Security vs. Speed: The Risk of Rushing to the Cloud

  /     /     /  
Publicated : 22/11/2024   Category : security


Security vs. Speed: The Risk of Rushing to the Cloud


Companies overlook critical security steps as they move to adopt the latest cloud applications and services.



Businesses deploying cloud-based applications and services often overlook critical security steps as they scramble to keep up with the latest technology, and the rush is putting them at risk.
Theres a lot of customers who have this cloud-first mandate, says JK Lialias, senior director of cloud access at Forcepoint. Theyve been told, thou shalt move to the cloud as much infrastructure as you possibly can.
A lot of pressure is on line-of-business employees to adopt cloud applications and infrastructure, he continues. IT departments are essential in delivering these services and often neglect to understand how on-premises data and processes translate to the cloud.
Whats happening in the move to the cloud has happened in the tech industry from the beginning, says Michael Landewe, Avanan co-founder and VP of business development. People move to new tech based on new features and capabilities. Security always follows.
The gap between moving to the cloud and implementing strong security has shrunk as new technologies accelerate the process, he explains. However, most companies are still followers and dont take all the necessary steps, sacrificing security in the process.
Never Assume Youre Secure
Theres a lot of assumption when it comes to cloud responsibility. Some businesses think the whole security issue is something you put into the providers realm, says Jim Reavis, CEO of the Cloud Security Alliance. The cloud provider may have security services and capabilities, which you can order as an extra, but a lot of responsibilities shift to the cloud.
Cloud providers typically own the hardware, network, host operator, and virtual machines, says Dan Hubbard, senior security architect at Lacework. The customer owns everything above that: operating systems, containers, applications, and all of the related access controls.
This is where things get a little muddy from a corporate perspective, he explains. Most companies have parameters in traditional data centers, and their core principles and rules dont apply in the public cloud.
Landewe points to the shared responsibility model, which reminds companies they must secure data they move to the cloud. Many businesses, especially those with small IT departments, hand responsibility for data access and security to cloud providers. The service-level agreement from most vendors explains where customers are responsible for their data.
You need to have an honest conversation with the vendor and ask, where does your security responsibility end and where does mine begin? he explains. The owner of the data still has to be entirely responsible for that information.
Skipped Steps and Dangerous Consequences
Its one of those things where the speed sometimes impedes overall understanding and education, says Lialias of the transition to cloud. This is one of the areas where it needs to be balanced.
Hubbard puts companies into two categories: cloud natives, which were founded in the cloud and dont need to migrate, and larger businesses with traditional data centers. The latter group is navigating the transition to public cloud and overlooking critical steps in the process.
Proper account configuration is key here. Last years series of Amazon Web Services (AWS) leaks affecting major organizations, from Viacom to the Republican National Committee, demonstrated a broad oversight of basic cloud configuration steps. Its an easy and dangerous misstep.
From what we have seen and what we know about these, they have all come down to client-based issues; mistakes theyve made, says Reavis. AWS has strong security but most people dont know to properly configure their access so that data is secured. If theyre making these configuration errors in AWS, theyre likely making them in other services, he adds.
Cloud credentials must also be secured, Hubbard emphasizes. Attackers frequently steal login data for platforms like AWS and Azure, and abuse the power of the cloud on behalf of customers to mine cryptocurrency, send spam, and distribute distributed denial-of-service attacks.
If someone gets access to those, they can impersonate you in your portion of the cloud, he says. You need to manage access to the machines … who logs into machines, from where, and what do they do when they log in.
Admins should adopt two-factor authentication and lock access so administrative accounts can only log in from certain IP addresses. Uneducated admins can do a lot of damage very quickly, says Reavis, who says phishing and credential-based attacks will be common going forward. There should be closer scrutiny on how admin accounts are hardened.
Once someone has access to your account, they do everything in their power to maintain that control, says Landewe. Administrators arent the only ones at risk, he notes. Many attackers target low-level employees and, once theyre in, use that access to target high-level workers.
Do Your Due Diligence
The average enterprise has about 1,000 software-as-a-service applications in use, says Lialias. They probably know about 600 of them, and there might be 30 that could potentially be very high risk. Businesses know they house both sanctioned and unsanctioned applications. Its up to them to understand whats out there and assume control over the software that employees use.
The key for moving to the cloud is doing due diligence, he explains. They swipe a card and click a button, and they forget their due diligence.
While mistakes can and will happen, businesses can stay one step ahead by ensuring accounts are properly configured, credentials are secured, and they have visibility into the applications being used and people using them. Being able to see and control data is essential.
Experts hope to see a slowdown in incidents like AWS bucket leaks and see companies marry caution with speed. However, many will need a wake-up call before adopting best practices.
Were going to see more of the same in organizations needing to make a mistake to learn that they need to take this seriously, says Reavis. He advises businesses to look to educational programs from major cloud providers, the Cloud Security Alliance, and (ISC)², which all have cloud security courses.
Related Content:
2017 Smashed Worlds Records for Most Data Breaches, Exposed Information
Over 12,000 Business Websites Leveraged for Cybercrime
Poor Visibility, Weak Passwords Compromise Active Directory
Crypto-Mining Attacks Emerge as the New Big Threat to Enterprises

Last News

▸ Security Problem Growing for Dairy Queen, UPS & Retailers, Back off ◂
Discovered: 23/12/2024
Category: security

▸ Veritabile Defecte de Proiectare a Securitatii in Software -> Top 10 Software Security Design Flaws ◂
Discovered: 23/12/2024
Category: security

▸ Sony, XBox Targeted by DDoS Attacks, Hacktivist Threats ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Security vs. Speed: The Risk of Rushing to the Cloud