The adoption of public cloud services is on the rise and with that comes the opportunity for cyber security breaches, due in large part to cloud misconfiguration.
Ahead of research to be published by Cyber Security Hub, in partnership with Concourse Labs, revealing the results of a recent survey on cloud configuration security practices, we spoke to Don Duet, chairman and co-founder of Concourse Labs, about the current state of play and the cloud security challenges organizations face.
“There is inherent risk when you do not have complete control over something that is public infrastructure, like the public cloud,” Duet said. “Equally, there has been a lot of discussion about the number of security professionals that are being used when it comes to the public cloud space with the likes of Amazon, Microsoft and Google.”
“The cloud providers cannot secure everything because you’re provisioning services, configuring them and using them. This is what they refer to when they say the shared accountability model.”
Many breaches within the cloud environment are self-inflicted by customers not correctly configuring their cloud usage. Industry analyst Gartner estimates that 99% of cloud security failures will be the customer’s fault through 2025.
“The issue they are most worried about is some misconfiguration or mistake they make that leaves them exposed,” says Neil MacDonald, Gartner Distinguished VP Analyst.
Scaling expertise through software
Duet noted that people and organizations are often using the cloud even though it is unfamiliar to them.
Given internal and external business pressures, “They may not fully understand or have the time to deeply understand exactly how to do things well,” he said.
Coupled with the fact that the cloud is not static (cloud service providers continually offer new services to adapt to evolving customer needs), having enough expertise to keep cloud operations secure is a challenge.
Duet suggested that there is likely no organization that can rely on its staff’s expertise alone, and that software and technology must come into play.
“This expertise needs to be multidimensional, therefore you will need to have a security lens over everything even if you’re not necessarily having a security person doing it,” he said. “That’s the way it can be facilitated through software; using policy-as-code and security-as-code type practices, you can reduce risk.”
Having the right supporting technologies means you can scale a small number of experts widely and deeply across an organization.
“You don’t need to have a person doing a security review, you have the software doing the security review on your behalf. The content of that review would still need to come from people with expertise and that could be either expertise that you’re buying as part of the software product, or it could be your own professionals’ expertise that are getting scaled because they’re being encapsulated into the software itself,” he said.
Usage and identity-based policies and controls
Another challenge to consider is the pace of change businesses are facing today. While there are many different types of cloud services, there is a big difference between the security levels of infrastructure as a service (IaaS) compared with platform as a service (PaaS).
IaaS is very consistent with how an organization would build things in its own data center. PaaS, while providing a much higher value proposition, allows organizations to take a globally managed service like a database and start using it.
“The difference is the ability to secure that [globally managed database] is often constrained,” Duet explained. “That’s one of the bigger industry questions as you get into PaaS versus IaaS. How do you make sure things are secure and do you understand what are the levers that you’re able to push and pull? How do you know if it’s being used appropriately?”
This is where the policies and controls that govern cloud security come into play, according to Duet. Organizations must work out how to develop strategies that determine the appropriate usage of, and identity for, the globally provisioned PaaS services they are using.
“That is an area that I think is still emerging as part of the cloud security framework that people are struggling with.”
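As an added example (not code from the article or from Concourse Labs), the following Python encodes the kind of review Duet describes above as policy as code: expert rules for a managed PaaS database, including the usage and identity controls the later section raises, applied by software to every resource. The resource field names, policy ids and the two sample database descriptions are constructed for illustration and do not correspond to any real cloud provider's schema.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass(frozen=True)
class Policy:
    id: str
    severity: str
    description: str
    check: Callable[[Dict], bool]  # True means the resource complies

def no_wildcard_principals(db: Dict) -> bool:
    # Identity lens: no principal may be "*" and every principal must
    # belong to the organisation's own (hypothetical) identity domain.
    return all(p != "*" and p.endswith("@example.org")
               for p in db.get("allowed_principals", []))

# The "content of the review": rules an expert would apply by hand,
# encoded once so software applies them consistently. A missing
# public_access field is treated as public (fail closed).
MANAGED_DB_POLICIES: List[Policy] = [
    Policy("DB-001", "critical", "managed database must not be publicly reachable",
           lambda db: not db.get("public_access", True)),
    Policy("DB-002", "high", "data at rest must be encrypted",
           lambda db: db.get("encryption_at_rest") is True),
    Policy("DB-003", "high", "identity-based auth required, not shared passwords",
           lambda db: db.get("auth_mode") == "iam"),
    Policy("DB-004", "medium", "no wildcard or external principals",
           no_wildcard_principals),
]

def evaluate(resources: List[Dict], policies: List[Policy]) -> List[Dict]:
    """Return one finding per (resource, violated policy) pair."""
    findings = []
    for r in resources:
        for p in policies:
            if not p.check(r):
                findings.append({"resource": r["name"], "policy": p.id,
                                 "severity": p.severity, "issue": p.description})
    return findings

# Constructed sample: two managed database instances as a provisioning
# tool might describe them (not output from any real cloud provider).
SAMPLE_RESOURCES: List[Dict] = [
    {"name": "orders-db", "public_access": True, "encryption_at_rest": False,
     "auth_mode": "password", "allowed_principals": ["*"]},
    {"name": "billing-db", "public_access": False, "encryption_at_rest": True,
     "auth_mode": "iam", "allowed_principals": ["app-billing@example.org"]},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_RESOURCES, MANAGED_DB_POLICIES):
        print(f"[{f['severity']}] {f['resource']}: {f['policy']} {f['issue']}")
```

Running it reports four findings, all against orders-db, and none against billing-db; the same rule set can be run in CI against every new resource definition rather than waiting for a manual review.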