By Andrew Roberts, Chief Cybersecurity Strategist
The steady pace of workload migrations to the cloud is no surprise these days, given the ubiquity of cloud providers and solutions. In fact, Gartner believes that by 2028, more than half of all enterprises will leverage cloud platforms as a business necessity for their initiatives – not just as a technology disrupter.
Yet, given the complexity and variables involved, cloud security and breaches remain a major concern for organizations adopting the cloud. So what should organizations focus on to improve cloud security? “It depends” is often the most common answer, which is not very helpful.
Rather than add to the litany of best practices that may or may not be best for you, I propose “Two Laws of Cloud Security.” The laws may seem contradictory at first glance, but upon reflection, you will find that both are always true. When both are properly considered and implemented, the cloud will be a more secure place.
The First Law of Cloud Security:
The cloud is an extension of your data center infrastructure and should be secured as such.
How quickly we forget. For decades, IT professionals have been learning lessons (often the hard way) about making data center infrastructure more secure. Gone are the days when most IT admins had domain administrator rights just because it made their job easier. When we moved to the cloud, too many of us had forgotten those lessons and failed to implement simple, time-tested best practices within our cloud infrastructure.
Nearly eight years ago, Uber suffered a breach in which 57 million user records and 600,000 driver records were stolen from servers on AWS. How did this happen? The credentials for the AWS account were found on GitHub. Did we forget about the lessons we learned about keeping passwords on spreadsheets stored in shared drives?
Then again, Uber suffered another breach last year where the intruder gained access to the company’s VPN and Privileged Access Management (PAM) solution, facilitating full admin access to many of the company’s sensitive services. Again, valid credentials were used.
In both cases, multi-factor authentication (MFA) was either turned off in the cloud infrastructure or hackers obtained access to the MFA codes. We all know MFA is important in our data center; why don’t we remember that lesson in the cloud?
Here are some common cloud mistakes that could be avoided by learning from the past:
Not patching – Cloud servers are still servers. They run operating systems just like their physical counterparts. They still need to be patched. If you don’t know who is responsible for patching your cloud servers, then the answer is simple: you are.
Using a root account for everything – When creating a cloud environment, that initial user account has access to everything, kind of like a Windows Enterprise Admin, Schema Admin, and Domain Admin all rolled into one. We tightly control those on-prem Windows accounts, so why do we keep using the initial root account to manage our cloud infrastructure?
Leaving MFA turned off – Multifactor authentication is one of the best ways to improve the security of an account. While not infallible, it does greatly reduce the risk of compromised credentials. Cloud services offer MFA, and it’s easy to turn on. Why don’t we?
Forgetting the principles of least privilege – Inside the data center, the principle of least privilege is an actual “thing.” What about the cloud? See “Using a Root account for everything.”
Neglecting network ACLs – Network Access Control Lists (ACLs) have long been an important part of the data center defense strategy. Do you know how your cloud ACLs are configured? They are just as important in the cloud.
Failing to log and monitor – Logs are critical to data center operations and just as critical in the cloud, but all that is lost if those logs are not monitored. Cloud infrastructure can generate logs if you just turn logging on. Once logs are being collected, get them somewhere they can be monitored, like a SIEM.
Storing clear-text data – Tremendous investments have been made to encrypt data in the data center to protect it against a breach. That is just important in the cloud – just ask Uber in the earlier breach example.
The Second Law of Cloud Security:
The cloud is nothing like your data center infrastructure and should be secured as such.
While it’s important to remember the lessons learned from decades of operating data center infrastructure, we must also recognize that the cloud offers some unique security challenges.
We have all heard stories about data breaches that occurred because of a poorly implemented (and globally exposed) S3 bucket. Misconfigurations like that in the data center might expose data to more of the company than is appropriate, but it rarely leads to global exposure. Just ask Capitol One, a major bank and financial services provider, whose hack impacted 100 million customers and exposed information like Social Security Numbers, bank account numbers, credit scores, and more because of a misconfiguration on their AWS servers.
“The risks you face in the cloud might be similar to those you face with your data center. However, the controls you deploy in the cloud to treat those risks could be entirely different.”
– Gartner Outlook for Cloud Security for 2023 and Beyond
All cloud infrastructure operates under some model of shared responsibility. In the data center, the responsibility is always yours. In the cloud, “I thought they did it” is a statement that is used far too often. Know where your responsibility lies, and if you are uncertain, assume the responsibility is yours.
Some common cloud mistakes include:
Globally exposing data – Global exposure in the cloud means it is exposed globally in the very literal sense. Ensure your configurations are appropriate; start with no access and add only what is needed.
Using on-prem ACLs in the cloud – Earlier, we stressed the importance of ACLs, but that does not mean you can just copy your on-prem ACLs to your cloud infrastructure. That environment is different. The ACLs should be as well.
Assuming traditional security tools will work – Making a virtual instance of your traditional security tool and running it in the cloud is not always a good choice. With the autoscaling, immutable servers, and availability zones, these on-prem solutions may not know how to cope. Consider a solution that is built for the cloud or, at the very least, test your solution thoroughly before trusting it to give you the same protection you have come to expect.
Launching services without thinking – One of the value propositions of cloud services is the ease with which new services can be started and implemented, but that is also one of the pitfalls. Checking a checkbox does not take much thought; a mindless click may open unintended holes.
If we can remember the lessons that we have learned in the data center while acknowledging that the cloud also has critical differences, we can do a lot to improve our security.
A mistake in the data center would also be a mistake in the cloud…
but the stakes are higher.
Secure Your Cloud Environment
Let’s talk
Contact your MicroAge Account Executive at (800) 544-8877 to make sure your cloud journey is a safe one.
“As MicroAge Chief Cybersecurity Strategist, Andrew partners with clients to help them achieve great accomplishments in their cybersecurity, governance, risk and compliance programs. He is building a successful cybersecurity practice by focusing on client success, sales enablement and partner alignment. Andrew brings a wealth of experience in audit, advisory and cybersecurity leadership and freely shares that knowledge to help put clients on the path to success.”
Andrew RobertsMicroAge Chief Cybersecurity Strategist
