Today’s security teams have a lot on their minds.
Cloud implementations have given the modern enterprise powerful on-demand services – but they’ve also introduced a host of new security issues.
Let’s look at some of what is on the radar for professionals tasked with managing these innovative cloud services and partnerships with tech vendors.
Data Loss and Leakage
It should be no surprise that data loss tops the list of cloud security concerns.
A data breach is an expensive and damaging experience for any company. New data regulations like the General Data Protection Regulation in Europe create even higher standards. Security teams are forced to implement many types of controls to make sure that the chances of a data breach are reduced as much as possible, and that, if something does happen, there is a plan in place for effective response.
Protection tools span a spectrum that includes perimeter protections, data handling protocols, and data restoration tactics. Failback and failover processes help to ensure data recovery: the use of availability zones means data will be available to add back into systems when it is lost in one jurisdiction. There are also key recommendations for notifying federal authorities of a data breach, doing damage control on sensitive data sets, and notifying customers as necessary. Threat mitigation and disclosure are two of the key priorities in a data loss incident response plan that works.
That’s data loss, but what else are cloud security experts worrying about?
Misuse of Employee Credentials (and Other Unauthorized Access)
For a new report, cloud consulting firm Delta Risk interviewed respondents with skin in the game in terms of cloud services and compiled a list of major worries that are often included in risk mitigation plans.
The most common one, according to data released in the study, was unauthorized access, whether due to improper use of employee credentials or to other types of unauthorized access.
Identity and access management tools play a role in effective network protection, but so does endpoint security. Bring your own device (BYOD) and the internet of things (IoT) are introducing new risks – companies have to figure out how to keep human error from jeopardizing their data assets.
In the old days, that may have meant gluing shut USB ports or establishing perimeter security setups. Now, it means working with security tools that are “embedded in a network fabric,” new security automation resources that continually monitor network events and flag outliers. That, plus a good set of human review standards, goes a long way toward helping companies to avoid circumstances where employee credentials are misused by hackers. For instance, if a given user has his or her typical workstations, the network monitoring system may be able to spot trouble simply by identifying an unusual access request from an unknown device – or even an access request outside of typical use hours.
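The check described above, sketched as an added example that is not from the original article or any vendor's product: it builds a per-user baseline of known devices and usual hours from past access events, then flags new events that fall outside it. The event format, device IDs and the one-hour slack are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (ISO timestamp, user, device_id). Not real log data.
HISTORY = [
    ("2024-03-04T09:12:00", "alice", "WS-0141"),
    ("2024-03-05T08:55:00", "alice", "LT-0032"),
    ("2024-03-05T17:20:00", "alice", "WS-0141"),
    ("2024-03-04T10:05:00", "bob", "WS-0207"),
    ("2024-03-05T16:45:00", "bob", "WS-0207"),
]
NEW_EVENTS = [
    ("2024-03-06T10:30:00", "alice", "WS-0141"),   # known device, usual hours
    ("2024-03-06T11:00:00", "alice", "UNK-9F3C"),  # device never seen for alice
    ("2024-03-07T02:14:00", "bob", "WS-0207"),     # known device, 2 a.m.
    ("2024-03-07T03:01:00", "carol", "WS-0300"),   # user with no history at all
]

def build_baseline(events):
    """Per user: the set of devices seen and the span of hours of day used."""
    devices, hours = defaultdict(set), defaultdict(set)
    for ts, user, device in events:
        devices[user].add(device)
        hours[user].add(datetime.fromisoformat(ts).hour)
    return {u: {"devices": devices[u], "first": min(hours[u]), "last": max(hours[u])}
            for u in devices}

def flag_outliers(baseline, events, slack_hours=1):
    """Return (event, reasons) for every event that departs from the baseline."""
    flagged = []
    for ts, user, device in events:
        profile = baseline.get(user)
        if profile is None:  # nothing to compare against: send to human review
            flagged.append(((ts, user, device), ["no-baseline"]))
            continue
        reasons = []
        if device not in profile["devices"]:
            reasons.append("unknown-device")
        hour = datetime.fromisoformat(ts).hour
        if not (profile["first"] - slack_hours <= hour <= profile["last"] + slack_hours):
            reasons.append("off-hours")
        if reasons:
            flagged.append(((ts, user, device), reasons))
    return flagged

if __name__ == "__main__":
    for event, reasons in flag_outliers(build_baseline(HISTORY), NEW_EVENTS):
        print(event, "->", ", ".join(reasons))
```

A flag here is a prompt for the human review the article mentions, not proof of compromise: a new laptop or a late shift produces the same signal.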
API Holes and Interface Issues
Another top cloud concern is the misuse of application programming interfaces and in particular, the use of API keys by hackers.
APIs have brought incredibly broad versatility to enterprise functions. They allow for third-party payments and all sorts of other neat new capabilities. At the same time, they pose a risk if the API keys are open to abuse.
A Dark Reading story from 2012 cites the Stuxnet attack, where hackers used code signing keys to get in under the protective structure of the host-based security system.
“The security and availability of general cloud services is dependent upon the security of these basic APIs,” wrote CSA analysts. “From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy. Furthermore, organizations and third parties often build upon these interfaces to offer value-added services to their customers. This introduces the complexity of the new layered API; it also increases risk, as organizations may be required to relinquish their credentials to third parties in order to enable their agency.”
More recently, experts have continued to offer guidance on how to decrease the chances of improper use of API keys, such as the need to test on a regular basis as companies scale and build out API-based functionality.
Cloud Misconfigurations
Another cloud concern that was top of mind for respondents in the Delta Risk study was cloud misconfigurations.
This vendor-agreement-centered issue revolves around some of the ways that customers of infrastructure as a service (IaaS) or platform as a service (PaaS) options find that improper setups put their data at risk.
Here are some of the common types of issues emblematic of cloud misconfiguration problems:
- Weak passwords
- Inactive data encryption
- Lack of permission controls
- Lack of identity access management
- Insufficient policy or policy awareness
In other words, when the cloud setups themselves aren’t set up right, danger ensues. So, it’s incumbent on security personnel to evaluate the details of on-demand services, especially IaaS and PaaS, not just in looking at the service level agreements, but also practically surveilling these vendor platforms in the field to make sure that loopholes are closed and data is protected.
Over time, setups that include various vendor services can suffer from “configuration drift” – say, for instance, a company achieves cloud-centered network operations with a set of vendors and then contracts with Amazon AWS S3 for object storage. All of this has to be globally handled to prevent security holes in any part of this pipeline or data life cycle.
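One way to catch both the misconfigurations listed above and the drift described here, as an added example that is not from the original article: compare an approved configuration snapshot with what is actually observed, and test each changed setting against a rule. The setting names, the sample values and the 12-character password threshold are assumptions made for illustration, not any vendor's real schema.

```python
# Constructed settings; key names are hypothetical, not any vendor's real schema.
APPROVED = {
    "object_storage": {"encryption_at_rest": True, "public_read": False},
    "iam": {"mfa_required": True, "min_password_length": 14},
    "logging": {"access_logs": True},
}
OBSERVED = {
    "object_storage": {"encryption_at_rest": False, "public_read": True},
    "iam": {"mfa_required": True, "min_password_length": 8},
    "logging": {"access_logs": True, "retention_days": 30},
}

# A value must satisfy its rule to be acceptable; paths without a rule are only reported.
RULES = {
    "object_storage.encryption_at_rest": lambda v: v is True,
    "object_storage.public_read": lambda v: v is False,
    "iam.mfa_required": lambda v: v is True,
    "iam.min_password_length": lambda v: isinstance(v, int) and v >= 12,  # assumed policy
}

_MISSING = object()

def drift(approved, observed, prefix=""):
    """Yield (path, approved_value, observed_value) for every differing leaf."""
    for key in sorted(set(approved) | set(observed)):
        a, o = approved.get(key, _MISSING), observed.get(key, _MISSING)
        path = f"{prefix}{key}"
        if isinstance(a, dict) and isinstance(o, dict):
            yield from drift(a, o, path + ".")
        elif a != o:
            yield path, None if a is _MISSING else a, None if o is _MISSING else o

def review(approved, observed):
    """Split drift into rule violations and changes that need a human look."""
    violations, unreviewed = [], []
    for path, was, now in drift(approved, observed):
        rule = RULES.get(path)
        if rule is not None and not rule(now):
            violations.append(path)
        elif rule is None:
            unreviewed.append(path)
    return violations, unreviewed

if __name__ == "__main__":
    print(review(APPROVED, OBSERVED))
```

Changes that still satisfy their rule, such as a longer minimum password length, are treated as acceptable drift and appear in neither list.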
These are some of the top stresses that add to the job of the security pro who is trying for a comprehensive network protection and risk mitigation plan. Think about how to move forward in this age of data-centric operations, and what that means in terms of data privacy and security.
About the Author:
Justin Stoltzfus is an independent blogger and writer for TECHOPEDIA.COM. He is also a business consultant assisting a range of businesses in developing media solutions for new campaigns and ongoing operations. He is a graduate of James Madison University.
Stoltzfus spent several years as a staffer at the Intelligencer Journal in Lancaster, Penn., before the merger of the city’s two daily newspapers in 2007. He also reported for the twin weekly newspapers in the area, the Ephrata Review and the Lititz Record. More recently, he has cultivated connections with various companies as an independent consultant, writer and trainer, collecting bylines in print and Web publications, and establishing a reputation for excellence in corporate training, marketing campaigns and other media projects.