Digital attackers are increasingly turning their attention to the cloud. According to the 2020 Trustwave Global Security Report, the volume of attacks targeting cloud services more than doubled 7% in 2018 to 20% a year later. This growth made cloud services the third most-targeted environment after corporate and e-commerce at 54% and 22%, respectively.
These trends highlight the need for organizations to secure their cloud environments. Provided below are some things they should keep in mind along the way.
CSPs – Configurations and More
First, it’s important to point out that organizations are constantly shifting in their preferences for Cloud Service Providers (CSPs). A large majority of customers currently have AWS or Microsoft Azure. However, some customers have a hybrid of both AWS and Azure, and we are even starting to see a few customers adopt Google Cloud Platform (GCP). This points to an important realization: organisations need to multi-skill their employees to support these vastly different cloud platforms as they continue to undergo their digital transformations.
Fostering skills across multiple CSPs is an important matter of security. Oftentimes, we see single-skilled workers try to adopt security on CSPs that they are not familiar with. Such unfamiliarity could produce a misconfiguration that could enable attackers to access an organization’s sensitive information.
Traditionally, those misconfiguration events involved storage silos like Buckets, Blobs, etc. A number of customers had misconfigured storage that faced the public a while back. That’s what the malicious hackers look for – potential intellectual property or customer information in an insecure bucket. However, CSPs are now providing these services at a secure (private) state by default, so you would have to change it to a public-facing state deliberately going forward.
That raises an important question: should you adopt the default security configuration for your CSP in an attempt to avoid a misconfiguration incident?
I think caution is in order here. Some of the default settings CSPs provide may not be a requirement for your environment, so perhaps disable them. I’d also check all my settings against a hardening standard. At the end of the day, cloud service providers provide you a platform and the tools to manage that platform. It’s not their responsibility to secure your environment. It’s yours.
Therefore, you need to be confident that the settings in your CSP are set to the way you need them. Sure, the defaults may be a good place to start, but I would personally check them all. At the end of the day, it won’t be the cloud security provider that will be on the news at 10, after all.
It’s a Process
2020 has been a very challenging year for many, not to mention organisations who need to ensure the lights remain on in a safe and secure manner. This means giving employees access to critical systems from remote locations. We have seen the adoption of additional perimeter hardware to cope with the demand and jump servers put in place to access secure restricted systems. But to date, we haven’t seen many organisations move to the cloud.
Let’s be clear on a few things, though. Moving services to the cloud is not something that can or should be done overnight. It should normally take months of planning to ensure the right systems are running and conduct migration to the cloud. Take Office 365, which essentially can lift your whole AD management capabilities to the cloud. As we become more dependent on Software as a Service solutions and Infrastructure as a Service, there will be less demand on systems being accessed via remote VPNs.
Align to Cloud Hardening Standards
Fortunately, organizations can choose from a variety of standards to harden their cloud environments against attack. The Center of Internet Security (CIS) has a very mature set of standards and guidelines for multiple cloud providers as well as operating systems and applications, for instance. However, there are other standards out there such as the National Institute of Standards and Technology (NIST) that also cover hardening cloud environments.
In my opinion, though, there are a lot of overlapping controls in all the standards. As long as at least one standard is adhered to, it will help reduce the attack surface.
Automate, Automate, Automate
Over the years, automation in many areas of security has been increasing to meet the demand of so many systems generating alerts, discovering vulnerabilities, churning out logs, etc. Automation now extends to compliance. Solutions like Tripwire Enterprise can automate the process of checking multiple tests against many endpoints to show compliance across the estate. If you can use these solutions to continuously monitor systems for deviations from a specific standard, then you will be able to react quicker to potential security issues before a breach can occur.
So many organisations discover security breaches when the breach occurs and not before, so it’s time to get ahead of these breaches and help prevent them from happening in the first place. Malicious hackers use automated tools to continuously sweep and scan CSPs for misconfigured systems, which we have learnt can be easily achieved. So, if we started to use similar tools to ensure those holes are not there in the first place for the hacker to discover, then I’m up for that. Automation is a thing now. It’s time for organizations to embrace it.
Where Tripwire Fits In
Tripwire’s cloud cybersecurity solutions help organizations to automatically manage and enforce the configurations of their AWS, Azure and GCP accounts. It also helps them to monitor and manage vulnerabilities across their cloud assets as well as maintain consistent security controls as cloud assets spin up and wind down. For more information on Tripwire’s cloud cybersecurity products, click here.