Written by Andrew Neale
2019 will be in no doubt another big year for the cloud, with the vail of the cloud being something big and scary finally lifting, more enterprises and customers will start to embrace the cloud. From putting new systems in the cloud, lifting and shifting their systems fully to the cloud or even just going through a digital transformation and embracing cloud technologies in different aspects.
But what of the Security implications in the Cloud? Are these companies aware of the security measures their chosen cloud platform offers, or are they willing to possibly rearchitect their systems to cater for the changes in the security landscape, you can’t just lift and shift your on-prem security to the cloud, there are changes that have to be made.
So, in 2019, in the Cloud, what security measures should you take? Or, what measures should you have taken and need to consider?
1. Don’t Presume the CSP will take full care of your Cloud Security Needs
While they do have the responsibility of securing the infrastructure of their data centres and overall internal infrastructure providing the IaaS, PaaS and SaaS, it’s naïve and dangerous to think that it’s completely taken care of. They will provide you with the tools to implement your own security measures on top, whether it’s network separation, high- and low-level system monitoring or access controls. It’s up to you to correctly use these tools to suit to specific cases. Which leads me to the next point:
2. You can lift and shift and deploy new platforms and systems at a fraction of a price, but don’t leave the security as an afterthought.
Before you commit to a lift and shift, do a comparison against the security tools of the CSP and your own and see if you can at a first pass replicate your current security controls in the cloud. Then if you can, don’t implement the project straight away, see how you can instead then use the CSP’s security features to further enhance your own security measures. Even afterwards don’t be afraid to re-evaluate, the major CSP’s are always adding more functionality to their security suites.
3. Engage your on-prem security team to start getting trained on Cloud Security best practices.
Cloud Security has become a large issue in the last few years and now there are industry recognised certifications for Cloud and Cloud Security, it is worth investing time and effort to get one of these, it is better to learn how to swim before diving into shark infested waters and having a breach. The Cloud Security Alliance offer numerous resources on Cloud Security best practises, whitepapers and exams. It’s a great place to get started.
You could say that the above three points have been true since the public cloud came in existence. So, let’s get down to some 2019 Cloud Security events and issues to keep an eye out for:
1. AWS re:Inforce
This year Amazon WebServices will hold its first ever conference dedicated to cloud security in Boston. They will give overviews, hands-on demos on all the Security offering that’s AWS has. This conference shows how seriously AWS take security and it’s the first of its kind. I would expect to see GCP and Azure follow suit in the near future. It will be worth checking out if you are not only using AWS but have an interest in security as often their best practises are classed as some of the best.
2. Cloud providers will continue to push and offer native key management capabilities.
Encryption keys are often self-managed to fulfil regulatory requirements. However, that then leads to the possibility of the keys being mishandled or leaked. By embracing CSP’s key management capabilities, it should help lessen the chance of mishandling.
“…while self-managed key options will continue to evolve, customers will increasingly look to leverage provider-key-managed services to manage their keys”
Scott Ellis, Product Manager of Google Cloud
The fact that this came from GCP’s product manager would suggest that they have new features for this arriving in the near future to further enable key management.
3. Cloud Accounts will increase, not only in scale but also velocity
In 2019 it’s fair to say most enterprise level companies working in the cloud will have some sort account compromise attempt as Palo Alto Networks Unit 42 threat research team found, 29% of organizations running in the cloud have potential for cloud account compromises. Secure your cloud accounts, use MFA as a minimum standard.
4. Social engineering was, and still is the biggest threat to user security in the Cloud.
Thanks to innovations and advancement in AI and machine learning by the CSPs these can be leveraged to make more believable emails, calls and texts. Is there a way to defend against these? Beyond using filters on messages (but this can have the danger of blocking genuine messages with how close the attacks are becoming to the real thing) It boils down to simple polices and training, see an email asking for a certain key or passphrase? Have a process to ring the person first and only transfer face to face if possible. Always have that extra way to validate the authenticity of the requesters else you could find yourself on a breached data list somewhere.
2019 will be another interesting year for security for what breaches it brings to what new tooling CSPs and business bring to the table this year to fight and contain the ever-growing threats. On towards 2020, will it be the year that we finally see fully automated Security as a Service offerings (SecaaS) from the CSP’s? Until them, get learning and get securing, the best defence is ready and a well-trained defence.