Protecting your 'digital jewels' from new public cloud threats
Not long ago, one of the most difficult challenges for cloud services providers (CSPs) was to convince organisations that it was safe to move their data from the security of their own server rooms.

Today, one of the cloud's strongest selling points is secure access to enterprise-grade compute services available to businesses on a utility basis. But as organisations of all sizes embrace the cloud and set aside their concerns over data security, few are aware of a new generation of insidious threats that target the biggest CSPs and their users.

The problem with placing your organisation's digital crown jewels in the public cloud is that you must rely on the CSP's own security controls to identify and stop attackers.

Last year, there were several high-profile public cloud cyber-breaches where attackers exploited stolen credentials and poorly secured access routes into the cloud to steal sensitive customer data. 

The successful hacks against OneLogin and Verizon highlight how attackers can target a customer from outside the victim's network using stolen account credentials and API keys, and exfiltrate consumer and corporate data – all without the customer realising they'd been compromised.

The problem with the legacy approach to securing compute workloads in the cloud is that the services and infrastructure underpinning them operate as walled gardens into which customers have no visibility.

As organisations move more of their IT estate to the cloud and use platform and infrastructure as a service – such as serverless compute, storage and backup – they are required to trust whatever security mechanisms are being used.

No one should ever claim that CSPs are complacent about security. Collectively, they spend billions of dollars each year to develop strong defences against a massive variety of rapidly evolving threats.

What their customers should question – and what worries us – is that just replicating the use of private network security tools often leaves certain aspects of cloud security unanswered.

To defeat increasingly sophisticated attackers, including those financed and resourced by nation states, security tools need unobstructed visibility into cloud events that occur outside explicit cloud workloads.

The hidden stealthy threat to public cloud

Understandably, we often focus our security attention on the location of applications and data, with attacks similarly focused on where such valuable assets reside.

In traditional enterprise IT, digital assets were typically located in private data centres, on infrastructure, and in systems under direct, unilateral control. When moved to the cloud, the location of the app and data becomes more nebulous and riddled with dangerous blind spots. 

Where once the focus was monitoring and containing a plethora of unknown and unpredictable devices, the challenge now lies in the application interfaces and cloud credentials that serve the site and its data to the user.

Communication to and within cloud services contains sensitive, high-value content. If that communication is compromised – either by spoofing users into handing over valuable information in the belief they are accessing a legitimate site, or by surreptitiously using spyware – then the walls that protect the cloud kingdom will come crashing down.

Replicating traditional endpoint security by placing security tools into cloud workloads isn't sufficient to counter today's increasingly sophisticated threats. Stolen keys can be used from anywhere, undetected and independently of the enterprise network, to access CSP services.

Armed with admin credentials to the shared storage platform service used by cloud apps, attackers can access, alter, steal and delete data, without touching the workload. And it's very likely that the data's owner will never even know.

The attacks against Verizon and OneLogin, both of which involved hackers compromising data held in Amazon Web Services (AWS) infrastructure, highlight two critical questions.

First, how did the world's largest CSP fall victim to cyber-attackers, despite the staggering resources it pours into security? And second, how could these massive data breaches go unnoticed for months?

Security researchers believe that these attacks have been going on for quite some time, but the scale of the problem is impossible to determine since there is no way to detect when a breach occurs.

No blind spots, better security

Public cloud platform services are an attack surface that many people are not yet fully considering. As enterprises continue to move more of their operations into the cloud, our industry needs to educate them about the scale of these new threats – and, more importantly, what to do about them.

Right now, few security solutions tie the public cloud into enterprise security architectures. Instead, the job falls to security professionals who still rely on the old data centre mindset of monitoring workloads and networks. Nobody is paying attention to the malicious behaviour of attackers.

Cloud providers might provide the right tools, but fail to educate their customers about the best way of using them. The lack of guidance over the best use of keys and serverless compute services is a perfect example of this.

Moving beyond the current impasse requires CSPs and security providers to better educate the security operations professionals who are responsible for protecting their own data, as well as that of their customers. It is also vital to enhance collaboration with third-party security providers to develop and deploy new generations of security tools to combat these threats.

By nature, Platform as a Service (PaaS) tools like storage, backup, and database are abstracted and run on infrastructure outside the data owner's sight and control and can be accessed from anywhere. Unimpeded visibility and integration with holistic enterprise security capabilities are required to effectively monitor PaaS access and usage.

Driven by AI, automated threat detection and response solutions are gaining in popularity. They enable security operations teams to continuously hunt for attacker behaviours at speed and scale, revealing early indicators of compromise.
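The two passages above make one concrete point: a stolen access key can read, alter or delete data in a storage platform service from anywhere, so the only place that activity is visible is the provider's own platform-level audit trail, not the workload. The following is an added example, not code from the original article or from Vectra, of the kind of check a security operations team can run over that audit trail. It assumes records shaped like AWS CloudTrail events (the field names `eventSource`, `eventName`, `sourceIPAddress` and `userIdentity.accessKeyId` are CloudTrail's; the values, the access key IDs, the bucket name and the "trusted" address ranges are all constructed for this example) and flags any key used from outside the enterprise's known networks, bulk reads and destructive operations from such sources.

```python
"""Surface stolen-key activity against a storage platform service from
constructed, CloudTrail-style audit records (added example, not the page's code)."""
import ipaddress
import json
from collections import defaultdict

# Assumption: the address ranges this enterprise treats as its own. These are the
# RFC 5737 documentation ranges, used here purely as constructed stand-ins.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # constructed: corporate egress
    ipaddress.ip_network("198.51.100.0/24"),  # constructed: CI/CD runners
]

# Storage-level operations that touch data directly, bypassing any workload.
READ_EVENTS = {"GetObject", "ListObjects", "ListObjectsV2", "CopyObject"}
DESTRUCTIVE_EVENTS = {"DeleteObject", "DeleteObjects"}

# Constructed sample records, one JSON object per line. Key IDs, IPs, times and the
# bucket name are invented; the record shape follows CloudTrail.
SAMPLE_LOG = """
{"eventTime":"2018-01-15T09:01:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE0001"},"requestParameters":{"bucketName":"example-customer-exports"}}
{"eventTime":"2018-01-15T09:02:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE0001"},"requestParameters":{"bucketName":"example-customer-exports"}}
{"eventTime":"2018-01-15T23:40:00Z","eventSource":"s3.amazonaws.com","eventName":"ListObjects","sourceIPAddress":"192.0.2.77","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE0002"},"requestParameters":{"bucketName":"example-customer-exports"}}
{"eventTime":"2018-01-15T23:41:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"192.0.2.77","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE0002"},"requestParameters":{"bucketName":"example-customer-exports"}}
{"eventTime":"2018-01-15T23:41:05Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"192.0.2.77","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE0002"},"requestParameters":{"bucketName":"example-customer-exports"}}
{"eventTime":"2018-01-15T23:41:09Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"192.0.2.77","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE0002"},"requestParameters":{"bucketName":"example-customer-exports"}}
{"eventTime":"2018-01-15T23:45:00Z","eventSource":"s3.amazonaws.com","eventName":"DeleteObject","sourceIPAddress":"192.0.2.77","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLE0002"},"requestParameters":{"bucketName":"example-customer-exports"}}
"""


def parse_records(text):
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_trusted_source(ip_text, trusted=TRUSTED_NETWORKS):
    """True only if the source address falls inside a known enterprise network.
    Non-IP sources (e.g. an AWS service name) are deliberately treated as untrusted
    so that they surface for review rather than silently passing."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def analyse(records, trusted=TRUSTED_NETWORKS, bulk_read_threshold=3):
    """Group storage-service events by access key and return findings per key.

    Returns {access_key_id: [finding, ...]} for keys with at least one finding."""
    per_key = defaultdict(lambda: {"untrusted_ips": set(),
                                   "untrusted_reads": 0,
                                   "untrusted_destructive": 0})
    for rec in records:
        # Only platform-level storage events are of interest here.
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        key = rec.get("userIdentity", {}).get("accessKeyId", "<no-key>")
        ip = rec.get("sourceIPAddress", "")
        if is_trusted_source(ip, trusted):
            continue  # activity from known networks is left to normal baselining
        stats = per_key[key]
        stats["untrusted_ips"].add(ip)
        name = rec.get("eventName")
        if name in READ_EVENTS:
            stats["untrusted_reads"] += 1
        if name in DESTRUCTIVE_EVENTS:
            stats["untrusted_destructive"] += 1

    findings = {}
    for key, s in per_key.items():
        hits = []
        if s["untrusted_ips"]:
            hits.append("key_used_outside_trusted_networks")
        if s["untrusted_reads"] >= bulk_read_threshold:
            hits.append("bulk_read_from_untrusted_source")
        if s["untrusted_destructive"]:
            hits.append("destructive_op_from_untrusted_source")
        if hits:
            findings[key] = hits
    return findings


if __name__ == "__main__":
    for key, hits in analyse(parse_records(SAMPLE_LOG)).items():
        print(key, "->", ", ".join(hits))
```

Run as written, the key used from the corporate range produces nothing, while the second key is reported for use outside trusted networks, a burst of reads and a delete. The point of the check is where it runs: entirely on the provider's audit records, because none of this activity passes through the workload or the enterprise network. The fixed address list and the read threshold are placeholders for what a production system would learn per key from history (usual source networks, regions, volumes and times of day).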

There is no such thing as a perfect defence. But what escapes most enterprise IT organisations is that attackers are probably already inside the network. They hide by blending in with normal user traffic or in encrypted communications. And they hide in workloads where CSPs have zero visibility.

With implementation of the GDPR now only months away, enterprises need to undertake an extremely robust review of their cloud estate: one that covers their potential exposure to current and future threats, what their CSP is doing to combat them, and how they themselves can gain visibility and actionable insight.

Together, our industry has the expertise to ensure that we can make the cloud as secure as it can be, and to defeat the majority of the most determined attackers. It is critical to identify, understand and respond early to security incidents before they become catastrophic data breaches.

To reach this point, however, we need to take an honest look at how we are working together to develop the best possible set of security tools and approaches – and ensure that enterprises are deploying them effectively.

Contributed by Matt Walmsley, EMEA director, Vectra 

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.