High-profile breaches have sparked interest in an emerging class of security software. The technology, named cloud security posture management (CSPM), scours cloud environments and alerts staff to configuration issues and compliance risks, most of which stem from human error.
Exhibit A of this type of gaffe occurred at Capital One in 2019, when a former Amazon Web Services (AWS) employee exploited a misconfigured web application firewall (WAF) that the financial services provider was running as part of its operations hosted in AWS, exfiltrated data and posted it on GitHub. In 2018, both a Walmart partner and GoDaddy were exposed when they left Amazon S3 storage buckets accessible from the internet.
Misconfiguration misfires in the cloud
Most CIOs will tell you that their data is more secure with cloud vendors, but human error leaves even the most robust cloud deployments susceptible to attack, thanks in part to the many permissions and access points that can be left exposed, says Gartner analyst Neil MacDonald. In fact, Gartner predicts that through 2025, 99 percent of cloud security failures will be the customer’s fault.
“The issue they are most worried about is some misconfiguration or mistake they make that leaves them exposed,” MacDonald says.
For instance, developers pressured to meet DevOps deadlines hastily spin up new virtual machines and unwittingly leave their networks exposed, says Land O’Lakes CISO Tony Taylor.
Common misconfiguration mistakes include cloud storage buckets and data-transfer services left reachable from the internet, as well as user accounts with more access rights than their role requires. Previously, staff sniffed out such exposures with manual checks or wrote their own scripts to detect them.
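The three mistakes just listed are exactly what the earlier generation of home-grown scripts, and now CSPM tools, look for. The following is an added example, not code from the article or from any vendor named in it: a set of posture checks run over a constructed snapshot of cloud configuration (bucket settings, security-group ingress rules and IAM policy statements in the AWS style). The snapshot data, resource names and severities are invented for illustration; a real tool would build the snapshot from the provider’s APIs.

```python
"""
Posture checks of the kind a CSPM tool runs, applied to a constructed
snapshot of cloud configuration (not real infrastructure). Three checks
from the article: storage exposed to the internet, management/database
ports reachable from anywhere, and identities with excessive rights.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    resource: str
    severity: str
    issue: str


# Constructed sample snapshot. A real CSPM tool would build this from the
# provider's APIs (for AWS: S3, EC2 security groups, IAM) rather than a literal.
SNAPSHOT = {
    "storage_buckets": [
        {"name": "corp-invoices", "public_access": False, "encrypted": True},
        {"name": "marketing-assets", "public_access": True, "encrypted": True},
        {"name": "backup-dumps", "public_access": False, "encrypted": False},
    ],
    "security_groups": [
        {"id": "sg-web", "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
        {"id": "sg-admin", "ingress": [{"port": 22, "cidr": "0.0.0.0/0"},
                                       {"port": 3389, "cidr": "10.0.0.0/8"}]},
        {"id": "sg-db", "ingress": [{"port": 5432, "cidr": "::/0"}]},
    ],
    "iam_policies": [
        {"name": "ci-deploy", "statements": [
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": "arn:aws:s3:::corp-invoices/*"}]},
        {"name": "legacy-admin", "statements": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    ],
}

# Management and database protocols that should never be exposed to the whole internet.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL",
                   27017: "MongoDB", 6379: "Redis"}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0, i.e. a rule that admits every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list; normalise.
    return value if isinstance(value, list) else [value]


def check_storage(buckets):
    findings = []
    for b in buckets:
        if b["public_access"]:
            findings.append(Finding(b["name"], "high", "bucket readable from the internet"))
        if not b["encrypted"]:
            findings.append(Finding(b["name"], "medium", "bucket not encrypted at rest"))
    return findings


def check_security_groups(groups):
    findings = []
    for g in groups:
        for rule in g["ingress"]:
            name = SENSITIVE_PORTS.get(rule["port"])
            if name and is_world_open(rule["cidr"]):
                findings.append(Finding(g["id"], "high",
                                        f"{name} (port {rule['port']}) open to {rule['cidr']}"))
    return findings


def check_iam(policies):
    """Flag Allow statements that grant every action (or a whole service) on every resource."""
    findings = []
    for p in policies:
        for st in p["statements"]:
            if st.get("Effect") != "Allow":
                continue
            actions = _as_list(st["Action"])
            resources = _as_list(st["Resource"])
            if "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(Finding(p["name"], "high",
                                        "wildcard actions allowed on all resources"))
    return findings


def evaluate(snapshot):
    return (check_storage(snapshot["storage_buckets"])
            + check_security_groups(snapshot["security_groups"])
            + check_iam(snapshot["iam_policies"]))


if __name__ == "__main__":
    for f in evaluate(SNAPSHOT):
        print(f"[{f.severity.upper()}] {f.resource}: {f.issue}")
```

Note that the port check treats the IPv6 catch-all ::/0 the same as 0.0.0.0/0, and that HTTPS open to the world (sg-web) is deliberately not flagged: a rule engine that reports every public port drowns the dangerous ones, which is why CSPM products ship with curated lists like SENSITIVE_PORTS rather than a blanket "no public ingress" rule.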
Check your cloud posture
The high levels of automation and user self-service in cloud platforms, including both infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS), have magnified the importance of proper cloud configuration and compliance, according to Gartner’s MacDonald.
Gartner recommends companies hedge against these risks by investing in CSPM, which extends the cloud access security broker (CASB) model, built to enforce security, compliance and governance policies for software-as-a-service (SaaS), to the configuration of IaaS and PaaS environments. Palo Alto Networks, DivvyCloud and McAfee are among the vendors offering CSPM suites.
At Land O’Lakes, Taylor is using CASB and CSPM software to understand to whom thousands of accounts are provisioned, what permissions each user has and who is sharing what data with whom, among other properties of the company’s Microsoft Office 365 and Azure environments. The software, McAfee’s MVISION Cloud, identifies mistakes such as misconfigured ports and databases, services that do not encrypt data, and systems out of compliance with state and federal privacy laws. It also automatically alerts security staff to anomalies, such as suspicious access.
Such capabilities are critical for a company that worries about protecting personal information in accordance with privacy laws such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR). “Before [MVISION], we had no good sense of our security posture,” Taylor says.
‘Side windows’ in the cloud
Securing cloud environments is challenging because, unlike on-premises technology, which companies wrap in a firewall and other perimeter protections, the cloud’s multi-tenant architecture means data from multiple customers often resides on the same physical machines, with each customer running a different configuration, says Rajiv Gupta, McAfee’s senior vice president of cloud and founder of CASB startup Skyhigh Networks.
The vast array of permutations widens the attack surface that perpetrators can infiltrate to exfiltrate data, says Gupta, who sold Skyhigh to McAfee in 2017. To be sure, these holes cropped up in on-premises infrastructure as well, but many such misconfigurations stayed hidden behind the perimeter. “With cloud services, that safety net goes away,” Gupta says.
Moreover, developers inadvertently create vulnerabilities as they spin up new servers, opening new ports and accumulating elevated privileges over time. Such “configuration drift” weakens security posture, Gupta says. Developers further complicate matters when they use APIs to connect third-party apps, such as a business intelligence tool, to their cloud service. Unbeknownst to the company, the third-party service makes a copy of all the data. Too often, companies aren’t aware that they created this “side window” until they are breached.
“The problem is compounded because there are so many intricacies and side windows between cloud-native components,” Gupta says. “Once I get in, I have lateral movement.”
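Drift is only visible against a reference point: a single snapshot can say a port is open, but not that it was closed when the environment was last reviewed. The following is an added example, not code from the article or from McAfee, showing the comparison a drift check performs: a baseline of security-group ingress rules and IAM grants is diffed against the current state, and each change is classified as newly opened, widened (a narrower CIDR replaced or joined by one that contains it), removed, or newly granted. Both snapshots, the group names and the role names are constructed for illustration.

```python
"""
Configuration drift check: compare a baseline snapshot of security-group
ingress rules and IAM grants with the current one, and report what was
opened, widened, removed or newly granted. Both snapshots are constructed
sample data, not a real environment.
"""
import ipaddress

# Constructed baseline taken when the environment was reviewed.
BASELINE_SG = {
    "sg-app": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.20.0.0/16"}],
    "sg-db": [{"port": 5432, "cidr": "10.20.0.0/16"}],
}
# Constructed current state after a few sprints of "temporary" changes.
CURRENT_SG = {
    "sg-app": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "10.0.0.0/8"},
               {"port": 8080, "cidr": "0.0.0.0/0"}],
    "sg-db": [{"port": 5432, "cidr": "10.20.0.0/16"}, {"port": 5432, "cidr": "0.0.0.0/0"}],
    "sg-debug": [{"port": 9229, "cidr": "0.0.0.0/0"}],
}
BASELINE_IAM = {"deploy-role": {"s3:GetObject", "s3:PutObject"}}
CURRENT_IAM = {"deploy-role": {"s3:GetObject", "s3:PutObject", "iam:PassRole", "ec2:*"},
               "hotfix-role": {"*"}}


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def diff_ingress(baseline, current):
    """Return (group, kind, detail) tuples; kind is 'opened', 'widened' or 'removed'."""
    drift = []
    superseded = set()  # baseline rules replaced by a wider one; not reported as removed
    for sg, rules in current.items():
        old = baseline.get(sg, [])
        for r in rules:
            if r in old:
                continue
            new_net = _net(r["cidr"])
            # A baseline rule for the same port whose CIDR fits inside the new one
            # means the rule was widened rather than newly opened.
            narrower = [o for o in old if o["port"] == r["port"]
                        and _net(o["cidr"]).version == new_net.version
                        and _net(o["cidr"]).subnet_of(new_net)]
            if narrower:
                o = narrower[0]
                superseded.add((sg, o["port"], o["cidr"]))
                drift.append((sg, "widened", f"port {r['port']}: {o['cidr']} -> {r['cidr']}"))
            else:
                drift.append((sg, "opened", f"port {r['port']} from {r['cidr']}"))
    for sg, rules in baseline.items():
        for o in rules:
            if o not in current.get(sg, []) and (sg, o["port"], o["cidr"]) not in superseded:
                drift.append((sg, "removed", f"port {o['port']} from {o['cidr']}"))
    return drift


def diff_privileges(baseline, current):
    """Return (principal, 'granted', actions) for actions that were not in the baseline."""
    drift = []
    for principal, actions in current.items():
        added = sorted(actions - baseline.get(principal, set()))
        if added:
            drift.append((principal, "granted", ", ".join(added)))
    return drift


if __name__ == "__main__":
    for entry in diff_ingress(BASELINE_SG, CURRENT_SG) + diff_privileges(BASELINE_IAM, CURRENT_IAM):
        print("%-12s %-8s %s" % entry)
```

The "widened" classification is what makes this more useful than a plain set difference: the database group still carries its original 10.20.0.0/16 rule, so a tool that only looked for deleted rules would report nothing, yet the added 0.0.0.0/0 rule on the same port has quietly exposed the database to the internet.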
The CIO’s take on cloud security
CIOs tell CIO.com they agree with these points — and that the AWS-Capital One imbroglio served as a wake-up call.
Like any emerging technology, cloud presents CIOs with risk-reward scenarios, according to Lookman Fazal, CIO of New Jersey Transit, who is consuming cloud from AWS. “It’s an age-old discussion,” Fazal says.
In considering a move to the cloud, Fazal researched whether he could replicate AWS’s 99.9 percent uptime or match its security incident response rate in his own data center. On both counts, the answer was no. “The KPIs of uptime and security were a lot better with AWS,” Fazal says.
Moreover, AWS gives NJ Transit disaster recovery without the cost of maintaining a secondary data center to fail over to in the event of an outage. Migrating to the cloud was considerably cheaper as well, allowing NJ Transit to shave $2 million off the cost of running compute resources on-premises.
Picking the right cloud vendor is also critical, says 84 Lumber CIO Paul Yater. As customers, it’s incumbent upon IT leaders to make sure the right checkpoints and audit protocols are in place.
“You can’t assume they’re doing everything right,” Yater says of cloud vendors. “You need to view the cloud vendors as an extension of your IT organization, so you hold them accountable to the same levels of security.”
Tips for protecting cloud services
IT leaders offered some tips for working with cloud vendors to ensure security.
Front-end security is paramount. It’s critical that customers implement policies and procedures before developers spin up cloud services, says Taylor, of Land O’Lakes. IT leaders must fix any holes in the front end of their environments — making sure that data isn’t exposed to the internet — and institute a sound DevSecOps model, Taylor adds.
Your cloud vendor must earn your money. Ask a cloud vendor to demonstrate a penetration (pen) test and its track record, and inquire about its firewalls, sensors and other tools that monitor traffic between network connections, Yater says. Also: Make sure they have the right data retention policies to protect your company.
Everyone is responsible. Security should happen in the context of a “shared responsibility” model, in which companies and cloud vendors each do their part to protect data from outside perpetrators as well as rogue employees, Gupta says. “People need to grok what it means to uphold their responsibility of the model,” Gupta says.