Predicting the future of Cloud computing is a bit like predicting the weather: there are certain knowns that you can set a clock by, but there are unknowns about the environment, and how conditions can collide as the volume of information placed in the Cloud increases.
A Gartner survey conducted last year revealed that Cloud computing remained a top emerging business risk for executives as use of the Cloud grows. Security threats to the Cloud will impact businesses in unpredictable ways.
Background:
- The Cloud is a computing service that allows for on-demand access to data storage, software, and processing. It replaces the use of a hard drive by storing data, services, and software in data centers that can be accessed when connected to the internet. The cloud operates in three different formats: infrastructure as a service, platform as a service, and software as a service. These formats often are used in tandem when accessing the Cloud.
- Companies and individuals have found many different uses for the Cloud. Companies use it for services including file storage, test and development, disaster recovery, and big data analytics, such as getting analysis on consumers’ behavioral patterns. Individuals use the Cloud anytime that they stream a movie, share or store photos, or access email.
- The Cloud industry is expected to continue growing. The industry is predicted to reach $206.2 billion in revenue in 2019—a 17.3% increase from 2018. Some leading companies that are heavily invested in, creating, or expanding Cloud services include Adobe, Amazon Web Services, Google Cloud Platform, Kamatera, and Microsoft Azure.
- Using the Cloud comes with security risks. The Cloud runs software, and all software has vulnerabilities that can be exploited. If a nefarious actor accessed even just a part of the Cloud, they would gain access to individuals’ and companies’ private information, including infrastructure details, personal and client information, and future plans.
- Cyberattacks against the “Five Eyes” countries (the United States, United Kingdom, Australia, and Canada) have increased in recent years. The Chinese hacking group “Red Apollo” in 2017 launched one of the largest ever global cyber espionage campaigns targeting Cloud service providers. “Operation Cloud Hopper” targeted a small number of IT service providers, giving it the potential to spread spying tools to all clients using the companies to run their computer networks. Companies in 15 countries—including Australia, Canada, France, Japan, Switzerland, the United Kingdom, and the United States—were targeted.
- Australia’s Parliament was hacked in February 2019, and the Prime Minister attributed the attack to a state-actor. Some experts judge that the Iranian group Mabna—which has been known to attack Cloud-based users—was behind the attack.
The Cipher Brief tapped four experts for their thoughts on the future of the Cloud and the issues likely to impact the bottom line: Mark Testoni, President & CEO of SAP NS2; Benjamin Powell, Co-chair of the Cybersecurity & Privacy Practice at Wilmer Hale; Conrad Prince, former Deputy Director of GCHQ; and Lindi Horton, Director of Cloud Security at Secureworks.
Understanding Today’s Cloud
What is the biggest misconception about Cloud Security today?
Benjamin Powell, Co-Chair, Cybersecurity & Privacy Practice, Wilmer Hale
"The biggest misconception about Cloud security is that moving to the Cloud will either make your data more secure or less secure. Much still depends on a company’s specific implementation of using cloud platforms. Such a move can be far more secure – or can be less secure if not implemented properly."
“One of the biggest misconceptions is that all cloud applications are the same. Since they aren’t used in an equal or identical fashion, the security around them shouldn’t be a ‘one-size-fits-all’ approach,” says Mark Testoni, President and CEO of SAP NS2.
Mark Testoni, President and CEO, SAP NS2
"Another common misconception is that security efforts are outsourced to the cloud service provider. Organizations should partner with their cloud providers to ensure security controls are in place end-to-end."
"There are many new security services available through cloud service providers that organizations have the opportunity to leverage and improve their security posture. However, this doesn’t happen without effort and a thorough approach to security," adds Testoni. "Security is beyond protecting the network perimeter to monitoring what’s going on inside—presume they are already in—this vigilance is critical. Building a culture of awareness with good cyber hygiene practices is the top priority."
Conrad Prince, Former Deputy Director, GCHQ
Former Director General for Operations and Deputy Director of GCHQ
"A few years ago, the biggest misconception would have been that cloud cannot be secure. Today perhaps it is that cloud providers are sure to have security covered. I think security can keep up with the volumes of data, but as with all things cyber it is about rigorous application of core security principles which all too often does not happen for reasons of cost or convenience."
“I often hear CISOs comment that Cloud security is less secure than on premise security controls, but the reality is that cloud security is different than on premise controls and requires a different strategy. One is not more or less effective than the other, but to ensure the cloud services are secure, new processes, technologies, and services are available to improve your overall security posture. Transformation may be overhyped, but there’s quite a bit of evolution that is necessary to secure the cloud, and it requires you to think and work differently," says Lindi Horton, Director of Cloud Security at Secureworks.
Lindi Horton, Director of Cloud Security, Secureworks
"By traditional standards, the level of automation, especially in the detection arena, makes the cloud more secure than on premise infrastructure. But if you just do what you’ve always done, and you can’t keep up with the speed and scale required, then when new threats emerge you’ll be unable to truly secure your cloud."
The Security Risks
Cloud providers are prime targets for hackers. Security risks include costly and brand-damaging data breaches, weak identity management, the insider threat, system and application vulnerabilities, Advanced Persistent Threats (APTs), insecure APIs, and shared technology issues, to name just a few.
Benjamin Powell, Co-Chair, Cybersecurity & Privacy Practice, Wilmer Hale
"And of course, once data is in the cloud, access to it is dependent on connectivity to service providers. That could raise issues of ensuring that there are not denial of service or other attacks that would impact ability to connect to cloud platforms."
Mark Testoni, President and CEO, SAP NS2
"A data breach is the culminating event of improperly mitigated risk within a computing environment. There is a long series of efforts to strengthen security in the dozen families of security controls. Account integrity is more important than ever. Multi-factor authentication is now a default requirement."
“Further efforts to limit access and employ behavioral analytics and machine learning are critical to monitoring efforts. Organizations must assume that the enemy is already inside their networks, and their security efforts must reflect that level of risk,” said Testoni.
Conrad Prince, Former Deputy Director, GCHQ
Former Director General for Operations and Deputy Director of GCHQ
"In terms of cloud security I think the key thing for companies is not to fall into the mindset of thinking that they have transferred ownership of the risk in relation to their data or services to their cloud service provider. It’s still the company’s problem and they need to do the right amount of due diligence to ensure they are using a provider that offers an approach to security that meets the company’s requirements."
"In order to do this, companies need to step through a number of questions, including being clear what their business requirement is in relation to the cloud - what availability or connectivity do they need? What risks are acceptable and what are not?" says Prince. "They need to understand how the cloud provider is going to process and store the company’s information. And what legal and regulatory considerations apply."
Lindi Horton, Director of Cloud Security, Secureworks
"Traditional security controls at the perimeter are highly ineffective at preventing threats in cloud environments. Companies need to keep in mind that the vast majority of breaches happening on cloud services (IaaS, PaaS, and SaaS) are exploited due to misconfiguration of the cloud services. Stolen credentials and/or elevated permissions is the number one threat vector leveraged by threat actors in cloud services."
“These can easily be prevented by strong identity access controls, especially ensuring MFA is required for anyone with root or cloud console access. With the rise of SaaS applications storing sensitive data, including employee records, compensation, and customer data, strong identity and access management controls are necessary to detect and prevent data exfiltration from external and internal threats,” adds Horton.
Looking Ahead
What do companies need to be keeping top of mind when it comes to predicting the future of the Cloud?
Conrad Prince, Former Deputy Director, GCHQ
Former Director General for Operations and Deputy Director of GCHQ
"Companies need to be clear what security considerations are particularly important to their circumstances and look at how the prospective cloud provider matches up to those priorities. This might include understanding what the cloud provider’s security governance framework is, how data in transit is protected, the cloud provider’s approach to personnel security, how they secure their supply chain, how access management operates, what auditing is done and how the company can access audit records."
"It is really important to go with a cloud provider that can provide verifiable evidence of how it is meeting these various security requirements. Ideally, companies will negotiate security standards into the contract with a cloud provider. And in the best cases there will be independent validation of the cloud provider’s security," says Prince.
Benjamin Powell, Co-Chair, Cybersecurity & Privacy Practice, Wilmer Hale
"The arms race will of course continue between attackers and defenders. Hopefully with proper implementation, cloud providers can bring security expertise and resources to the problem that result in overall greater security. At least one hopes that will be the case. But it also still requires high attention to security by companies."
Mark Testoni, President and CEO, SAP NS2
"There are emerging tools that perform network security task automation and key encryption that can assist in managing large volumes of data. Organizations need a strategy that incorporates tools, best practices and expertise in order to truly safeguard information."
"For example, when building a fence, it is not about having the best wood. It is about leveraging the best tradesman, with the best design, and the best materials, in order to truly shield the home. This is exactly what is required to safeguard an enterprise," says Testoni.
Lindi Horton, Director of Cloud Security, Secureworks
"Companies this year are looking at evolving their cloud platforms with serverless, containers, and IoT platforms to keep pace with competitive pressures. This requires security organizations to radically re-invent their security controls, processes, and posture."
"Especially in the cloud arena, cloud service providers (CSPs) are closing many of the security gaps, but the way they implement these controls is vastly different from one another," says Horton. "Companies are faced with a real challenge because they need security professionals to specialize on each cloud platform while also needing them to cover any unintended control gaps that are introduced because some platforms implement the controls differently. With an acknowledged security labor shortage, especially in cloud, companies will have to rationalize their security controls across multiple cloud platforms while not blocking the business from its strategic objectives."
Research by McRae Mayfield