Need for Guardrails in Cloud-Native Applications Intensifies

Published: 23/11/2024   Category: security




With more organizations shifting to cloud services in the pandemic, experts say the traditionally manual process of securing them will be replaced by automated tools in 2021 and beyond.



The security fallout from the sprint to set up employees' home offices in the COVID-19 pandemic wasn't just about vulnerable endpoints and home networks: Even more worrisome was the rushed adoption of cloud-based technologies as physical offices and security operations centers went dark and home offices lit up.
The hybrid physical and cloud-based IT infrastructure is real now in many organizations, altering the enterprise landscape for 2021 and beyond thanks to COVID-19 prompting organizations to shift to a work-from-home model practically overnight.
Organizations already had been struggling to manage and properly secure their physical IT infrastructures, which had expanded with mobile and Internet of Things devices and risked exposing corporate data.
Now add cloud services to the mix – such as AWS S3 data storage, Salesforce, Slack, ServiceNow, and others – and the potential for blind spots and vulnerable devices multiplies. The infamous wave of leaky AWS S3 storage bucket incidents that began in 2017 and continues today was just a hint of what's to come, given how easy it is to inadvertently mess up cloud security.
The core challenge is visibility and control of what connects to the corporate network, and the cloud has exacerbated an already murky and difficult task. Most reputable cloud-based services actually come with built-in security controls, but it's still up to the customer to manage and configure those settings, and that's often the problem. According to Gartner, 99% of cloud security mishaps through 2025 will be at the hands of the customer. And that will likely lead to leaking and compromise of sensitive data.
Several startups and technologies are emerging to attempt to address the visibility and management problem. DisruptOps, for example, the brainchild of Securosis principals Rich Mogull, Mike Rothman, and Adrian Lane, spun out of a project built by the veteran security consultants and recently raised $9 million in Series A funding less than two years after its fall 2018 launch. The cloud-based service provides what the founders call guardrails that automatically assess and enforce security policies in a cloud infrastructure – including configuration mishaps.
Last month, security-as-a-service startup JupiterOne emerged from stealth with $19 million in Series A funding. Its service automatically finds and keeps updated online physical and virtual devices and assets in an organization, including cloud-native services.
Identifying and managing the security of cloud-native services and assets traditionally has been a time-consuming, manual job. Assigning engineers the task of manually taking inventory and maintaining all of an organization's assets is costly as well, notes Will Gregorian, CISO of wealth management service Addepar.
"You're always [just] catching up to the asset management program," he says.
Addepar recently swapped out its governance, risk management, and compliance (GRC) tool for JupiterOne's service. Gregorian says his firm now can run queries on AWS S3 accounts to ensure they're properly locked down and not exposed on the public Internet, and measure policies assigned to a storage bucket.
"You can see who has access to what bucket, for example," he says, as well as identify access keys that are no longer needed and can be retired.
Misconfiguration of software-as-a-service (SaaS) or cloud-native applications is common and mainly due to human error and the fact that it's nearly impossible to manually keep up with all of the potential settings and connections offered in these services. According to a new survey from AppOmni, nearly 60% of organizations today manually audit their cloud-based applications for security and compliance. In addition, just 31% run automated tools to manage SaaS configuration and security, while 10% have no process for it whatsoever.
Security teams are often so busy being reactive with ransomware, needing to patch, and hardening the perimeter that managing SaaS configuration is often left up to the lines of business, which rely on IT to manually configure and administer the apps, notes Brendan O'Connor, CEO of AppOmni, which offers a service that manages the security of SaaS applications, including APIs and configuration settings.
Often security teams don't even have login access to Salesforce.com or other applications used in an organization, he notes. That can lead to misconfiguration of security controls in ServiceNow, Slack, and other cloud-based applications, O'Connor says.
Visibility is the core challenge, he says, and security teams typically don't have the bandwidth to fully master all of the details of these apps or the way API connections with SaaS applications all work both internally and externally.
Massive SaaS applications such as Salesforce and ServiceNow have hundreds of knobs and switches to learn, he says. AppOmni's service regularly finds users with unnecessary and overly permissioned access to these apps, he says, and it's mostly due to configuration mistakes or oversight rather than malicious activity.
Even so, an account left exposed to the public Internet is ripe for abuse, especially with cybercriminals regularly scanning for vulnerable systems sitting out there.
Kurt John, chief cybersecurity officer at Siemens USA, says many organizations went from mapping out a gradual cloud rollout to an instant adoption in the pandemic that upended their plans.
"With this accelerated move ... they obviously need to prioritize business operations, and a lot of times that happens at the detriment of security," he says.
That's why organizations need to invest in sufficient cloud asset management and configuration management, notes Richard Stiennon, founder of IT-Harvest. Stiennon says there likely will be waves of data breach disclosures in 2021 in the wake of COVID-19-related phishing attacks this year.
"I'm worried next year is going to be all about breaches again," Stiennon says.
And given that some 96% of organizations worldwide plan to relocate sensitive data to the cloud in the next two years, according to a new study by Trustwave, breaches could get even uglier if organizations don't properly manage and secure their cloud services.
Meantime, the rapid cloud adoption amid COVID-19 is accelerating new technologies to help manage these new hybrid infrastructures: the next big thing for getting the cloud under control could be a more useful AI model. Keith Neilson, technical evangelist for cloud governance vendor CloudSphere, says in 2021, AI will evolve from just detecting anomalies, as most of its iterations do today, to actually alerting security teams about credible threats.
