The Gap in the Cloud
Traditional corporate security paradigms focus heavily on a strong perimeter. Most organizations already realize this is a dated model and are asking how to adapt to Cloud and BYOD. Many are now reassessing their security approach and filling gaps by purchasing new tools.
In complex environments, security is typically tackled with a layered approach. The difficulty is that each layer requires different management tools, often run by different teams, so maintaining top-down visibility is hard. For example, the team responsible for application security (often developers) has very little interaction with the team responsible for DMZ management, which leads to deployment and maintenance challenges.
One common gap is the management of file sharing services such as Microsoft OneDrive or Box.com. This was made clear by the high-profile 2014 attacks against Apple iCloud, where sensitive (ahem) data was exposed through an API associated with the Find My iPhone service that had no protection against brute-force password attacks. This vulnerability allowed attackers unlimited password guesses and let them take over iCloud accounts protected by simple passwords. Apple quickly released a fix, but the damage was done. Any corporate data in iCloud was also compromised, albeit without the headlines. Traditional on-premises monitoring tools cannot prevent this scenario.
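The missing control in that incident was a limit on failed guesses. The following is an added illustration, not code from the article or from Apple, of the kind of throttle an authentication endpoint needs: a sliding-window guard that counts recent failures per account (to stop guessing against one user) and per source address (to stop password spraying across many users). The thresholds, account names and IP addresses are constructed sample values.

```python
"""Sliding-window brute-force guard for an authentication endpoint.

Added illustration (not from the original article or from Apple) of the
per-account and per-source throttle the Find My iPhone API lacked.
Thresholds, account names and IP addresses below are constructed values.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginAttempt:
    ts: float          # seconds since epoch
    account: str
    source_ip: str
    password_ok: bool  # what the credential check *would* return


class BruteForceGuard:
    """Reject attempts once recent failures exceed a threshold.

    Two counters are kept: per account (defeats guessing against one user)
    and per source address (defeats spraying one password across many users).
    """

    def __init__(self, window_s=300, max_account_failures=5, max_source_failures=20):
        self.window_s = window_s
        self.max_account_failures = max_account_failures
        self.max_source_failures = max_source_failures
        self._account_failures = defaultdict(deque)  # account -> failure timestamps
        self._source_failures = defaultdict(deque)   # source IP -> failure timestamps

    def _prune(self, dq, now):
        # Drop failures that have aged out of the sliding window.
        while dq and now - dq[0] > self.window_s:
            dq.popleft()

    def evaluate(self, attempt):
        """Return the decision for one attempt and record its outcome.

        Decisions: "allow", "deny_bad_password", "lockout_account", "block_source".
        A locked account rejects even a correct password, so the guesser never
        learns which guess was right.
        """
        acct = self._account_failures[attempt.account]
        src = self._source_failures[attempt.source_ip]
        self._prune(acct, attempt.ts)
        self._prune(src, attempt.ts)

        if len(acct) >= self.max_account_failures:
            return "lockout_account"
        if len(src) >= self.max_source_failures:
            return "block_source"
        if attempt.password_ok:
            return "allow"
        # Only an actually evaluated wrong password counts as a failure.
        acct.append(attempt.ts)
        src.append(attempt.ts)
        return "deny_bad_password"


def replay(attempts, **guard_kwargs):
    """Run a sequence of attempts through a fresh guard and return the decisions."""
    guard = BruteForceGuard(**guard_kwargs)
    return [guard.evaluate(a) for a in attempts]


# Constructed scenario 1: five wrong guesses at one account, then the right
# password while locked, then a legitimate login after the window expires.
GUESSING = [LoginAttempt(t, "alice", "203.0.113.10", False) for t in range(5)] + [
    LoginAttempt(5, "alice", "203.0.113.10", True),    # correct, but account is locked
    LoginAttempt(320, "alice", "203.0.113.10", True),  # window expired, allowed
]

# Constructed scenario 2: password spraying, one failure per account from one IP.
SPRAYING = [LoginAttempt(t, f"user{t:02d}", "198.51.100.7", False) for t in range(21)]

if __name__ == "__main__":
    for name, events in (("guessing", GUESSING), ("spraying", SPRAYING)):
        print(name, replay(events))
```

The per-source counter matters as much as the per-account one: an attacker who keeps each account under the lockout threshold and rotates through many accounts is only visible from the source side, and the same counters are the events a SIEM would alert on.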
Another security gap is managing external service providers who require connectivity to your internal network. Individuals outside your company's direct control expand the attack surface, and seemingly innocuous points of entry are often used as jump-off points to attain privileged access to internal resources. This is what happened in the 2013 attack on Target, where an HVAC vendor's account was used to gain entry and ultimately control of its point-of-sale systems to steal credit card information. One study commissioned by CyberArk states that 80-100% of attacks rely upon elevated accounts. That is a staggering statistic, but securing such accounts is easier said than done.
The New Cloud Security Layer
IT departments often address security gaps by purchasing new tools, as is the case with the new breed of products that Gartner refers to as Cloud Access Security Brokers (CASB). These products aim to centrally manage cloud service providers; however, many are new to the market and subject to acquisition. There is a lot of uncertainty in the CASB space, and we suggest due diligence before purchasing such products.
A New Security Paradigm
The traditional layers of security have fundamentally changed: the Application Layer now sits outside the Perimeter, so existing tools provide no protection to sensitive data. IT departments traditionally assume that data is secured by the outer layers, but often this no longer applies. It is increasingly important to tackle Data Security head-on.
A better approach, for now, may be to assess new strategies around your IT governance and security policies. Consider the following:
1) Institute a top-down security model that can be applied in a distributed fashion. Security should be everybody's job, not just the security team's.
2) Implement a customer-driven architecture to engage the business and better understand industry drivers and business processes. IT Security should be engaged, even up to the executive level, to meet both business and security objectives.
3) Simultaneously, institute an inside-out, data-centric security model to align both business and IT requirements.
4) Review your data security policies to ensure they are scalable and standardized across your organization.
5) Institute a common set of controls, particularly for cloud applications, to attain some level of visibility. CASB tools or your existing SIEM strategy may help.
About the author: Bryce Cramer is a Manager at Enaxis Consulting with nearly 20 years of experience across various industries, from four Fortune 500 companies to smaller businesses, with a focus on IT architecture, cybersecurity, and project management as well as all phases of deployment and maintenance. Bryce holds a Bachelor's Degree from Rice University with an emphasis in Cognitive Science.