By Dave Gordon
The cloud, the newest frontier of data storage, has mega-household name corporate providers – AWS, Google, Microsoft, IBM –that for many, give the impression these services are built like titanium lockboxes.
But whereas enterprises are adopting cloud services at a rapid rate, hoping to seize on increased development and growth, few users truly understand the potential vulnerabilities of this kind of wide-scale adoption.
According to new reports, the speed of adoption is so fast, that even enterprises are unable to secure themselves against increased threats to security.
One recent study analyzed these concerns at length.
July 2019’s mid-year update to the Skybox Vulnerability and Threat Trends Report said cloud container vulnerabilities have increased by 46 per cent, when compared to the same period in 2018. That share has since increased to 82 per cent. The report also says “third–party plugins and applications are expanding the attack surface and introducing new risk to the organization.”
Bugs are as prevalent in cloud and on-premise environments, but cloud services “are often lacking the necessary security diligence to ensure effective network segmentation, access to resources and rigour in risk and vulnerability management,” notes Skybox. “The processes which many companies currently have in place to secure their cloud projects simply don’t go far enough to guarantee proper testing both before, during and after the technology has been implemented.”
Mark Nunnikhoven, vice-president of cloud research at Trend Micro, argues both the cloud provider and the company, have a “shared responsibility” in finding a solution.
The problem has a lot to do with a lack of education, he says.
“To date, almost every single security issue reported ‘in the cloud’ has been a result of a misconfiguration. This means that the millions of compromised data records over the past 24 months could have been avoided. To me, this means we—the security community—have a lot of work left to do around education.”
Nunnikhoven insists that organizations need to take cybersecurity seriously and integrate it into their organizations.
However, Nunnikhoven takes issue with the report’s assertion that “Devops teams are working under assumptions about ‘security in code’ that don’t consider the lifespan and permutations of their creations.”
To him, teams that have adopted a DevOps culture are actively seeking out guidance on security and finding the security community unable to understand modern development and delivery.
“These teams of builders are trying to deliver solid, reliable solutions. For the most part, the security community is failing to provide the education and tooling required to help these teams reach their goals.”
Education and culture, according to Nunnikhoven, need to change if companies are to properly respond to security threats on the cloud. A big obstacle to this, as Skybox notes, are corporate protocols, which “surround the deployment of cloud IaaS resources.”
That ranges anywhere from misconfigurations, to lack of testing, leaving businesses exposed to security and compliance risks. Testing and backups are key, as well.
A steady-state in the cloud doesn’t exist
Meanwhile, last year’s ThousandEyes Cloud Performance Benchmark Report examined cloud performance data across public cloud providers—AWS, Azure and GCP, Alibaba Cloud and IBM Cloud —during a period of four weeks.
The study found that there were significant architectural differences that resulted in performance inconsistencies (related to latency, loss and jitter), depending on where in the world an end-user was located. Alas, there is no steady-state in the cloud.
“While Google Cloud and Azure rely heavily on their private backbone networks to transport their customer traffic, protecting it from performance variations associated with delivering over the public internet, AWS and Alibaba Cloud rely heavily on the public internet for the majority of transport, resulting in greater operational risk that can impact performance predictability,” the report notes.
Hongwen Zhang, CEO of Wedge Networks, a firm with a focus on cloud security, says that people aren’t asking the right questions in the correct order.
“They ask ‘how do we get this working,’ instead of ‘how do we get this working with all of the security in place?’”
Like Nunkihoven, Zhang sees a lack of education and failed processes as the problem:
“You really need to understand your service provider’s security model, and certainly you have to find ways to continually test and monitor this,” he says. “The other thing is, if you look at today’s security breaches, a lot of them are targeted attacks.”
Zhang calls for people to pay more attention to the WiFi that connects to services.
“Place another layer of protection – real-time protection – that helps make sure you have peace of mind. The other thing is continued situational awareness. Basically, when a lot of devices and real-time enterprises are connected to the cloud, provide a way to monitor all those devices.”
Shea Stewart, partner at Toronto software company Arctiq, suggests several specific strategies to address these vulnerabilities.
One of which is automation for deployment and patching, since humans can make slight mistakes that may cause problems. Stewart makes the case for the need for “Infrastructure Resiliency,” by which he means a dynamic infrastructure that can change components in a quick and efficient manner.
Runtime tools, he says, can be critical in identifying the blast radius of a potential vulnerability, and can help identify which specific workloads require attention.
“These tools can also often restrict application workloads to operate within a known and acceptable pattern, often blocking processes that may be tied to an exploited vulnerability,” he adds.
Stewart also pays close attention to what he calls “endpoint security enforcement.” The idea of a “perimeter” in cloud infrastructure isn’t as ideal as it once was in the data centre, and tools need to be deployed to treat every endpoint, or application, as a part of the perimeter itself.
“Tooling that enables zero-trust networking at the microservice level becomes increasingly important to reduce the dependency on the IaaS perimeter configuration,” he says.
The most important thing for him, he says, is education. Training courses for infrastructure and security tooling, he explains, reduce the margin for human error.
Development teams, he continues, require immediate access to evaluate, and test tools, and their configurations.
“Time delays in obtaining a ‘safe’ environment for learning will result in inappropriate environments being used for testing, or tools that never get implemented,” warns Stewart.
He also highly recommends that the successful completion of security training should be recorded “and proudly displayed on a developer profile, so as to create a Cloud Security culture in the company.”
And finally, there needs to be increased transparency and communication within the company. “In this world of ‘everything-as-code’, teams should have easy access to view the configuration code for systems that may affect their overall deployment or runtime activities,” he says, noting programs like Slack and Github can make that code accessible to an entire organization.
“What we can see emerging from all of these reports on problems and solutions, is a new set of strategies that must develop if companies are to protect themselves, and their clients, from being compromised on the public cloud.”