Five strategies to boost your existing cloud security
Analysis and research on the state of cloud security has become richer and more prescriptive. Some security firms now provide services specifically to users of AWS, Azure, and Google Cloud. One such firm is RedLock, which employs a Cloud Security Intelligence (CSI) team to examine and report on emerging threats and best practices. A close reading of their most recent Cloud Security Trend report, released in May 2018, suggests several strategies you can use to back up defenses you already have in place.
Beef up your security forensics
The complexity of hybrid IT has shifted security from a prevention-oriented discipline to one more dependent on detection and forensics. In June 2018, after extensive investigation, Tesla acknowledged that an insider with privileged access used a false username to make direct code changes to the company’s Manufacturing Operation System and export large amounts of highly sensitive data to unknown third parties, even after the insider left the company. The attacker had apparently moved inside the organization without detection for many months.
Privileged access management is critical for organizations to protect sensitive information. Every organization should have a least-privilege policy and police it. But this story also points out the importance of having advanced forensics in place to discover and detect any unapproved access. Bad actors have become more skilled at disguising their activity. That means our security efforts need to focus more on anomaly detection, event correlation, and forensics analysis.
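The kind of correlation this section calls for can be prototyped in a few rules over an access log joined with the identity directory. The following Go program is an added example, not code from the article or from RedLock; the log format, the user names and the three rules (activity after offboarding, a sensitive action by an unprivileged account, a sensitive action outside working hours) are constructed for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// AuditEvent is one record from an access log (constructed sample format,
// not any particular vendor's schema).
type AuditEvent struct {
	User      string
	Action    string
	Resource  string
	Timestamp time.Time
}

// Identity is what the directory knows about an account: whether it is
// privileged and when (if ever) it was offboarded.
type Identity struct {
	Privileged bool
	Offboarded time.Time // zero value means still active
}

// Finding is one suspicious event together with the rule that flagged it.
type Finding struct {
	Rule  string
	Event AuditEvent
}

// sensitiveActions are operations expected only from privileged, active users.
var sensitiveActions = map[string]bool{"code.change": true, "data.export": true}

// DetectAnomalies applies three rules to a stream of audit events:
//  1. any activity by an account after its offboarding date
//  2. a sensitive action by an account not marked privileged
//  3. a sensitive action outside the 06:00-20:00 (UTC) working window
// Accounts absent from the directory are flagged outright: a "false
// username" is exactly an identity that provisioning never created.
func DetectAnomalies(events []AuditEvent, directory map[string]Identity) []Finding {
	var findings []Finding
	for _, ev := range events {
		id, known := directory[ev.User]
		if !known {
			findings = append(findings, Finding{"unknown-user", ev})
			continue
		}
		if !id.Offboarded.IsZero() && ev.Timestamp.After(id.Offboarded) {
			findings = append(findings, Finding{"activity-after-offboarding", ev})
		}
		if sensitiveActions[ev.Action] {
			if !id.Privileged {
				findings = append(findings, Finding{"sensitive-action-unprivileged", ev})
			}
			if h := ev.Timestamp.UTC().Hour(); h < 6 || h >= 20 {
				findings = append(findings, Finding{"sensitive-action-off-hours", ev})
			}
		}
	}
	return findings
}

// SampleEvents returns a constructed log: a routine change, a night-time
// export by an account offboarded days earlier, and an export from an
// account that nobody provisioned.
func SampleEvents() ([]AuditEvent, map[string]Identity) {
	day := func(d, h int) time.Time { return time.Date(2018, 6, d, h, 0, 0, 0, time.UTC) }
	events := []AuditEvent{
		{"alice", "code.change", "mos/build", day(1, 10)},
		{"bob", "data.export", "mos/reports", day(15, 2)},
		{"svc-deploy2", "data.export", "mos/reports", day(16, 3)},
	}
	directory := map[string]Identity{
		"alice": {Privileged: true},
		"bob":   {Privileged: true, Offboarded: day(10, 17)},
	}
	return events, directory
}

func main() {
	events, directory := SampleEvents()
	for _, f := range DetectAnomalies(events, directory) {
		fmt.Printf("%-28s %-12s %-12s %s\n", f.Rule, f.Event.User, f.Event.Action,
			f.Event.Timestamp.Format(time.RFC3339))
	}
}
```

The point of joining the log to the directory, rather than looking at the log alone, is that two of the three findings (a departed user still active, a user who was never provisioned) are invisible without it; that join is the minimum "event correlation" a forensics pipeline needs.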
Set alerts for risky cloud configurations
Data exposures continue to make headlines in 2018 with major firms such as FedEx and MyFitnessPal (Under Armour) leaving massive amounts of customer data exposed on unsecured cloud storage resources. On average, RedLock found that 51% of the organizations they monitor had publicly exposed at least one cloud storage service. In February 2018, security researchers at Kromtech discovered FedEx had inadvertently exposed customer passports, driver's licenses, and security IDs on “leaky” Amazon S3 database instances. Why were they leaking? Because proper access controls were not configured during implementation. Despite Amazon’s efforts to help customers detect misconfigurations of cloud resources, the problem persists.
Even though you may have outsourced compute and storage resources to a cloud provider, you are still responsible for making sure security over those resources is implemented correctly. Don’t accept the defaults in your cloud instances and management systems. If you are offered a more secure process for data protection by your provider, use it. RedLock is advising their clients to implement policy guardrails that ensure configurations adhere to industry standards, issue alerts when configurations change, and automatically resolve any violations.
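A "no public storage" guardrail of the kind described above reduces to a check over each bucket's ACL grants and bucket policy. The Go program below is an added example, not the article's or RedLock's code: the inventory format is a constructed export, and the grantee URIs and policy shape only mirror the general form of S3 ACL and bucket-policy documents. It assumes, as S3 does, that a provider-level block-public-access setting overrides a permissive ACL or policy, so buckets with that setting pass.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Bucket is a simplified view of one bucket's access configuration
// (constructed inventory format, not the provider's API response).
type Bucket struct {
	Name              string          `json:"name"`
	BlockPublicAccess bool            `json:"block_public_access"`
	Grants            []Grant         `json:"grants"`
	Policy            json.RawMessage `json:"policy"`
}

// Grant is one ACL entry: who is granted which permission.
type Grant struct {
	GranteeURI string `json:"grantee_uri"`
	Permission string `json:"permission"`
}

// policyDoc is the subset of an IAM-style policy needed for the check.
type policyDoc struct {
	Statement []struct {
		Effect    string      `json:"Effect"`
		Principal interface{} `json:"Principal"`
		Condition interface{} `json:"Condition"`
	} `json:"Statement"`
}

// publicGrantees are the predefined groups that make an ACL world-readable.
var publicGrantees = map[string]bool{
	"http://acs.amazonaws.com/groups/global/AllUsers":           true,
	"http://acs.amazonaws.com/groups/global/AuthenticatedUsers": true,
}

// isWildcardPrincipal reports whether Principal is "*" or {"AWS": "*"}.
func isWildcardPrincipal(p interface{}) bool {
	switch v := p.(type) {
	case string:
		return v == "*"
	case map[string]interface{}:
		if aws, ok := v["AWS"].(string); ok && aws == "*" {
			return true
		}
	}
	return false
}

// Violation names a guardrail breach on one bucket and the fix to apply.
type Violation struct {
	Bucket, Rule, Remediation string
}

// CheckBucket evaluates the guardrail: every public ACL grant and every
// unconditional Allow statement with a wildcard principal is a violation,
// unless block-public-access already neutralises them.
func CheckBucket(b Bucket) []Violation {
	if b.BlockPublicAccess {
		return nil
	}
	var out []Violation
	for _, g := range b.Grants {
		if publicGrantees[g.GranteeURI] {
			out = append(out, Violation{b.Name, "public-acl-" + g.Permission,
				"remove the public grant and enable block-public-access"})
		}
	}
	var pd policyDoc
	if len(b.Policy) > 0 && json.Unmarshal(b.Policy, &pd) == nil {
		for _, st := range pd.Statement {
			// A statement with any Condition is left for human review rather
			// than auto-flagged; conditions often restrict the principal.
			if st.Effect == "Allow" && isWildcardPrincipal(st.Principal) && st.Condition == nil {
				out = append(out, Violation{b.Name, "public-policy-statement",
					"scope the Principal or add a Condition, then enable block-public-access"})
			}
		}
	}
	return out
}

// SampleInventory is a constructed export of three buckets.
const SampleInventory = `[
  {"name": "customer-docs", "block_public_access": false,
   "grants": [{"grantee_uri": "http://acs.amazonaws.com/groups/global/AllUsers", "permission": "READ"}],
   "policy": null},
  {"name": "static-site", "block_public_access": false, "grants": [],
   "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                            "Resource": "arn:aws:s3:::static-site/*"}]}},
  {"name": "backups", "block_public_access": true,
   "grants": [{"grantee_uri": "http://acs.amazonaws.com/groups/global/AllUsers", "permission": "READ"}],
   "policy": null}
]`

// CheckInventory parses the export and returns every violation found.
func CheckInventory(raw string) ([]Violation, error) {
	var buckets []Bucket
	if err := json.Unmarshal([]byte(raw), &buckets); err != nil {
		return nil, err
	}
	var all []Violation
	for _, b := range buckets {
		all = append(all, CheckBucket(b)...)
	}
	return all, nil
}

func main() {
	violations, err := CheckInventory(SampleInventory)
	if err != nil {
		panic(err)
	}
	for _, v := range violations {
		fmt.Printf("%s: %s -> %s\n", v.Bucket, v.Rule, v.Remediation)
	}
}
```

Run against a real export, the same check would sit in a scheduled job or a configuration-change hook, with each Violation's Remediation field driving the automatic fix the text mentions; the "backups" bucket shows why the provider-level block is the setting to enforce first, since it makes a later ACL mistake harmless.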
Encrypt sensitive data stored in the cloud
In addition to reviewing resource configurations, you should also consider encrypting sensitive data stored in the cloud to provide another speed bump against accidental disclosure. RedLock found many more organizations securing their cloud databases this year, with only 49% of databases not encrypted, compared to 82% last year. Encryption is an important security safeguard and can help meet the requirements of regulations such as HIPAA, PCI-DSS, and GDPR.
Some cloud providers automatically encrypt data at rest, but it is the data owners who are held responsible by regulators for ensuring data privacy. This is why the Cloud Security Alliance recommends that data be encrypted before it passes from the enterprise to the cloud provider and remain encrypted in transit, at rest, and in use.
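Encrypting before the data leaves the enterprise means the provider only ever stores ciphertext, a nonce and a key identifier; the key stays with the data owner. The Go program below is an added example, not code from the article or the Cloud Security Alliance. It uses AES-256-GCM from the standard library, binds the object name as associated data so a ciphertext cannot be quietly re-filed under another name, and shows that a tampered copy is rejected rather than decrypted to garbage. The key identifier, object name and record contents are constructed placeholders; a real deployment would fetch the key from an on-premises KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedObject is what actually gets uploaded: ciphertext (with its GCM
// tag), the nonce, and an identifier of the key, never the key itself.
type EncryptedObject struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// Encrypt seals plaintext with AES-256-GCM under a key held on premises.
// objectName is authenticated as associated data, so decryption under a
// different name fails.
func Encrypt(key []byte, keyID, objectName string, plaintext []byte) (*EncryptedObject, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(objectName))
	return &EncryptedObject{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt opens the object; any change to ciphertext, nonce or object name
// fails the authentication tag and returns an error.
func Decrypt(key []byte, objectName string, obj *EncryptedObject) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, obj.Nonce, obj.Ciphertext, []byte(objectName))
	if err != nil {
		return nil, errors.New("object failed authentication: " + err.Error())
	}
	return pt, nil
}

// NewKey generates a random 256-bit key. In practice the key lives in an
// on-premises KMS/HSM and only its KeyID travels with the data.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// RoundTrip runs the workflow end to end: encrypt before upload, decrypt on
// retrieval, and confirm a bit-flipped copy is refused. It returns whether
// the genuine copy decrypted correctly and whether the tampered copy was rejected.
func RoundTrip(record []byte) (genuineOK bool, tamperRejected bool, err error) {
	key, err := NewKey()
	if err != nil {
		return false, false, err
	}
	const name = "patients/1234.json" // placeholder object name
	obj, err := Encrypt(key, "kms-key-0001", name, record)
	if err != nil {
		return false, false, err
	}
	// Simulated upload and download: the provider only ever holds obj.
	pt, err := Decrypt(key, name, obj)
	genuineOK = err == nil && string(pt) == string(record)

	tampered := *obj
	tampered.Ciphertext = append([]byte(nil), obj.Ciphertext...)
	tampered.Ciphertext[0] ^= 0x01 // one flipped bit in storage
	_, err = Decrypt(key, name, &tampered)
	tamperRejected = err != nil
	return genuineOK, tamperRejected, nil
}

func main() {
	ok, rejected, err := RoundTrip([]byte(`{"ssn":"000-00-0000"}`)) // constructed record
	fmt.Println("genuine decrypted:", ok, "tampered rejected:", rejected, "err:", err)
}
```

Because the nonce is random per object, the same record encrypted twice yields different ciphertext, and because the key never reaches the provider, a misconfigured bucket of the kind discussed in the previous section exposes only ciphertext.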
Restrict outbound traffic
Earlier this year, RedLock researchers discovered hundreds of Kubernetes administration consoles accessible over the internet without any password protection. Within these Kubernetes consoles, access credentials to the companies’ AWS and Azure clouds were exposed. This allowed hackers to access virtual machines paid for by these companies and hijack those resources for crypto mining.
Unauthorized use of virtual servers poses a threat by offering hackers the ability to steal sensitive data or take over your command and control systems. Many attacks use a technique to trick your firewall into opening up an outgoing connection to an outside host managed by the attacker. This works because outgoing connections are less scrutinized than incoming connections. To increase control, you can limit the amount of outbound traffic allowed from environments with sensitive customer data.
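Limiting outbound traffic in practice means an egress allowlist per environment: a short list of destination networks and ports that workloads may reach, with everything else dropped and logged. The Go program below is an added example, not code from the article or RedLock. It evaluates constructed flow-log records against such an allowlist and returns the flows that would be denied, which is both what the filter should block and what a detection rule should alert on. The environment names, rule table, and flow-log format are assumptions made for the example; the public IPs are from documentation ranges.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// EgressRule permits outbound connections from one environment to a
// destination CIDR on one port. Anything not matched by a rule is denied.
type EgressRule struct {
	Environment string
	DestCIDR    *net.IPNet
	Port        int
}

// Flow is one outbound connection attempt as a flow log records it.
type Flow struct {
	Environment, SrcIP, DstIP string
	DstPort                   int
}

// MustCIDR parses a CIDR for a static rule table, panicking on a typo so
// that a malformed rule can never silently allow nothing or everything.
func MustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// SampleRules is a constructed allowlist: the environment holding card data
// may reach only the internal database subnet and an internal egress proxy;
// the web tier may reach the internet on 443.
var SampleRules = []EgressRule{
	{"pci-data", MustCIDR("10.0.0.0/8"), 5432},
	{"pci-data", MustCIDR("10.20.0.0/16"), 443},
	{"web", MustCIDR("0.0.0.0/0"), 443},
}

// Allowed reports whether a flow matches any rule for its environment.
func Allowed(rules []EgressRule, f Flow) bool {
	ip := net.ParseIP(f.DstIP)
	if ip == nil {
		return false // unparseable destination is never allowed
	}
	for _, r := range rules {
		if r.Environment == f.Environment && r.Port == f.DstPort && r.DestCIDR.Contains(ip) {
			return true
		}
	}
	return false
}

// ParseFlowLog reads "env src dst port" lines (constructed format), skipping
// blank lines, comments and malformed records.
func ParseFlowLog(log string) []Flow {
	var flows []Flow
	for _, line := range strings.Split(log, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 4 || strings.HasPrefix(fields[0], "#") {
			continue
		}
		port, err := strconv.Atoi(fields[3])
		if err != nil {
			continue
		}
		flows = append(flows, Flow{fields[0], fields[1], fields[2], port})
	}
	return flows
}

// DeniedFlows returns every flow the allowlist would block.
func DeniedFlows(rules []EgressRule, flows []Flow) []Flow {
	var denied []Flow
	for _, f := range flows {
		if !Allowed(rules, f) {
			denied = append(denied, f)
		}
	}
	return denied
}

// SampleLog is a constructed flow log: two legitimate pci-data flows, a
// direct connection from pci-data to an internet host, a connection to an
// unusual port, and a normal web-tier flow.
const SampleLog = `# env src dst port
pci-data 10.30.1.10 10.0.1.5 5432
pci-data 10.30.1.10 10.20.3.4 443
pci-data 10.30.1.11 203.0.113.7 443
pci-data 10.30.1.11 198.51.100.9 4444
web 10.40.0.2 203.0.113.7 443`

func main() {
	for _, f := range DeniedFlows(SampleRules, ParseFlowLog(SampleLog)) {
		fmt.Printf("DENY %s %s -> %s:%d\n", f.Environment, f.SrcIP, f.DstIP, f.DstPort)
	}
}
```

The two denied flows are the ones a permissive default would have let through unnoticed: a sensitive-data host reaching the internet directly instead of through the proxy, and a connection on a port no rule mentions. Routing the denied list into the detection pipeline turns the firewall policy itself into a source of high-signal alerts.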
Implement vulnerability scanning
While many organizations conduct rigorous vulnerability scanning on their data center infrastructure, the same cannot be said for their cloud-based resources. In their report, RedLock noted 24% of its clients were missing critical patches for their clouds and 39% of the hosts examined by Amazon’s GuardDuty service since its launch in November 2017 exhibited activity associated with compromise or reconnaissance by attackers. Those numbers are too high to ignore considering the potential impact of a breach on compliance, reputation, and revenue.
The ephemeral nature of cloud instances makes it hard to identify resources communicating with suspicious IPs, and familiar tools may not work in cloud environments. This means public cloud users must find other methods to ensure vulnerabilities are detected and prioritized. With access to packet data from a cloud visibility solution like Ixia CloudLens, cloud users can more easily develop behavioral baselines and sniff out malicious activity.
Maintaining cloud security in 2018 is complex, which is why it is necessary to implement strategies that strengthen cloud security and limit the risk of attack or data breach.