When even the giants aren’t safe in the cloud, what’s everyone else to do?

TD Bank, Ford and Netflix all learned this month that their data had been sitting in exposed Amazon S3 buckets (S3 is Amazon's object storage service; a bucket holds files, backups, scripts and other backend assets, and is private unless its owner's configuration opens it up). In the same month, researchers reported that the card-skimming group Magecart had been scanning for S3 buckets left publicly writable and appending skimming code to the JavaScript files stored in them, compromising more than 17,000 domains to steal customer data and card numbers.

At the same time, Cybersecurity Insiders’ 2019 Cloud Security Report revealed almost all cybersecurity professionals (93 percent) are moderately to extremely concerned about public cloud security — up from last year. A parade of high-profile breaches shows their worry is justified.   

Accenture, Time Warner Cable, Dow Jones & Co., Verizon Wireless and the Department of Defense have all suffered massive exposure due to misconfigured Amazon S3 buckets.

The problem isn’t with Amazon or any other cloud service provider (Microsoft Azure and Google Cloud round out the top three). The problem, experts say, is that so many cloud customers don’t grasp that they themselves are responsible for securing their corporate data in the cloud.

Jay Heiser, VP and cloud security lead at Gartner Inc., told CSO Online that we’re seeing “a cloud security transition period in which focus is shifting from the provider to the customer.”


Companies are moving more and more of their data and workloads to the cloud — then playing catch-up when it comes to protecting them. It’s a headache that doesn’t discriminate by industry or business size.

“Organizations continue to adopt cloud computing at a rapid pace to benefit from the promise of increased efficiency, better scalability and improved agility,” Holger Schulze, CEO of Cybersecurity Insiders, explained in the 2019 Cloud Security Report.

“While cloud service providers like Amazon Web Services, Microsoft Azure, and Google Cloud Platform continue to expand security services to protect their evolving cloud platforms, it is ultimately the customers’ responsibility to secure their applications and data within these cloud environments.”

Peak InfoSec CEO Matthew Titcombe said too many customers give little thought to protecting their data in the cloud, incorrectly assuming that their cloud service provider does the heavy lifting when it comes to security.

IT’S NOT THEM, IT’S YOU

“The fundamental problem with clouds is: Out of sight, out of mind,” Titcombe said. “I run into this even with developers using the cloud. They think, ‘Oh, it’s up in the cloud; it’s safe, it’s secure,’ and they don’t necessarily manage it the same as they would if the servers were on-site. Because [with servers on-site] they’re fully responsible for everything all the way from physical security to power to everything else. [When you use a public cloud] you tend not to think about it as much. …

“I’ve done cloud security assessments for clients and when I’ve gone to talk to them about these cloud service providers, I’ve literally been told: ‘We’re secure because we’re on Google.’”

That’s wrong.

“You can’t say Google does all of your security,” he said. “You can inherit controls for security from them only to a point.”

SHARED RESPONSIBILITY

Public cloud security operates on a ‘shared responsibility model,’ and too many businesses don’t understand how that works.

Cloud management platform vendor CloudCheckr explains: “The cloud provider is responsible for Security Of The Cloud and the customer is responsible for Security In The Cloud.”

Providing security of the cloud means the vendor runs and secures everything beneath the customer's workloads: the physical facilities, the hardware, the virtualization layer and the host operating system. Providing security in the cloud means the customer configures and maintains everything above that line: the guest operating system and applications (including updates and security patches), identity and access permissions, network controls such as security group firewall rules, and storage access settings such as S3 bucket ACLs and policies. The customer is also responsible for encrypting data in transit and at rest.
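The bucket access settings are the customer-side control that the Magecart campaign above abused, and they are easy to check. The following is an added example, not code from the article or from any vendor it quotes: it evaluates a bucket's ACL and bucket policy for grants to the public and reports whether strangers can read the contents, write to them (the skimmer-injection case), or reach them only under a policy condition that needs a human look. The inputs are constructed to match the shapes returned by `aws s3api get-bucket-acl` and the JSON string inside the `Policy` key returned by `aws s3api get-bucket-policy`; fetching those documents is assumed to be done by the caller.

```python
"""Audit S3 bucket ACL and policy documents for public read/write access.

Added example (not from the article). Inputs are constructed to match the
shapes of `aws s3api get-bucket-acl` output and the policy JSON returned by
`aws s3api get-bucket-policy`. Fetching the documents is left to the caller.
Caveats: this is a first-pass check. It does not evaluate Deny statements,
NotAction/NotPrincipal, or the account and bucket level Block Public Access
settings, all of which can change the effective result.
"""
import fnmatch
import json

# Grantee groups that mean "anyone on the internet" (AllUsers) or "anyone with
# any AWS account" (AuthenticatedUsers). Both count as public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# ACL permissions that let a stranger list/read, or alter, the bucket.
ACL_READ = {"READ", "FULL_CONTROL"}
ACL_WRITE = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Policy actions that let a stranger read objects, or alter objects/settings.
POLICY_READ = {"s3:GetObject", "s3:ListBucket"}
POLICY_WRITE = {"s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
                "s3:PutBucketPolicy", "s3:PutBucketAcl"}


def _as_list(value):
    """IAM allows a single string or a list for Statement, Action, Principal.AWS."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """'*' or {"AWS": "*"} (possibly inside a list) means any caller."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _action_matches(pattern, action):
    """IAM action patterns are case-insensitive and allow '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def acl_findings(acl):
    """Return findings from a get-bucket-acl style dict."""
    findings = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GROUPS:
            continue  # a specific account or canonical user, not the public
        permission = grant.get("Permission")
        if permission in ACL_READ:
            findings.add("public-read")
        if permission in ACL_WRITE:
            findings.add("public-write")
    return findings


def policy_findings(policy_json):
    """Return findings from a bucket policy given as JSON text."""
    findings = set()
    policy = json.loads(policy_json)
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # Public but gated (e.g. aws:SourceIp, aws:Referer); needs manual review.
            findings.add("public-conditional")
            continue
        for pattern in _as_list(stmt.get("Action")):
            if any(_action_matches(pattern, a) for a in POLICY_READ):
                findings.add("public-read")
            if any(_action_matches(pattern, a) for a in POLICY_WRITE):
                findings.add("public-write")
    return findings


def audit_bucket(acl, policy_json=None):
    """Combine ACL and policy findings into a sorted list of labels."""
    findings = acl_findings(acl)
    if policy_json:
        findings |= policy_findings(policy_json)
    return sorted(findings)


# --- Constructed sample documents (not real buckets) ---------------------------
OWNER = {"DisplayName": "example-owner", "ID": "a" * 64}
PRIVATE_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"}]}
# The Magecart-style misconfiguration: anyone may upload or overwrite objects.
WRITABLE_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "WRITE"}]}
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
WILDCARD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}})
IP_GATED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}}]})

if __name__ == "__main__":
    for name, acl, pol in [("private", PRIVATE_ACL, None),
                           ("writable", WRITABLE_ACL, None),
                           ("public-read", PRIVATE_ACL, PUBLIC_READ_POLICY),
                           ("wildcard", PRIVATE_ACL, WILDCARD_POLICY),
                           ("ip-gated", PRIVATE_ACL, IP_GATED_POLICY)]:
        print(f"{name:12s} {audit_bucket(acl, pol) or ['ok']}")
```

Anything reported as `public-write` is the condition that lets an attacker replace the JavaScript a site serves from the bucket; `public-read` is the classic data-exposure case. Treat `public-conditional` as a review item rather than a pass, since conditions such as `aws:Referer` are trivially spoofed.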

“Really the most critical thing, for anybody going to the cloud, is to truly understand that cloud service providers’ expectations for the consumer in their shared security responsibility model,” Titcombe said.

“You have to understand what their expectations are of you. The best way to do that is to do a search: ‘Microsoft Azure shared service responsibility,’ for example. That’s going to give you their expectations. A lot of them also have tools that will help you to make sure you’re going through the controls to make sure you’re doing [your part].”

Cloud Security Alliance last month released the “Treacherous 12 Top Threats to Cloud Computing Plus” report, in an effort to help businesses make informed decisions on cloud adoption strategies.

Among the dozen: data breaches; insufficient identity, credential, and access management; system vulnerabilities; malicious insiders; data loss; advanced persistent threats; and abuse and nefarious use of cloud services.

CATCH-22

Despite the risks and persistent attacks, “up in the cloud, the data is going to end up being more secure than what most businesses can do on-premise,” Titcombe said. “It’s a Catch-22. Let’s just talk about Office 365. … Even with the risks of Office 365, our default go-to is to always recommend that those types of cloud services — email, that type of stuff — are, by far, going to be more secure.”

It’s the next part of the conversation, Titcombe said, that’s critical: Where do you want to allow your data and information to go? Is it only going to be allowed on company-owned devices? Are you going to allow it on personally owned devices — and if so, how will you control that? How will you monitor usage within your own on-premise network — and do you even know you need to do that?

Endless problems arise when businesses jump into cloud services without planning and then have to bolt on security after the fact. By then, someone has almost certainly set up Office 365 on a home computer and synced the company's shared files to it, so corporate email, customer data and intellectual property held in the Office 365 cloud now also sit on that PC.

And then, Titcombe said, “you’ve got your data out there uncontrolled — and instead of sitting behind a full-blown firewall, it’s just sitting behind a Comcast-type firewall or something from Best Buy. … There’s nothing stopping a hacker then from moving that [data] via your home computer, and your company probably isn’t watching you.”

Bitglass’ 2019 Guardians of the Cloud report found 85 percent of companies now enable bring your own device (BYOD), “which is alarming given the fact that securing mobile devices is second to last on organizations’ leading cloud priorities.” In fact, most companies still lack full oversight and control after log-in.

Defending against malware is hard for companies that are still deciding whether they want to let their employees access corporate data from personal devices, the Guardians of the Cloud report said.

“While enabling BYOD provides enhanced productivity and efficiency, it can give malware more attack vectors that it can use to infiltrate the enterprise,” it stated. “As such, organizations must select cloud security tools that secure data access from any device in real time, and block zero-day malware at upload, at download, and at rest — without any agents.”

The cloud makes mobile device management much more critical, Titcombe said, and companies can’t afford to take a narrow view.

“‘Mobile device’ is no longer just your tablet, your smartphone or a laptop,” he said. “It’s basically any device outside of your core office area with access to your data.”

In addition, “you’ve got to actually maintain and monitor all the different cloud services you allow, and approve them,” Titcombe said, “and choose them just as appropriately as you would when buying a new PC and new software.

“After that … you just can’t say you’re good enough at that moment, and that’s good enough forever going forward. It’s got to be continually monitored and adjusted.”