cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post

Cloudy with a Chance of Breach

The day starts like any other. You’re finally starting to feel like you’ve got a handle on the security posture of your enterprise, because you’ve been able to add a reasonable amount of visibility into the infrastructure:

  • You have a Netflow collector reporting anomalies.
  • Taps or network packet brokers are installed at key ingress/egress points.
  • Vulnerability management systems are implemented to scan networks or devices and report regularly.
  • Firewalls, intrusion detection systems (IDS) and other malware detection mechanisms send log and alert data to a security information and event management system (SIEM) or a managed security service provider (MSSP).
  • A centralized log correlation system is deployed to meet the needs of security and assist operations with troubleshooting.

Then the unthinkable happens.

Your boss waltzes in to tell you, “We’re moving to the cloud. Isn’t that exciting?!” While management is already counting the money they think they’re going to save by eliminating on-premise systems and reducing head-count, all you feel is frustration and dread. How are you going to do this all over again, and in the cloud, without the organization going broke or your team having a nervous breakdown?

Remain calm and don’t surrender to nerd rage. While challenging, there are ways to use some of your existing tools and leverage similar ones built into software-as-a-service (SaaS) or infrastructure-as-a-service (IaaS) offerings in order to meet your security needs.

For example, you can still use network monitoring tools such as Netflow to track anomalies at key ingress/egress points between the enterprise and the Iaas or SaaS. To implement access restrictions, you could set up a dedicated virtual private network (VPN) tunnel between your physical network and the cloud environment, forcing your users through traditional, on-premise controls. Additionally, most cloud providers offer the ability to create access control lists (ACLs) and security zones. This provides another method of restricting access to resources. By leveraging VPN tunnels, ACLs and logging ingress/egress firewall rules from your network to the cloud service, you can create an audit trail that will prove useful during and post breach.

Other useful access control methods are the addition of multi-factor authentication (MFA) or single-sign-on (SSO) to your cloud service or infrastructure. We all know the problems with passwords, but this becomes even more frightening when you consider your services and data are in a multi-tenant environment. Many cloud providers support free or paid MFA integration. Moreover, you’ll want to leverage the provider’s SSO capabilities to ensure that you’re controlling, auditing and removing administrative access centrally. When choosing a cloud service, these requirements should be in your RFP in order to ensure that a provider’s offerings in this realm align with your security model and compliance initiatives.

If you already have security products you’re comfortable with, you generally don’t have to reinvent the wheel. Because of multi-tenancy, you won’t be able to install physical taps and IDS appliances, but you have other options in applying more traditional controls to IaaS and Saas.  Many companies offer versions of their products that work within cloud environments. Network firewalls, IDS, web application firewalls (WAF), logging systems, vulnerability scanners; a simple search in the Amazon Web Services (AWS) marketplace should alleviate your fears.

Finally, many providers have an administrative console with APIs and external logging capabilities. AWS’ Cloudtrail and Cloudwatch are just two examples.  With some effort, these can be integrated with either an on-premise or outsourced SIEM.

Migrating to the cloud can be intimidating, but it doesn’t have to be the end of security as you know it. Your team must be prepared to shift the way you apply controls. With some tweaks, some of them will still work, but others might need to be abandoned. The cloud seems to be here to stay, so security must adapt.

18 Comments
MVP
MVP

ugh..the cloud.

We are seeing more of it.  Granted I am not as involved on the security side, but it still offers challenges for general monitoring as well.

Thank you for the blog !

Yes, the headache factor just jumped an order of magnitude.

Plus I have a problem with the phrase "The Cloud."  It's not a cloud, it's not nebulous, it's not vague in any way to a Network person.

The correct term is "A.S.P.".

As in "We're moving some of our services to an Application Service Provider via the Internet.  Their Highly Available Network Operation Centers are located in Nevada, Nebraska, Michigan, and Maine and their hardware is totally resilient/redundant; plus, they've signed a Five 9's SLA with us!  Here are the 7x24 contact numbers for their NOCs, in case you have questions or need to report problems.  Here are the names of their administrative and technical staff teams, through which you can escalate trouble tickets to higher and higher supervisors and managers--right to the CEO! We'll be relying a lot on this ASP, so we're having an initial ice-breaker with their staff next month; we'll start with lunch at the local fancy restaurant's meeting room.  They're a good team, and I think you'll like the depth of their expertise and the access you'll be given to them for design and troubleshooting resources."

Now if someone presented that to you, wouldn't you feel good about it?  I would!

As I read, and my blood pressure rises, I have to just sit back and think for a few minutes......How can I solidify my position with the company, what are the pro's and con's, and how can I ensure a fall back plan is ready when a security breach spells catastrophe for the Enterprise.

MVP
MVP

Yes the cloud does add to the monitoring complexities. I just hope that all staff don't end up in the cloud!

MVP
MVP

I would call in the director for a meeting to discuss the pros and cons of running services in the cloud.

I would put extra emphasis on the cons. Here's some food for thought:

Top 10 cloud computing risks and concerns

8 Reasons to Fear Cloud Computing

9 Cloud Computing Security Risks Every Company Faces

Cloud adoption carries big risks for companies

Common Risks of Using Business Apps in the Cloud

Level 14

The bosses always have the right to move to the cloud, but when they say that they are outsourcing and it's now the provider's responsibility, it make my blood boil.

You can outsource the work effort, but never the responsibility.

Keep the ISP clean & honest with NPN & NTA, but keep the cloud provider clean & honest with NPM & elastic servers gold-image agent monitoring & SAM, DPA, and the rest everywhere possible.

Level 11

I agree, the cloud can be intimidating at first.  The more exposure you have to it the more advantages you will see.  You don't have to compromise security, continue to use best practices and stay up to date with the latest software updates. 

MVP
MVP

When one dares to use the "c" word around here our security guys feel a disruption in the force. I don't deal with the security aspect at all but from a monitoring stand-point it doesn't seem all that bad. Unfortunately, by the time we get around to actually using the cloud they'll be something better. Who knows, maybe we'll be storing things in galaxies or universes soon.

Level 14

I am amazed that most senior level management does not grasp the concept of what "cloud" computing is. As rschroeder​ rightly calls it "ASP".

All the things that we would do to defend our realms should be looked into prior to signing on the dotted line. It's called "due diligence".

That said.... It all ends up being OUR responsiblilty.... So we adapt and move forward....

Level 7

I am not sure how to take the original post or the varied comments other than to say if it is a wave just ride it out and it will hit the beach eventually.

Level 20

When you don't own the actual infrastructure I don't see how no matter what kind of reassurances you get from the ISP that you could ever really trust it or for that matter do much about it when things go wrong... for this reason many industries I thought would almost never consider this but... cost is king I guess and some are more than willing to take much increased risk to see lower bottom line.

CourtesyIT hit the nail on the head... it's scary enough being responsible for the things you do control!!!  It's common sense that apparently many are more than willing to throw out the window to save a few bucks... well when the company is in the news or on the front page of a newspaper... I don't want my name attached to that byline.

Level 11

I must admit I enjoy new challenges and as well as migrating to the cloud I am hoping there will be a secondary step of migrating from a service providers cloud back to your own cloud. (yes I agree 'Cloud' is a misleading term)

I'd also sugest that your own cloud has the capacity to burst out to the service providers cloud when required, which would give your company time to expand your own cloud capacity to bring those services back in house again.

Two terms that I see as 'potential' sticking points and I often hear are:

1) Latency to and from said cloud

2) High performance processing cloud costs vs running high performance locally

Both of which become moot if utilizing a cloud infrastructure locally. However, did the Security implications just double?

Or Triple?

Level 20

Not only did they double or triple... you now have absolutely no control over most of it and on top of that when something really goes wrong... what can you do about it?  Better read the small print on the contract or have a team of lawyers look at it if you are using that cloud for anything but your own business too!

Level 11

It does sound over the top doesn't it? 

But that's the way companies are starting to go with AWS Openstack hybrid clouds. There a few case studies out there now of where it has been implemented, Lithium technologies springs to mind. How successfully is another matter..

Level 14

Fortunately, we haven't and won't have to make this jump.  Classified networks will stay in house.

Level 20

Hehe nope the nispom sorta frowns on that! lolol!  Crazy though the rest of the DoD is all about to jump into a bunch of cloud stuff... as if the OPM breach wasn't bad enough o.O

Level 8

I understand the allure of cloud. But I don't understand how anyone could think of it as secure. People say it's more secure than your own lan, but, you still have to have your own lan, so it's not more secure it's an added risk that requires a connection through an untrusted network and allows connections from anywhere in that untrusted network. That's the main reason for having cloud, people can get to it from anywhere and work from anywhere. (and cheapskates who want to downsize IT.)

But we are a regulated industry with regulations and penalties and cloud breaks all of the regulations for security of information like sysadmin staff have to have clearances. DOE rules are that anyone with administrative access to the software or hardware running on the physical box and/or virtual system have clearances. To me that means the entire cloud providers sysadmin and devop staff, world wide.

That is not going to happen. And it can't be verified/audited.

I don't know of an industry where they don't have some information they have to protect, whether the company formula for a product, user details, user private information, payments by credit card (they have interesting regulations and audits) or "state secrets". Why they would want to use less than the best security possible for that information is beyond me. This is your companies life blood. Why would you not want to protect it the best way possible? Why trust it to strangers? It is not worth everything to you?

And processing/storage is so cheap right now. Put in a VPN and a terminal server and your wandering workers can access it at your network without opening your data up to random strangers who happen to work at your providers off-shore office.

Isn't your data worth a little more to make sure you know where it is?

Level 21

As a hybrid cloud services provider I wanted to say how well I thought this was written.  I love the fact that you point out that there are options out there and how we need to not fear the cloud but learn to work within it and that technology will adapt to it.  Hybrid clouds offer a great option for folks that may need some more control for some systems but not all and would like the flexibility to move workloads between different environments.

About the Author
Mrs. Y is a recovering Unix engineer currently working as a security architect. She likes long walks in hubsites, traveling to security conferences and spending time in the Bat Cave. Sincerely believes that every problem can be solved with a "for" loop.