibility into their cloud footprint through effective identity and access management practices such as single sign-on and granular authorisation. These controls help companies ensure that sensitive traffic traversing their various cloud solutions is inspected by CASB proxies. 

Recent security breaches have underlined the risks associated with failure to enforce granular authorisation for access to files containing sensitive information. It is critical that companies effectively restrict access to members of authorised groups. When organisations implement security policies, system administrators also need to take into consideration enforcement of CRUD (“Create, Read, Update and Delete”) and download capabilities for each group within the organisation. Along with this, conditional access must be enforced for contingent staff to ensure access is restricted to devices approved by the organisation.
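A worked version of the two controls in this paragraph: per-group CRUD and download rights, plus a conditional-access check that confines contingent staff to approved devices and fails closed before any group right is considered. This is an added example, not code from the article or from any IAM product; the group names, capability sets and device identifiers are constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Set

OPERATIONS = {"create", "read", "update", "delete", "download"}

# Per-group capabilities (assumed policy). "download" is tracked separately
# from "read": being able to view a file in the browser need not imply being
# able to pull a copy out of the environment.
GROUP_CAPABILITIES = {
    "finance":    frozenset({"create", "read", "update", "delete", "download"}),
    "auditors":   frozenset({"read"}),
    "contingent": frozenset({"read", "update"}),
}

# Groups subject to conditional access: members may only operate from
# devices the organisation has approved.
CONDITIONAL_ACCESS_GROUPS = {"contingent"}


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    operation: str
    device_id: str


@dataclass
class Decision:
    allowed: bool
    reason: str


def authorize(req: Request, approved_devices: Set[str]) -> Decision:
    """Evaluate one file operation against group rights and conditional access."""
    if req.operation not in OPERATIONS:
        return Decision(False, f"unknown operation {req.operation!r}")
    # Conditional access is evaluated first: an unapproved device is refused
    # regardless of what the user's groups would otherwise permit.
    if req.groups & CONDITIONAL_ACCESS_GROUPS and req.device_id not in approved_devices:
        return Decision(False, "contingent staff must use an approved device")
    # Rights are the union across the user's groups; unknown groups grant nothing.
    granted = set()
    for group in req.groups:
        granted |= GROUP_CAPABILITIES.get(group, frozenset())
    if req.operation in granted:
        return Decision(True, f"{req.operation} granted via {sorted(req.groups)}")
    return Decision(False, f"{req.operation} not granted to {sorted(req.groups)}")


if __name__ == "__main__":
    approved = {"laptop-1"}  # constructed device inventory
    for r in (
        Request("alice", frozenset({"finance"}), "download", "laptop-9"),
        Request("bob", frozenset({"contingent"}), "read", "byod-3"),
        Request("bob", frozenset({"contingent"}), "download", "laptop-1"),
        Request("carol", frozenset({"auditors"}), "delete", "laptop-1"),
    ):
        print(r.user, r.operation, authorize(r, approved))
```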

Mature identity and access management controls

Identity and access management (IAM) capabilities are integral to attaining a mature information security posture in the cloud. As a starting point, companies should be thinking about single sign-on (SSO), access request and certification for corporate and employee-owned devices, and privileged access management.

A cornerstone principle of effective IAM programs is that security can be achieved and maintained most effectively through centralisation. SSO, a mechanism for unifying user authentication across diverse platforms, is one such example of this concept, providing a single pane view into who is authenticating to corporate servers while facilitating more efficient and effective employee onboarding and offboarding. Additionally, SSO provides a foundation for more stringent authentication through enforcement of multi-factor authentication (MFA).

In the same vein, companies should also be thinking about an initiative to centralise management of applications from an IAM perspective (e.g. access request and certification and periodic user access reviews). Based on our experiences, such initiatives can advance overall IAM maturity and ensure proper enforcement of security policies for applications and users.

We also view privileged access management (PAM) as core to an effective IAM posture. PAM helps organisations restrict and monitor the use of privileged accounts in the cloud, including service accounts, to reduce the risk of privileged credentials being misused by an adversary. We have seen incidents where the privileged credentials of Fortune 100 companies were compromised and misused to plant remote shells throughout the network. These attacks could have been prevented by enforcing more granular IAM policies.

Protect data at-rest and in-transit with strong end-to-end encryption

When devising a cloud security strategy, companies need to determine how to secure data-at-rest and in-transit with strong end-to-end encryption.

The most critical aspect of securing data-at-rest in the cloud is the protection of secret keys issued by cloud service providers. Many companies fail to handle these keys securely. Even at the largest companies, we still see the inadvertent exposure of public keys through entry of the keys’ web addresses into an Internet browser. This common misstep may lead not only to the leakage of the cloud platform’s credentials and configuration, but also to a complete takeover of the cloud instance.

For data-in-transit, most companies are already aware of the benefits of sending data over encrypted channels such as TLS. However, it is important to note that when handling sensitive information, such as healthcare or financial data, it is critical to add another layer of encryption to protect against man-in-the-middle-type attacks. For example, companies might consider encrypting the payload and pinning the TLS certificate.

Perform application security evaluation

With the rapid adoption of agile development methodologies such as DevOps, effective integration of security into an enterprise’s software development lifecycle becomes critical to leveraging the cloud securely. One of the biggest misconceptions with respect to cloud security is the belief that cloud service providers will integrate security controls for applications and databases hosted for the enterprise. In reality, most cloud service providers, including AWS, Microsoft and Google, operate a shared responsibility model whereby enterprises maintain responsibility for:

consumer data;
application security;
identity and access management;
network and firewall configurations;
client-side configurations;
server-side encryption; and
data integrity authentications.

Cloud service providers in turn look after redundancy, storage, database and networking. It therefore becomes vital for enterprises to integrate security and compliance into their existing continuous integration and continuous deployment pipelines.

To improve the security of cloud applications, companies should first identify security vulnerabilities as early as possible within the SDLC. In practice, this means that companies should integrate security architecture review and secure code review at the earliest stages of development to drive secure implementation of code. Many security solution vendors have already adopted this approach by giving developers a security arsenal, including training and security practices integrated within the integrated development environment (IDE) and within the continuous integration pipeline. One pitfall we currently see is that security tooling is language-dependent, while large enterprises use a plethora of programming languages across their development ecosystems. These tools fail to deliver the same level of quality across different programming languages. For instance, a large enterprise may use both Node.js and Java, with security tools effectively identifying Node.js vulnerabilities while overlooking security risks in Java. Companies facing such challenges need to prioritise the customisation of their tools to achieve uniform effectiveness across programming languages. Additionally, companies can use benchmarking tools to understand the efficacy of the various security solution vendors.

Evaluating the efficacy of production security tools is also critical to securing cloud applications. We recommend first initiating a purple team exercise geared toward pressure testing key security controls. This approach allows companies to identify whether attack paths exist that could compromise a company’s cloud instance. To better recognise the benefit organisations can gain from purple teaming, companies need to understand the landscape of production security evaluation options. Red teaming exercises provide an adversary’s view of the company’s security posture, blue teaming exercises provide a defender’s view, and purple teaming combines both the adversary’s and the defender’s point of view to offer a comprehensive evaluation of information security risk. We see a trend toward companies seeking to build or enhance purple teaming capabilities, sometimes with the help of external experts. In our experience, companies can most effectively conduct purple teaming exercises in production by blending manual techniques with automated approaches. This allows companies to lessen downtime resulting from any identified security issues. It is important that companies do not conduct purple teaming exercises only in QA environments, as this could lessen the validity of the results.

Purple team evaluations can help identify security vulnerabilities and business gaps in production, providing visibility into the efficacy of layered defences such as web application firewalls (WAF), security gateways, security information and event management (SIEM), single sign-on and run-time application self-protection (RASP).

Maintain strong logging and monitoring capabilities

Strong logging and monitoring capabilities are essential for organisations to quickly detect and respond to malicious activity affecting their cloud deployment. Conventionally, security information and event management (SIEM) systems – which provide log collection and analysis – were challenging to install and maintain. Log retention was also very storage intensive. Newer SIEM systems are easier to deploy as a result of modular functionality. Storage has also lessened as an issue, with enterprises increasingly storing logs in the cloud.

Business leaders should strive toward using SIEM to achieve a single pane view of attack patterns used against cloud applications and infrastructure. This is achieved through log aggregation from various discovery sources (such as the WAF or RASP). Companies should validate the efficacy of the SIEM capability with a view toward creating a continuous feedback loop, whereby the commonalities between attacks feed into changes in the rulesets of layered defences and/or application code. We see that many companies fail to establish this feedback loop, undermining their ability to protect information in the cloud.
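The feedback loop described above, reduced to its mechanics: events from two discovery sources (WAF and RASP) are aggregated by attack signature and path, and the commonalities are turned into concrete proposals for ruleset or application-code changes. This is an added example, not code from the article or from any SIEM product; the JSON event schema, the signature names and the log lines themselves are constructed for the example, and the two heuristics in propose_changes are assumptions.

```python
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample events, already normalised by the SIEM into one
# JSON-per-line schema. Addresses are from documentation ranges.
SAMPLE_LOGS = """\
{"src":"waf","ts":"2019-05-20T10:00:01Z","client":"203.0.113.7","path":"/api/login","sig":"sqli","action":"block"}
{"src":"waf","ts":"2019-05-20T10:00:04Z","client":"203.0.113.9","path":"/api/login","sig":"sqli","action":"block"}
{"src":"rasp","ts":"2019-05-20T10:00:05Z","client":"203.0.113.9","path":"/api/login","sig":"sqli","action":"alert"}
{"src":"rasp","ts":"2019-05-20T10:01:10Z","client":"198.51.100.4","path":"/api/export","sig":"path_traversal","action":"alert"}
{"src":"waf","ts":"2019-05-20T10:02:00Z","client":"198.51.100.4","path":"/static/logo.png","sig":"scanner_ua","action":"log"}
{"src":"rasp","ts":"2019-05-20T10:02:30Z","client":"203.0.113.7","path":"/api/login","sig":"sqli","action":"alert"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse newline-delimited JSON; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def aggregate(events: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Group events by (signature, path), tracking sources, clients and RASP alerts."""
    groups = defaultdict(lambda: {"count": 0, "sources": set(), "clients": set(), "rasp_alerts": 0})
    for e in events:
        g = groups[(e["sig"], e["path"])]
        g["count"] += 1
        g["sources"].add(e["src"])
        g["clients"].add(e["client"])
        if e["src"] == "rasp":
            g["rasp_alerts"] += 1
    return groups


def propose_changes(groups: Dict[Tuple[str, str], dict], min_clients: int = 2) -> List[str]:
    """Turn commonalities between attacks into ruleset / code actions.

    Heuristics (assumed for this example):
      * a RASP alert means the request got past the WAF; if the same
        signature/path also has WAF events from several clients, the WAF
        rule exists but is too loose, so tighten it;
      * a RASP alert with no WAF event at all for that signature/path means
        the WAF has no rule for it, so the fix belongs in application code.
    """
    proposals = []
    for (sig, path), g in sorted(groups.items()):
        if g["rasp_alerts"] and "waf" in g["sources"] and len(g["clients"]) >= min_clients:
            proposals.append(f"waf: tighten rule '{sig}' on {path} (bypassed, {len(g['clients'])} clients)")
        elif g["rasp_alerts"] and "waf" not in g["sources"]:
            proposals.append(f"app: fix '{sig}' on {path} (RASP-only, no WAF coverage)")
    return proposals


if __name__ == "__main__":
    for proposal in propose_changes(aggregate(parse_events(SAMPLE_LOGS))):
        print(proposal)
```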

A steady procession of headlines underscores the reality that even the largest global enterprises continue to struggle with cloud security. Leadership teams must tackle cloud security risks by integrating effective security controls and processes within their continuous integration/continuous deployment (CI/CD) pipeline and production environment. Additionally, security teams need to create a continuous feedback loop between non-production and production environments to strengthen their company’s overall security posture.

Swapnil Deshmukh, CTO and co-founder, Certus Cybersecurity Solutions
