Despite greater adoption and significant benefits, many organizations are still worried about trusting their assets in the public cloud.
Several recent reports have highlighted these concerns. The 2019 Cloud Security Report from Cybersecurity Insiders and ISC2 found that 93 percent of organizations are moderately to extremely concerned about public cloud security. More than 90 percent of respondents to a recent cloud security report from Bitglass agreed.
Both of those reports, along with another also written by Cybersecurity Insiders and sponsored by Check Point, detailed the reasons why organizations are so concerned.
The reports had similar lists of what respondents consider the biggest threats to public cloud adoption. Major concerns include data loss and leakage, unauthorized access and misconfigurations of the cloud platform. Others are external sharing of data, lack of visibility, malicious insiders, malware/ransomware, data privacy, compliance and data sovereignty.
These results aren’t surprising at all, said Jon Oltsik, senior principal analyst at Enterprise Strategy Group.
“There are a lot more moving parts, and something is happening all the time, which increases the probability that something will go wrong,” he said. “For example, if you are hosting your applications in containers, you have to understand the vulnerabilities and attack vectors around containers. If you are using a serverless model, the same thing can happen. It all changes where you put your security controls and what you need to monitor.”
Oltsik said he would characterize the biggest public cloud security threats that are hindering adoption a bit differently, narrowing them down to careless users, vulnerable configurations and attacks that cross the kill chain into the cloud to gain access.
Whether it’s due to lack of knowledge or simply not caring, there will always be careless users, he said. In addition to user education—always important—Oltsik stressed the importance of monitoring users in ways that can identify malicious, suspicious or careless behavior. The best ways to do that include limiting what users can do through least privilege, role-based access control and strong authentication. He recommended using user behavior analytics and behavioral monitoring tools, as well as practicing good Identity and Access Management (IAM) hygiene.
“You can also use a SIEM [security information and event management] to write some correlation rules so you know that if someone performs steps one, two and three consecutively it’s a mistake,” he added.
As for addressing vulnerable configurations, Oltsik recommends implementing scanning and profiling tools. “Make sure, for instance, that S3 buckets aren’t wide open for anyone to authenticate to, which was a default configuration a few years ago and got a lot of people in trouble,” he said.
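The bucket check Oltsik describes can be expressed as a small audit routine. The following is an added example written for this article, not code from the article, from ESG or from AWS. It works offline on the three data structures that matter for S3 exposure, the bucket ACL, the bucket policy document and the Public Access Block settings, laid out in the same shape as boto3's `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` responses so the constructed inputs can be swapped for live calls. The bucket names, account IDs and ARNs are made up for illustration. Grants to the `AuthenticatedUsers` group are the "anyone who can authenticate" case; they are treated as just as exposed as `AllUsers`.

```python
"""Offline audit of S3 bucket exposure: ACL grants, policy principals, Public Access Block.

Added example for this article (not the article's, ESG's or AWS's code).
Bucket names, IDs and ARNs are constructed; the dict layouts follow boto3's
get_bucket_acl / get_bucket_policy / get_public_access_block responses.
"""
import json
from typing import Any, Dict, List, Optional

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def acl_findings(acl: Dict[str, Any]) -> List[str]:
    """Any grant to AllUsers (the internet) or AuthenticatedUsers (any AWS account) is exposure."""
    out = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI", "")
        if grantee.get("Type") == "Group" and uri in (ALL_USERS, AUTHENTICATED_USERS):
            who = "anyone on the internet" if uri == ALL_USERS else "any AWS account holder"
            out.append(f"ACL grants {grant.get('Permission')} to {who}")
    return out


def _wildcard_principal(principal: Any) -> bool:
    """Principal may be "*" or {"AWS": "*"} or {"AWS": ["*", ...]}; all mean everyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False


def policy_findings(policy_document: Optional[str]) -> List[str]:
    """Flag Allow statements whose Principal is a wildcard; a Condition narrows but does not clear them."""
    if not policy_document:
        return []
    statements = json.loads(policy_document).get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    out = []
    for st in statements:
        if st.get("Effect") != "Allow" or not _wildcard_principal(st.get("Principal")):
            continue
        actions = st.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        note = " (limited by a Condition; review it)" if "Condition" in st else ""
        out.append(f"policy allows {', '.join(actions)} to Principal *{note}")
    return out


def audit_bucket(name: str, acl: Dict[str, Any], policy_document: Optional[str],
                 public_access_block: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    """Return the misconfigurations found and whether they are actually reachable.

    With all four Public Access Block settings on, S3 ignores public ACLs and
    restricts public policies to the owning account, so the bucket is not exposed
    even though the stale grants should still be removed."""
    findings = acl_findings(acl) + policy_findings(policy_document)
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    fully_blocked = all(pab.get(k) for k in PAB_KEYS)
    return {"bucket": name, "findings": findings, "exposed": bool(findings) and not fully_blocked}


# Constructed inputs (not real buckets).
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"}, "Permission": "FULL_CONTROL"}
OPEN_ACL = {"Owner": {"ID": "0123456789abcdef"},
            "Grants": [OWNER_GRANT, {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"}]}
PRIVATE_ACL = {"Owner": {"ID": "0123456789abcdef"}, "Grants": [OWNER_GRANT]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-open/*"}]})
FULL_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}

if __name__ == "__main__":
    for result in (audit_bucket("example-open", OPEN_ACL, OPEN_POLICY, None),
                   audit_bucket("example-private", PRIVATE_ACL, None, FULL_PAB),
                   audit_bucket("example-blocked", OPEN_ACL, OPEN_POLICY, FULL_PAB)):
        print(result)
```

Run it across every bucket in an account (one `list_buckets` call plus the three per-bucket calls) and treat `exposed` as the paging condition and any non-empty `findings` as cleanup work, since a bucket whose only protection is the Public Access Block is one settings change away from being open again.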
The last concern about public cloud security—that attacks can cross the “kill chain” into the cloud and gain access to sensitive data—is a big one. As Oltsik explains it, it’s when hackers either use the cloud as a way to access data on-premises or compromise a user through a phishing, social engineering or other attack, using that vector to access data in the cloud. It’s a complicated problem, but there are ways around it, he said.
“You have to understand what your users and developers are doing and what constitutes normal behavior to be able to spot anomalies and understand how they impact things that are downstream like application and data,” he explained. “In other words, understand the kill chain: how what happens in one place can impact what happens in another.”
One of the best ways to understand and monitor the kill chain is by using the MITRE ATT&CK Framework, a knowledge base of the tactics and techniques that attackers use when compromising organizations, he added.
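Oltsik's SIEM correlation rule ("if someone performs steps one, two and three consecutively") and his advice to reason about the kill chain across environments come down to the same detection pattern: an ordered sequence of events by one principal inside a time window. The following is an added example for this article, not code from the article, from ESG or from any SIEM vendor. It implements that sequence correlation over constructed CloudTrail-style events; the field names, the three-step chain (console login without MFA, a new access key, then S3 reads), the 30-minute window and the ATT&CK references in the comments are assumptions chosen for illustration, not a rule recommended by the article.

```python
"""Sequence correlation over CloudTrail-like events, the way a SIEM rule would do it.

Added example for this article (not the article's, ESG's or a SIEM product's code).
Event layout, the chain definition, the window and the ATT&CK notes are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable, Dict, List

Event = Dict[str, str]
Step = Callable[[Event], bool]

# Constructed sample events (not real logs). Fields mirror CloudTrail's eventName,
# userIdentity.userName, sourceIPAddress and additionalEventData.MFAUsed.
SAMPLE_EVENTS: List[Event] = [
    # alice: MFA-backed session that touches S3 -> no chain
    {"time": "2019-08-01T09:00:00Z", "user": "alice", "eventName": "ConsoleLogin", "mfa": "Yes", "ip": "203.0.113.10"},
    {"time": "2019-08-01T09:05:00Z", "user": "alice", "eventName": "ListBuckets", "mfa": "Yes", "ip": "203.0.113.10"},
    # bob: login without MFA, mints a key, reads S3 within minutes -> full chain
    {"time": "2019-08-01T10:00:00Z", "user": "bob", "eventName": "ConsoleLogin", "mfa": "No", "ip": "198.51.100.7"},
    {"time": "2019-08-01T10:02:00Z", "user": "bob", "eventName": "CreateAccessKey", "mfa": "No", "ip": "198.51.100.7"},
    {"time": "2019-08-01T10:04:00Z", "user": "bob", "eventName": "ListBuckets", "mfa": "No", "ip": "198.51.100.7"},
    {"time": "2019-08-01T10:06:00Z", "user": "bob", "eventName": "GetObject", "mfa": "No", "ip": "198.51.100.7"},
    # carol: steps two and three without step one -> no chain
    {"time": "2019-08-01T15:00:00Z", "user": "carol", "eventName": "CreateAccessKey", "mfa": "Yes", "ip": "192.0.2.5"},
    {"time": "2019-08-01T15:01:00Z", "user": "carol", "eventName": "GetObject", "mfa": "Yes", "ip": "192.0.2.5"},
    # dave: all three steps, but the last one lands outside a 30-minute window -> no chain
    {"time": "2019-08-01T12:00:00Z", "user": "dave", "eventName": "ConsoleLogin", "mfa": "No", "ip": "192.0.2.9"},
    {"time": "2019-08-01T12:10:00Z", "user": "dave", "eventName": "CreateAccessKey", "mfa": "No", "ip": "192.0.2.9"},
    {"time": "2019-08-01T13:00:00Z", "user": "dave", "eventName": "GetObject", "mfa": "No", "ip": "192.0.2.9"},
]

# The chain: each step is a predicate on one event, matched strictly in order.
KILL_CHAIN: List[Step] = [
    lambda e: e["eventName"] == "ConsoleLogin" and e.get("mfa") != "Yes",  # valid account, weak auth (ATT&CK T1078)
    lambda e: e["eventName"] in {"CreateAccessKey", "AttachUserPolicy"},   # persistence / privilege change
    lambda e: e["eventName"] in {"ListBuckets", "GetObject"},              # reach cloud storage (ATT&CK T1530)
]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events: List[Event], steps: List[Step], window: timedelta, key: str = "user") -> List[dict]:
    """One alert per principal that completes every step, in order, inside `window`.
    A step arriving after the window expires discards the partial chain and rearms."""
    by_principal: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_principal[ev[key]].append(ev)

    alerts = []
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: _ts(e["time"]))  # sources rarely deliver in order
        progress, started, chain = 0, None, []
        for ev in evs:
            now = _ts(ev["time"])
            if started is not None and now - started > window:
                progress, started, chain = 0, None, []        # window expired: restart
            if steps[progress](ev):
                started = started or now
                chain.append(ev["eventName"])
                progress += 1
                if progress == len(steps):
                    alerts.append({"principal": principal, "start": started, "end": now, "chain": chain})
                    progress, started, chain = 0, None, []    # emit once, then rearm
    return alerts


def run_example(window_minutes: int = 30) -> List[dict]:
    return correlate(SAMPLE_EVENTS, KILL_CHAIN, timedelta(minutes=window_minutes))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The same skeleton carries over to on-premises telemetry: swap the predicates for a VPN login, a new local admin and an SMB share enumeration, key on the account, and the rule expresses the cross-environment kill chain Oltsik describes. Tuning lives in the window and in the predicates, which is where careless-but-benign behaviour (an admin who skipped MFA once) is separated from an intrusion.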
The Problem with Legacy Security Tools
All three reports stressed the fact that security tools designed for on-premises environments are not inherently portable to cloud environments. As the Check Point report put it, “Legacy security tools are not designed for the dynamic, distributed, virtual environments of the cloud. Sixty-six percent of respondents say traditional security solutions either don’t work at all or provide limited functionality in cloud environments.”
That’s true, but there are ways around it, Oltsik said. Organizations with major investments in on-premises security tools, for example, probably don’t want to scrap those tools and buy new ones. Instead, they can deploy agents in the cloud, creating a hybrid between a traditional security control and a cloud security control.
But that’s a stopgap measure. ESG research finds that enterprises prefer tools purpose-built for the cloud, as long as those tools integrate with traditional tools.
“You don’t want to have to replicate policy, the data you collect and enforcement rules,” Oltsik said. “But the cloud is a different environment and the way you monitor and control it is different, so you sort of need to be open to a different model to the cloud as long as it fits into your overall security strategy.”
But longer term—generally within three years—enterprises will push for integration.
“It’s not uncommon today to have an investment in your on-premises data center and applications in multiple clouds,” Oltsik said. “It’s going to be a heterogeneous world, and that means you want security tools that can fit in all of those environments consistently. You want to be able to have access to workloads and data without having to write four rules based on where that data lives and where the workloads are.”
ESG has found that organizations tend to start with stand-alone cloud security tools and integrate them into their environments over the next few years. “That’s why you see vendors like Cisco, Palo Alto and Check Point acquiring born-in-the-cloud tools and integrating them into their architectures,” he said.