Cloud Security INSIGHTS Archive: January 2021
From the Front Lines: Securing a Cloud-Native Company
By Infosecurity Professional Staff
Eric Gauthier, CISSP, had a traditional IT background that included running data centers and security when he landed at a company that tasked him with building a screening program for a cloud-native, serverless infrastructure.
What Gauthier learned from his early challenges was outlined in an (ISC)² Security Congress presentation to help others establish similar secure environments without compromising on security.
“A lot of employees are remote or working remotely, and you can take a lot of the lessons of what cloud-native companies are doing and feed it back into your organization,” Gauthier, the vice president of technical operations for analytics software provider Burning Glass, explained.
The pandemic provided a chance for organizations lagging in digital transformations to rethink if now was the time to abandon servers and physical locations in favor of a cloud-first environment where the focus is on protecting data and sharing responsibility for security—versus continuing to fold cloud service adoption into a more traditional on-premises IT setting.
Meet Alice and Bob
To illustrate the advantages and issues with these two different arrangements, Gauthier introduced two fictitious organizations: one run by “Alice” in a cloud-forward company in which she’s focused on data security and vendor management, and a more traditional IT shop overseen by “Bob” that’s reliant on IT and physical security like badges, network controls, IoT, etc.
“For Alice, one of her challenges [is] just to even know who her vendors are; to keep track of them; to know their capabilities and whatever data they are holding,” he said. “If there is no network, Alice doesn’t really have this capability.” Alice can’t watch network activity to know who is coming to a site and review firewall logs to ensure that the correct traffic is blocked. “She has a problem of just discovering what services are out there.”
Alice also must carefully scrutinize and periodically review cloud service agreements to ensure adequate security—like firewalls or VPNs and access management software—is provided by a vendor, and to determine where to augment it with in-house support.
Bob, on the other hand, “owns” everything in his IT shop. His issues with managing users, endpoint security, application security and network missions control revolve around costs and capacity.
“His team has to be significantly larger. They have to be able to handle and triage—all of these events that are happening, all of these other layers down lower than the user trying to get access to data. He needs a team with a much broader skill set,” Gauthier explained. “He needs to worry about system matching, hardening, not just system patching. Business continuity is a huge problem. You have all of this physical equipment sitting in a physical location. What happens if some other event happens and you can’t get into the office?”
Gauthier sees advantages for Alice, who can leverage the security built into the cloud services she buys. She doesn’t have to worry about security patches and instead can devote more attention to user access and data classification. Additionally, cloud service providers have the agents to sit on laptops and endpoints and provide visibility into data usage that assists Alice with data loss prevention (DLP).
He went on to explain how DLP solutions with cloud services differ from traditional tools like firewalls or VPNs that restrict or block internet access. “What you’re really saying is, ‘I want to prevent any machine on the network from having access.’ It’s the application proxy itself that’s exposed to the internet. Blocking access from all machines in the world to accessing your information also means you can get around a split-tunneling problem. There is a trade-off you have to have when you’re doing tunneling.”
Split tunneling can be difficult with a distributed workforce, especially if employees are physically located in different regions or countries. Alice, as Gauthier noted, does not worry about that if everyone’s accessing cloud-based applications. What is a headache, however, is implementing single sign-on with many different vendors all requiring their own access controls. Traditional single sign-on provides a federated way to manage users and centralized logs. It also helps with password management if employees need only log in once to access multiple applications or databases.
Steps to securing cloud-first environments
Because Alice is reliant on third parties to share responsibility for securing her company’s digital assets and data, vendor vetting is critical. She must make sure a cloud provider’s offerings align with her company’s security policies. Gauthier offered as an example Amazon Web Services (AWS), which requires audits and provides some security, but perhaps not at the level organizations now require.
So what should organizations now dependent on cloud services do to boost cybersecurity measures?
“The first thing that I would say is don’t rely too heavily on your network. It’s odd for me to say, because my history is in building networks and data history,” Gauthier said.
“If you’re looking at how to build a compliance program, think about your VPN. If you are facing a heavy solution, also look at your VPN,” he continued. This is even more important with most employees working from home who need to access networks and corporate data stored elsewhere. Requiring everyone to use the same VPN solution is one way to secure transmissions. And, you gain greater awareness of what is happening with your end users—what applications they are accessing and from where through the VPN’s dashboard capabilities.
Data security should be given the same consideration as endpoint security. “This allows you to have more structured conversations. My security standard for accessing this application is showing whatever that is. Now you are making a more risk-based approach on accessing that data. Also, like Bob, you can use VDIs [virtual desktop infrastructures] and workspaces.”
Speaking of Bob, he too has to be careful when vetting vendors, some of which will likely now be cloud service providers. “I think he also needs to invest in a vendor management program. If you can look at your security program and talk to your IT team about that model, that creates a baseline. You can say, ‘If you’re going to have this network, you’re going to do this thing.’”
Finally, the CISSP reminded everyone to remain hyper-focused on data—where it’s located and who has access to it. “There are a lot of tools coming out now to manage data in the cloud. They are getting better and better at it, and you can leverage them for internal applications.” One such solution, he noted, is a cloud access security broker (CASB), especially when most of the organization’s endpoints are internal.
“If you are a cloud-native company, you have to focus on your data,” he advised. “You don’t have any other choice. If you are at a traditional shop, try to start thinking about things on that side. Focus on identity access and management and getting a solution that’s going to cover you, no matter where you are.”