A Cloak with holes: CSP Provided Security
The last 2-3 years have seen a spike in cloud adoption, especially among organizations, such as large corporations, banks and financial services firms, that had possibly never thought about moving to a shared environment due to security concerns. The main drivers have been efficiency, ease of use, flexibility, scalability and lower TCO, among others. This adoption was further fueled in 2020 by COVID-19 and the requirement to support remote working, collaboration, faster scaling, etc.
This has also fueled another, less favorable type of growth: attacks on cloud assets. Cloud assets have swiftly joined the ranks of hackers’ top favorites due to the nature of the information being stored on the cloud.
A majority of companies on the cloud believe that securing their assets is the sole responsibility of the CSP and hence, they ‘over trust’ & think that they’ve ‘transferred their risk’. But that is far from the truth.
Per a recent McAfee report, 69% of CISOs trust their cloud providers to keep their data secure, and 12% believe cloud service providers are solely responsible for securing data.
The shared responsibility matrix illustrated aims to throw light on the subject –
In a nutshell, if you’re on the cloud, then the CSP will secure the cloud operations and you will need to secure everything that you have on the cloud.
Hence, you will need to secure the following among others:
- Identity & Access Management
- Client & Endpoint Protection
- Data classification & accountability
- Your applications
- OS, Network & Firewall Configurations
- Network Traffic Encryption, Server-Side Encryption & Data Integrity
- Secure management and control of terminals that access cloud services, including hardware, software, application systems, and device rights
- Data – Security, Compliance & Privacy
Interestingly, even your data isn’t encrypted by default; encryption needs to be turned on by you.
It is predicted that by 2022, over 90% of cloud security failures will be due to misconfigurations & oversights by end organizations. With over 96% of businesses either completely or partially on the cloud, it is critical for organizations to develop a strategy for securing their cloud presence.
Hence, cloud ops teams need to view these as their own servers & assets that they need to secure, rather than hoping to transfer the risk.
Some common types of threats/attacks/hacks in the recent past –
- Poor Access Controls
- Insecure APIs
- Hardcoded keys & credentials in the code
- Misconfigured Cloud Storage (Commonly reported as Leaky S3 Buckets for AWS)
- Security Group Misconfiguration
- Poor access management & permissions
- Loss of control over end-user actions
- Shared Tenancy Flaws
Our cloud security experts prescribe the following immediate steps for securing your cloud –
- Train your staff & help them understand the shared responsibility matrix
- Understand & document your crown jewels in the cloud and locations of critical data
- Leverage segmentation to segregate various workloads & resources, especially production, instances with client data, etc.
- Understand the level of failover, business continuity & disaster recovery provided by the CSP and how it impacts your cloud operations
- Review who has access & their rights across the board
- Update your firewall rules
- Understand the configurations, settings & other controls that end clients can impose on their cloud presence
- Enable Backups and Logging & Monitoring
- Run a vulnerability scan to ensure your cloud assets are devoid of vulnerabilities. This will aid in detecting the ‘low hanging fruit’ vulnerabilities. You can start with an unauthenticated scan & then progress to an authenticated scan
- Draft & publish your cloud security policies and procedures
- Conduct a cloud security configuration review to verify & ensure there are no misconfigurations on the platform or end assets, especially in your end workstation/server instances & storage
- Request your CSP’s latest security credential/certification to assess & understand the controls you would inherit and the gaps you need to be wary of/compensate for
- Conduct a penetration test to detect further weaknesses & gaps
- Leverage a benchmark for evolving into a secure cloud operation. A few examples are CSA’s Cloud Security Services Management (CSSM) and the CIS Foundation Benchmarks for AWS/GCP/Azure
- Commission an internal auditor or external vendor to conduct a thorough cloud asset audit to detect deficiencies & draft a mitigation roadmap
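A small configuration review of the kind listed above, checking three of the misconfigurations this article names: security groups open to any address, storage buckets without a full public access block, and volumes with encryption left off. This is an added example, not Accorian's tooling. It runs offline over a constructed inventory whose records merge AWS-style fields (`IpPermissions`, `PublicAccessBlockConfiguration`, `Encrypted`), and treating ports 22 and 3389 as the admin ports is an assumption.

```python
ADMIN_PORTS = {22, 3389}  # assumption: SSH and RDP are the admin ports of interest
WORLD = {"0.0.0.0/0", "::/0"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def open_admin_rules(groups):
    """(GroupId, port) for each admin port an ingress rule exposes to any address."""
    found = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            cidrs = {r["CidrIp"] for r in perm.get("IpRanges", [])}
            cidrs |= {r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])}
            proto = perm.get("IpProtocol")
            if cidrs & WORLD and proto in ("tcp", "udp", "-1"):  # ICMP etc. has no ports
                lo, hi = (0, 65535) if proto == "-1" else (perm["FromPort"], perm["ToPort"])
                found += [(sg["GroupId"], p) for p in sorted(ADMIN_PORTS) if lo <= p <= hi]
    return found

def exposed_buckets(buckets):
    """Buckets whose public access block is missing or only partly enabled."""
    return [b["Name"] for b in buckets
            if not all(b.get("PublicAccessBlockConfiguration", {}).get(f) for f in PAB_FLAGS)]

def unencrypted_volumes(volumes):
    """Volumes on which encryption was never turned on."""
    return [v["VolumeId"] for v in volumes if not v.get("Encrypted")]

# Constructed sample inventory: AWS-style field names, made-up values.
INVENTORY = {
    "SecurityGroups": [
        {"GroupId": "sg-web", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-admin", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 1024,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
        {"GroupId": "sg-any", "IpPermissions": [
            {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    ],
    "Buckets": [
        {"Name": "logs", "PublicAccessBlockConfiguration": dict.fromkeys(PAB_FLAGS, True)},
        {"Name": "exports", "PublicAccessBlockConfiguration": {"BlockPublicAcls": True}},
        {"Name": "legacy"},
    ],
    "Volumes": [{"VolumeId": "vol-a", "Encrypted": True}, {"VolumeId": "vol-b", "Encrypted": False}],
}

if __name__ == "__main__":
    print(open_admin_rules(INVENTORY["SecurityGroups"]))
    print(exposed_buckets(INVENTORY["Buckets"]))
    print(unencrypted_volumes(INVENTORY["Volumes"]))
```

The port-range rule on `sg-admin` is flagged even though it never names port 22, which is the kind of oversight a rule-by-rule read tends to miss.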
Accorian’s deep expertise in implementing & securing cloud, along with the mindset of ‘thinking like an attacker’, has aided our clients in building and maintaining a secure cloud presence. Our services cover every aspect of cloud computing and ensure that you are secured end to end.