Many Australian enterprises are getting their cloud security strategies wrong. While they are lowering infrastructure costs and introducing efficiencies by moving to flexible multi-cloud platforms, building the right level of security throughout their agile software development lifecycles is becoming difficult.
Almost two-thirds (61 per cent) of respondents to research questions posed by Cybersecurity Insiders, on behalf of Check Point, had integrated their DevOps toolchain into cloud deployments, but are still struggling with a lack of expertise that bridges security and DevOps. Only 16 per cent have comprehensive DevSecOps environments in place.
Senior technology executives gathered for a roundtable luncheon in Sydney recently to discuss why enterprises are often getting their cloud adoption strategies wrong, particularly when it comes to securing their infrastructure, as well as challenges around cloud compliance. The conversation, ‘Cloud tales: Lessons from a cyber incident response team’ was sponsored by Check Point Software Technologies.
Ashwin Ram, cyber security evangelist Office of the Chief Technology Officer at Check Point Software Technologies, says there are multiple factors at play when it comes to getting cloud strategies right.
Firstly, many organisations don’t understand or appreciate how dynamic cloud ecosystems are – a simple misconfiguration or security oversight can expose an organisation, he says.
“Cloud providers are innovating extremely rapidly and as such, it is difficult for cloud security teams to keep pace. The current cyber skills shortage is also a contributing factor as organisations struggle to find the right expertise to address the steep learning curve to bridge security and DevOps,” Ram says.
Further, he says, COVID-19 forced many organisations to rush their remote working and cloud projects in order to be more agile. This has resulted in many cloud projects being rushed through without proper assurance processes.
“Check Point’s Cloud Security Report 2022, 76 per cent of organisations have a multi-cloud strategy, which makes it difficult to implement consistent security. Organisations are struggling to implement the same security settings and policies on all clouds and ensure this is maintained to provide continuous consistency,” he says.
John Powell, principal security consultant at Telstra Purple, adds that it’s very easy to think of the cloud as reducing administration and providing more flexibility.
“But the truth is that there is a lot more to get right up front so that ‘business-as-usual’ is smooth as well as secure. The responsibility for security is shared according to what is outsourced to the cloud provider.
“This means that contractual arrangements are extremely important to make sure the boundary in the shared model is crystal clear. The need for legal expertise and even a cyber/legal mix of expertise is not often considered when moving systems and services to the cloud,” Powell says.
Meanwhile, John Boyd, group chief information officer at The Entertainment and Education Group (TEEG), says the organisation has adopted a hybrid cloud approach, which has provided the best of both worlds.
On-premise infrastructure provides stability for its venues, especially those in very remote locations. But when the business demands agility, the organisation turns to the cloud to meet these demand requirements, Boyd says.
“As for security, our team are testing at every stage of the software development lifecycle. Security is always at the forefront of our team’s mind and during application development, we adopt best practices such as educating staff, and outlining requirements clearly so [they] can focus on the most important issues,” he says.
Why cloud misconfigurations happen and what to do
The misconfiguration of cloud resources remains the most prevalent cloud vulnerability that can be exploited by criminals to access cloud data and services.
Check Point’s Ram says these misconfigurations happen because cloud teams are pushing out incredible amounts of code and building infrastructure at a rapid pace so mistakes are bound to happen.
Ram says that organisations with mature cloud security capabilities are using cloud security posture management tools to gain situation awareness of their cloud ecosystems in real time to automatically remediate misconfiguration.
“In addition to misconfiguration, organisations should also be aware of identity and access management role assumption attacks, which look to elevate privileges after initial entry. These attacks continue to be a significant concern,” he says.
Ram recommends that organisations invest in a tool that can visualise and assess cloud security posture by detecting misconfigurations, while automatically and actively enforcing gold standard policies to protect against attacks and insider threats.
Telstra’s Powell adds that exploiting the poor configuration of cloud resources is often much easier than exploiting software or hardware vulnerabilities or running a phishing campaign against privileged users.
“Misconfiguration is the most prevalent cloud vulnerability because it is often the lowest hanging fruit,” he says.
According to Powell, the configuration of cloud environments provides several technical security controls. He says that measuring technical security controls is best achieved by using technology tools.
“To this end, a cloud security assessment, with an associated tool, can be used to achieve this goal either as a once off or better still, as a regular check.”
TEEG’s Boyd says that the organisation’s resources are hosted exclusively within Azure and the team use Microsoft Cloud Service to proactively manage the security posture of the entire platform.
“Conducting regular assessments and reviewing any new recommendations help to strengthen the security configuration of our cloud resources,” he says.
Getting cloud compliance right
The ongoing technology skills shortage has made it difficult for organisations to find the right staff with skills to complete cloud-related audits and risk assessments.
Telstra’s Powell suggests that first up, organisations should “let machines do what they are good at and let people do what people are good at.’
“Technology controls can be tested and assessed with technical solutions and if this process is automated, then the compliance of the technical controls can be checked with high regularity so that any movement away from compliance is noticed and amended quickly.
“Assessing the actions of people or the flow of process is best assessed by a skilled security auditor and when human resources are scarce, they need to be used where they are most effective,” Powell says.
Secondly, if enterprises don’t have resources available internally to audit security controls or to design and build monitoring systems required to constantly test and assess these controls, then they should reach out to a partner, he says.
“It’s very difficult to retain specialised cyber security skills, so rather than continuing to train new cyber security staff, rely on the people who are already specialists and can provide that service,” he says.
TEEG’s Boyd says that compliance is an ongoing focus for his team, which is operating a business in seven regions, all with their own set of unique regulatory requirements. This requires the organisation to be aligned on its approach to compliance and execution.
“We rely on the expertise of our internal team in conjunction with key vendors that provide us with subject matter advice on risk assessment and establishment of clear policies and controls,” Boyd says.
Who is responsible with a breach occurs?
Attendees at the roundtable also discussed what enterprises need to be aware of when negotiating cloud contracts, particularly who is responsible for what when a breach does occur.
Telstra’s Powell says organisations need to make sure that the clauses of a contract with a cloud service provider defines the scope of what the provider is responsible for and what they are not.
Powell adds that this doesn’t apply only to a breach situation, but to everything that goes before a breach and the recovery from the breach.
“Be sure to include a clause of what can and can’t be tested within the cloud environment. Ask, ‘can we view the cloud service provider’s threat profile, risk assessments and risk register?’
“Most importantly, you cannot outsource accountability so don’t be too quick to believe that your risk is reduced because you are not responsible for the infrastructure that underpins your systems and services.”
Check Point’s Ram adds that most organisations will do well to understand the shared responsibility model as a first step.
“It’s important to note that the responsibility changes depending on the type of cloud resource you consume from infrastructure-as-a-service to platform-as-a-service to software-as-a-service offerings.
“The shared responsibility model is very specific on who is responsible for what as we saw with the Capital One breach.”