Blueprint for protecting in the cloud

by Mark Rowe

Rapid innovation is driving organisations to adopt cloud services as critical infrastructure. Cloud acceleration has become a boardroom issue, with non-technical leaders often being vocal proponents of cloud as the route to achieving wide-ranging business objectives. However, cloud innovation can introduce security risks if rushed, says Frank Kim, Fellow and Lead for the Cloud Security and Security Leadership curricula, SANS Institute; and CISO-in-Residence, YL Ventures.

Cloud service providers are constantly improving their native security offerings, and businesses may be tempted to rely on those services alone. The most effective approaches, however, rely on enterprise security teams building expertise and capabilities in-house and using them to run a proactive security programme. Security professionals need time and resources to ensure appropriate protection for the business. Here is how they can help their business forge a solid foundation for secure and effective cloud acceleration.

Getting started with cloud-centric threat modelling

Organisations are moving critical assets, data and processes to the cloud, which makes it an obvious target for attackers. Cybercriminals are growing savvier about how to gain initial entry, compromise accounts, escalate privileges, take advantage of misconfiguration, and much more.

Security teams need threat modelling to keep tabs on cloud attacks and their impacts. Understanding adversary tactics and techniques in cloud attack scenarios makes it possible to detect an intrusion before data or assets are exposed and to prevent lasting damage.

Cloud threat modelling, as outlined in the SANS Institute white paper ‘Cloud Security: Making Cloud Environments a Safer Place’, requires the consideration of a range of factors: adversaries, attack techniques, outcomes and risks, and countermeasures. It is also a structured exercise. First, define what to model threats for, such as an entire system or a single component. Second, look at threats: what can go wrong? An account hijack? A vulnerable package exploited in a container image? Third, identify the mitigations and controls that reduce or eliminate each risk. Finally, validate that the analysis has been thorough and reasonable, for example by checking that every phase of the attacker lifecycle has been considered and that every identified threat has either a countermeasure or an explicit, recorded risk acceptance.

Demystifying attackers’ strategies

Many organisations use the MITRE ATT&CK framework to help frame threats. Understanding the typical phases of an attack feeds directly into a proactive cloud threat model. For example, initial access is typically gained by exploiting a public-facing application, abusing a trusted relationship (such as a third party with delegated access to the environment), or using valid accounts whose credentials have already been obtained.

Persistence is where the attacker takes steps to ensure they can return at will, for instance by adding a second access key or credential to an account they already control. Privilege escalation is a common next goal, whether by moving to a more privileged valid account or by manipulating role and policy assignments. Alongside this, attackers use the access they have to discover other resources that may be vulnerable. Finally, collection and exfiltration move data to a location under the attacker’s control.

Modelling threats across the attacker’s entire lifecycle reveals potential weaknesses and establishes proactive security mitigations. Next, let’s look at three core pillars for mitigation.
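
The four-step process above (scope, threats, countermeasures, validation) becomes much easier to review when the model is kept as data and the validation step is a check that runs. The following is an added example, not code from the SANS white paper: the scope, threats and countermeasures are constructed for a hypothetical containerised API, the phase names are the ATT&CK tactics discussed above, and the technique IDs are public ATT&CK enterprise identifiers. The validation deliberately finds two gaps in the constructed model: no threat has been considered for the discovery phase, and the exfiltration threat has no countermeasure.

```python
"""Cloud threat model kept as data, with the 'validate' step as a runnable check.

Added example: the model below is constructed for illustration. Phase names
are ATT&CK tactics; technique IDs are public ATT&CK enterprise IDs.
"""
from dataclasses import dataclass, field

# The attacker lifecycle phases discussed in the text, in order.
LIFECYCLE = ("initial-access", "persistence", "privilege-escalation",
             "discovery", "collection", "exfiltration")


@dataclass
class Threat:
    tactic: str                 # lifecycle phase (ATT&CK tactic)
    technique: str              # ATT&CK technique ID
    description: str            # what can go wrong
    outcome: str                # what the business loses if it succeeds
    mitigations: list = field(default_factory=list)  # controls that reduce the risk


@dataclass
class ThreatModel:
    scope: str                  # step 1: what we are modelling threats for
    threats: list               # steps 2 and 3: threats and their countermeasures


def uncovered_phases(model, lifecycle=LIFECYCLE):
    """Lifecycle phases for which the model lists no threat at all."""
    covered = {t.tactic for t in model.threats}
    return [phase for phase in lifecycle if phase not in covered]


def unmitigated_threats(model):
    """Threats that have neither a countermeasure nor a recorded risk acceptance."""
    return [t for t in model.threats if not t.mitigations]


def validate(model):
    """Step 4: return findings; an empty list means the checks pass."""
    findings = [f"no threat considered for phase '{p}'" for p in uncovered_phases(model)]
    findings += [f"{t.technique} ({t.description}) has no countermeasure"
                 for t in unmitigated_threats(model)]
    return findings


# Constructed model for a hypothetical public API that runs as containers.
EXAMPLE_MODEL = ThreatModel(
    scope="public API service running as containers behind a load balancer",
    threats=[
        Threat("initial-access", "T1190", "vulnerable package in the container image exploited",
               "attacker runs code inside the API container",
               ["scan images in CI and block known-vulnerable packages", "web application firewall"]),
        Threat("initial-access", "T1078", "leaked long-lived access key used from the internet",
               "attacker acts as the deployment identity",
               ["replace static keys with the workload's attached identity",
                "alert on key use from unfamiliar source addresses"]),
        Threat("persistence", "T1098", "attacker adds a second access key to a service user",
               "access survives a password reset",
               ["alert when an access key is created for another user",
                "deny iam:CreateAccessKey except to the rotation role"]),
        Threat("privilege-escalation", "T1078", "deployment role may pass any role to compute",
               "attacker obtains administrator privileges",
               ["scope iam:PassRole to the named worker role"]),
        Threat("collection", "T1530", "bulk read of every object in the uploads bucket",
               "customer data copied",
               ["bucket policy limited to the API role", "object-level access logging"]),
        Threat("exfiltration", "T1537", "storage snapshot shared with an attacker-controlled account",
               "database copy leaves the organisation", []),   # gap: not yet mitigated
    ],
)
```

Running `validate(EXAMPLE_MODEL)` returns the two findings described in the lead-in; an empty model fails for every phase, which is the right behaviour for a check that guards the "have we been thorough?" question.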

Security Pillar #1 – Identity and Access Management

Identity and access management (IAM) defines who needs access to what and controls the entire life cycle of users and their access across resources. Mature organisations centralise identity and access wherever possible, so that one identity provider, one policy model and one audit trail cover every account and environment. A further benefit of a centralised identity approach is reduced operational overhead.

One significant cloud-driven shift in identity management is the advent of machine identities alongside traditional human identities. Machine identities include the service accounts attached to cloud VMs, cloud functions and containers. When a workload obtains short-lived credentials through its attached identity, it no longer needs long-lived static keys for programmatic actions and deployments, which removes one of the most common sources of leaked credentials.
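
Whether the permissions sit on a user key or on a workload's attached identity, the policy document itself is where least privilege is won or lost. The following is an added example, not from the article or the white paper: a small lint over an IAM policy in AWS policy JSON syntax that flags wildcard actions, unconditioned access to every resource, NotAction/NotResource grants and an unrestricted iam:PassRole (a well-known path to privilege escalation, because the caller can hand a more privileged role to a service it launches). The weak and hardened policies are constructed; the account ID 123456789012, the bucket name and the role name are placeholders.

```python
"""Least-privilege lint for an IAM policy document (AWS policy JSON syntax).

Added example: the two policies below are constructed; the account ID,
bucket and role names are placeholders.
"""
import json


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_statement(stmt, idx):
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings             # Deny statements only narrow access
    if "NotAction" in stmt or "NotResource" in stmt:
        findings.append(f"stmt {idx}: NotAction/NotResource allows everything not listed")
    actions = [a.lower() for a in _as_list(stmt.get("Action"))]
    resources = _as_list(stmt.get("Resource"))
    has_condition = bool(stmt.get("Condition"))
    for action in actions:
        if action == "*" or action.endswith(":*"):
            findings.append(f"stmt {idx}: wildcard action {action!r}")
    if "*" in resources and not has_condition:
        findings.append(f"stmt {idx}: unconditioned access to every resource")
    # iam:PassRole on any role lets the caller hand a more privileged role to a
    # service it can launch (EC2, Lambda, ...): a well-known escalation path.
    if "*" in resources and any(a in ("*", "iam:*", "iam:passrole") for a in actions):
        findings.append(f"stmt {idx}: iam:PassRole is not limited to a named role")
    return findings


def lint_policy(document):
    """Accepts the policy as a JSON string or an already-parsed dict."""
    policy = json.loads(document) if isinstance(document, str) else document
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        findings.extend(lint_statement(stmt, idx))
    return findings


# Weak: a "deployment" policy of the kind that ends up on a long-lived user key.
WEAK_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"}
  ]
}"""

# Hardened: the same job, meant to be attached to the workload's role rather
# than a user key, with named actions, named resources and PassRole pinned to
# one role and one service.
HARDENED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-uploads/*"},
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/example-app-worker",
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}}
  ]
}"""
```

`lint_policy(WEAK_POLICY)` reports four findings (two per statement) and `lint_policy(HARDENED_POLICY)` reports none. The lint is deliberately conservative: a Resource of `*` is tolerated only when a Condition narrows it, because some actions (such as ec2:RunInstances above) have no resource-level ARN worth naming.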

Security Pillar #2 – Data Security

A sound data security strategy for the cloud is a fundamental requirement. Undoubtedly, one of the most important controls for data protection in the cloud is encryption, and cloud providers can apply encryption at scale with little effort on the customer’s part. For some organisations this automatic, provider-managed encryption will prove sufficient. In many other cases data protection will need to be more specific: transparent encryption at rest protects against loss of the underlying storage media, but not against a compromised identity that already holds read permissions, which is where customer-managed keys, tighter key policies and application-level encryption of sensitive fields come in.

Another key factor is secrets management. Managing sensitive secrets (encryption keys, API keys, passwords and other credentials) has proven immensely challenging for most organisations; unless their storage and rotation are handled centrally, secrets end up in source repositories, container images, configuration files and logs. Data Loss Prevention (DLP) is also essential, and many organisations turn to DLP tools and services, which can be notoriously difficult to implement and maintain.
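
A first, cheap check for both the secrets-management and the DLP problem is to scan what the organisation already emits (build logs, configuration files, container layers) for credentials. The following is an added example, not the article's or any vendor's tool: a scanner that matches the fixed public format of AWS access key IDs and credential-looking assignments, reports a Shannon entropy score for triage, and redacts the value so the scanner's own output does not become another leak. The sample text is constructed; the two AWS keys in it are the placeholder example keys that AWS publishes in its documentation, and the 8-character minimum value length is an assumed threshold.

```python
"""Credential scanner for logs and configuration text.

Added example: the sample text below is constructed. The AWS access key ID and
secret key in it are AWS's published documentation placeholders, not real keys.
"""
import math
import re
from dataclasses import dataclass

# AWS access key IDs have a fixed, public format (AKIA... for long-lived keys,
# ASIA... for temporary ones), so they can be matched structurally.
AWS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# Assignments whose name suggests a credential: name, separator, then a quoted
# or bare value.
KEYWORD_ASSIGN = re.compile(
    r"(?i)(password|passwd|secret|token|api_key|apikey|private_key)\w*\s*[=:]\s*"
    r"(?P<val>\"[^\"]*\"|'[^']*'|\S+)"
)

MIN_VALUE_LEN = 8   # assumed threshold: ignores short values such as token=abc


@dataclass
class Finding:
    line: int
    rule: str
    preview: str     # redacted: never echo the secret into another log
    entropy: float   # Shannon entropy in bits per character, for triage


def shannon_entropy(s):
    """Bits per character; random-looking keys score higher than prose."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value):
    return value[:4] + "***" if len(value) > 4 else "***"


def scan_text(text):
    """Return one Finding per line that appears to contain a credential."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = AWS_KEY_ID.search(line)
        if m:
            key = m.group(0)
            findings.append(Finding(lineno, "aws-access-key-id", redact(key), shannon_entropy(key)))
            continue    # one finding per line is enough for triage
        m = KEYWORD_ASSIGN.search(line)
        if m:
            value = m.group("val").strip("\"'")
            if len(value) >= MIN_VALUE_LEN:
                findings.append(Finding(lineno, "credential-assignment",
                                        redact(value), shannon_entropy(value)))
    return findings


# Constructed build log: lines 2, 3, 4 and 6 should be flagged, 1 and 5 should not.
SAMPLE_LOG = """\
[INFO] starting worker build=1.4.2
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCyEXAMPLEKEY
db_password = "correct horse battery staple"
[DEBUG] retry_count=3 timeout=30
api_token: 4f8c2a9e1b7d6c3a5e9f0b2d4c6a8e1f
"""
```

The keyword rule is intentionally loose and the entropy score is reported rather than used as a gate: a passphrase with spaces scores lower than a hex token yet is just as much a leaked secret, so the score helps an analyst order findings, not discard them.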

There are ways of managing all of these factors within the cloud; ideally, threat modelling has already revealed where each control mitigates the most risk, so that effort goes there first.

Security Pillar #3 – Visibility

The third critical pillar of cloud security is visibility, with an emphasis on logging, event management, and automation through guardrails. Visibility goes beyond traditional system and network monitoring: it must cover applications, systems, networking and their configurations in the cloud, and it extends to the control plane, that is, the API calls that create, change and delete the cloud environment itself. In addition to extensive logging of all activity within the cloud, newer services continuously monitor cloud accounts and infrastructure against configuration best practices and report on the status of security controls.

For network visibility, tools such as network firewalls and intrusion detection and prevention systems can be used alongside the collection of network flow data. Cloud-native access controls and monitoring capabilities can also track network events and behaviours.
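
Control-plane logging is only visibility once someone is looking at it, and the threat model says what to look for. The following is an added example, not from the article: four detection rules run over constructed events shaped like AWS CloudTrail records (eventName, userIdentity, requestParameters, additionalEventData), each rule tagged with the lifecycle phase it belongs to. The account ID, user names, trail name and IP addresses are placeholders. Of the six events, the root console login without MFA, the access key minted for a different user, the AdministratorAccess attachment and the StopLogging call should alert; the MFA-protected login and a user rotating their own key should not.

```python
"""Detection rules over CloudTrail-style control-plane events.

Added example: the events below are constructed to look like AWS CloudTrail
records; account ID, names and addresses are placeholders.
"""
import json
from dataclasses import dataclass
from typing import Callable


@dataclass
class Rule:
    name: str
    phase: str                        # lifecycle phase from the threat model
    matches: Callable[[dict], bool]


def _identity(e):
    return e.get("userIdentity") or {}


def _params(e):
    return e.get("requestParameters") or {}


def root_console_login_without_mfa(e):
    # The root identity should not be used interactively, least of all without MFA.
    return (e.get("eventName") == "ConsoleLogin"
            and _identity(e).get("type") == "Root"
            and (e.get("additionalEventData") or {}).get("MFAUsed") != "Yes")


def access_key_created_for_other_user(e):
    # Rotating your own key is routine; minting one for a different user is the
    # classic way to persist (ATT&CK T1098.001, Additional Cloud Credentials).
    target = _params(e).get("userName")
    return (e.get("eventName") == "CreateAccessKey"
            and target is not None and target != _identity(e).get("userName"))


def administrator_policy_attached(e):
    return (e.get("eventName") in ("AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy")
            and _params(e).get("policyArn", "").endswith("/AdministratorAccess"))


def trail_logging_disabled(e):
    # Switching the audit trail off is defence evasion (ATT&CK T1562.008).
    return e.get("eventName") in ("StopLogging", "DeleteTrail")


RULES = [
    Rule("root-console-login-without-mfa", "initial-access", root_console_login_without_mfa),
    Rule("access-key-created-for-other-user", "persistence", access_key_created_for_other_user),
    Rule("administrator-policy-attached", "privilege-escalation", administrator_policy_attached),
    Rule("cloudtrail-logging-disabled", "defence-evasion", trail_logging_disabled),
]


def detect(events):
    """Return one alert per (event, rule) match, in event order."""
    alerts = []
    for e in events:
        for rule in RULES:
            if rule.matches(e):
                alerts.append({"rule": rule.name, "phase": rule.phase,
                               "event": e.get("eventName"), "time": e.get("eventTime"),
                               "actor": _identity(e).get("arn"),
                               "source_ip": e.get("sourceIPAddress")})
    return alerts


# Constructed events; four of the six should raise an alert.
SAMPLE_EVENTS = json.loads("""[
 {"eventTime": "2024-05-01T08:00:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"},
  "additionalEventData": {"MFAUsed": "Yes"}},
 {"eventTime": "2024-05-01T08:05:00Z", "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventTime": "2024-05-01T08:10:00Z", "eventName": "CreateAccessKey", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"},
  "requestParameters": {"userName": "alice"}},
 {"eventTime": "2024-05-01T08:12:00Z", "eventName": "CreateAccessKey", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "arn": "arn:aws:iam::123456789012:user/alice"},
  "requestParameters": {"userName": "deploy-bot"}},
 {"eventTime": "2024-05-01T08:15:00Z", "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "arn": "arn:aws:iam::123456789012:user/deploy-bot"},
  "requestParameters": {"userName": "deploy-bot", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
 {"eventTime": "2024-05-01T08:20:00Z", "eventName": "StopLogging", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "arn": "arn:aws:iam::123456789012:user/deploy-bot"},
  "requestParameters": {"name": "org-trail"}}
]""")
```

Read in order, the alerts tell the story the threat model anticipated: a new source address, a second user's key created, administrator rights attached, then the trail stopped. Tagging each rule with its phase is what lets an analyst see that chain rather than four unrelated events, and the last rule is the guardrail most worth automating, since every later step is invisible once logging is off.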

Take comfort but also take action

Cloud security is getting better all the time. The key advantage of the public cloud is that providers are in a virtuous circle of security improvements, which gives security professionals a strong foundation on which to build their cloud security programmes.

However, as cloud use grows, security teams must adopt more advanced controls and develop more dynamic processes for evaluating security in the cloud. This means conducting regular threat modelling exercises and focusing on three primary mitigation categories – identity and access management, data security and visibility – to provide a dynamic foundation for cloud security.

© 2024 Professional Security Magazine. All rights reserved.
