Two Laws of Cloud Security
By Andrew Roberts, Chief Cybersecurity Strategist, cStor
As more and more workloads are shifted to the cloud, there is growing concern about the best ways to secure cloud assets. Media reports about cloud breaches don’t help alleviate these concerns.
Ask about ways to improve cloud security and “it depends” is the most common answer. That is not very helpful. Rather than add to the litany of “best practices” that may or may not be best for you, I propose Two Laws of Cloud Security. The laws may seem contradictory at first glance, but upon reflection, you will find that both are always true. When both are properly considered and implemented, the cloud will be a more secure place.
The First Law of Cloud Security:
The cloud is an extension of your data center infrastructure and should be secured as such.
How quickly we forget. For decades, IT professionals have been learning lessons (often the hard way) about making data center infrastructure more secure. Gone are the days when most IT admins had domain administrator rights just because it made their job easier. When we moved to the cloud, too many of us forgot those lessons and failed to implement simple, time-tested best practices in our cloud infrastructure.
In 2016, Uber suffered a breach in which 57 million user records and 600,000 driver records were stolen from servers on AWS. How did this happen? The credentials for the AWS account were found on GitHub. Did we forget about the lessons we learned about keeping passwords on spreadsheets stored in shared drives?
In 2018, Timehop had 21 million records stolen from their cloud infrastructure. Again, valid credentials were used.
In both cases, multi-factor authentication (MFA) was turned off in the cloud infrastructure. We all know MFA is important in our data center; why don’t we remember that lesson in the cloud?
Here are some common cloud mistakes that could be avoided by learning from the past:
Not patching – Cloud servers are still servers. They run operating systems just like their physical counterparts. They still need to be patched. If you don’t know who is responsible for patching your cloud servers, then the answer is simple: you are.
Using a root account for everything – When creating a cloud environment, that initial user account has access to everything, kind of like a Windows Enterprise Admin, Schema Admin and Domain Admin all rolled into one. We tightly control those on-prem Windows accounts, so why do we keep using the initial root account to manage our cloud infrastructure?
Leaving MFA turned off – Multifactor authentication is one of the best ways to improve the security of an account. While not infallible, it does greatly reduce the risk of compromised credentials. Cloud services offer MFA and it’s easy to turn on. Why don’t we?
Forgetting the principle of least privilege – Inside the data center, the principle of least privilege is an actual “thing.” What about the cloud? See “Using a root account for everything.”
Neglecting network ACLs – Network Access Control Lists (ACLs) have long been an important part of the data center defense strategy. Do you know how your cloud ACLs are configured? They are just as important in the cloud.
Failing to log and monitor – Logs are critical to data center operations and just as critical in the cloud, but all that is lost if those logs are not monitored. Cloud infrastructure can generate logs if you just turn logging on. Once logs are being collected, get them somewhere they can be monitored, like a SIEM.
Storing clear-text data – Tremendous investments have been made to encrypt data in the data center to protect it against a breach. That is just as important in the cloud – just ask either of the two companies in the earlier breach examples.
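As an added check (not part of the article), the following Python reads an AWS IAM credential report and flags the root-account and MFA mistakes listed above. The report text is a constructed sample using a subset of the real report's columns; the account id and user names are made up.

```python
import csv
import io

# Constructed sample of an AWS IAM credential report (a subset of its real
# columns; a real one comes from `aws iam get-credential-report`).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,2024-01-15T10:02:11+00:00,false,true
alice,arn:aws:iam::123456789012:user/alice,true,2024-01-10T08:00:00+00:00,true,true
bob,arn:aws:iam::123456789012:user/bob,true,2024-01-12T14:30:00+00:00,false,false
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,no_information,false,true
"""

ROOT = "<root_account>"  # how the credential report names the root user


def audit_credential_report(report_csv):
    """Return a list of findings for the root-account and MFA mistakes above.

    Only console (password) users are flagged for missing MFA: access keys
    cannot be protected by MFA on their own, so key-only users are judged
    by whether they need long-lived keys at all (not checked here).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row["mfa_active"] == "true"
        console = row["password_enabled"] == "true"
        key_active = row["access_key_1_active"] == "true"
        last_login = row["password_last_used"]
        if user == ROOT:
            if not mfa:
                findings.append("root: MFA is not enabled")
            if key_active:
                findings.append("root: long-lived access key is active; delete it and use IAM roles")
            if last_login not in ("N/A", "no_information"):
                findings.append("root: console sign-in recorded; do not use root for routine work")
        elif console and not mfa:
            findings.append(f"{user}: console password enabled without MFA")
    return findings


if __name__ == "__main__":
    for finding in audit_credential_report(SAMPLE_REPORT):
        print(finding)
```

Feed the function the real report and ship the findings to the same SIEM that receives your cloud logs, so the check runs on a schedule rather than once.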
The Second Law of Cloud Security:
The cloud is nothing like your data center infrastructure and should be secured as such.
While it’s important to remember the lessons learned from decades of operating data center infrastructure, we must also recognize that the cloud offers some unique security challenges. We have all heard stories about data breaches that occurred because of a poorly implemented (and globally exposed) S3 bucket. Misconfigurations like that in the data center might expose data to more of the company than is appropriate, but it rarely leads to global exposure. Just ask Exactis, a data aggregation and marketing firm that had 340 million records exposed because of a misconfigured AWS server.
All cloud infrastructure operates under some model of shared responsibility. In the data center, the responsibility is always yours. In the cloud, “I thought they did it,” is a statement that is used far too often. Know where your responsibility lies and if you are uncertain, assume the responsibility is yours.
Some common cloud mistakes include:
Globally exposing data – Global exposure in the cloud means it is exposed globally in the very literal sense. Make sure your configurations are appropriate; start with no access and add only what is needed.
Using on-prem ACLs in the cloud – Earlier we stressed the importance of ACLs, but that does not mean you can just copy your on-prem ACLs to your cloud infrastructure. That environment is different. The ACLs should be as well.
Assuming traditional security tools will work – Making a virtual instance of your traditional security tool and running it in the cloud is not always a good choice. With autoscaling, immutable servers and availability zones, these on-prem solutions may not know how to cope. Consider a solution that is built for the cloud or, at the very least, test your solution thoroughly before trusting it to give you the same protection you have come to expect.
Launching services without thinking – One of the value propositions of cloud services is the ease with which new services can be started and implemented, but that is also one of the pitfalls. It does not take much thought to check a checkbox and a mindless click may open unintended holes.
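An added example, not the author's: Python that evaluates an S3 bucket's policy, ACL grants and Block Public Access settings for the global exposure described above, and shows how the “start with no access” baseline neutralizes an open configuration that is already in place. The policy, grants and account id are constructed; the group URIs and the four Block Public Access keys are the real AWS values.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Constructed bucket policy: an "anyone may read every object" statement next
# to a legitimate, narrowly scoped one that must not be flagged.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
# Constructed ACL grants in the shape returned by get-bucket-acl.
OPEN_GRANTS = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
# The "start with no access" baseline: all four Block Public Access settings on.
LOCKED_DOWN = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

def _principal_is_anyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_statements(policy_json):
    """Allow statements granted to anyone with no Condition: global exposure."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s for s in stmts if s.get("Effect") == "Allow"
            and _principal_is_anyone(s.get("Principal")) and "Condition" not in s]

def public_acl_grants(grants):
    """Grants to AllUsers (anyone) or AuthenticatedUsers (anyone with any AWS account)."""
    return [g for g in grants if g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)]

def exposure_report(policy_json, grants, block):
    """Judge exposure as S3 does: IgnorePublicAcls and RestrictPublicBuckets
    neutralize public ACLs/policies already in place, while BlockPublicAcls and
    BlockPublicPolicy only stop new public settings from being written."""
    via_policy = bool(public_statements(policy_json)) and not block.get("RestrictPublicBuckets")
    via_acl = bool(public_acl_grants(grants)) and not block.get("IgnorePublicAcls")
    return {"via_policy": via_policy, "via_acl": via_acl, "exposed": via_policy or via_acl}
```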
If we can remember the lessons that we have learned in the data center while acknowledging that the cloud also has critical differences, we can do a lot to improve our security.
A mistake in the data center would also be a mistake in the cloud…but the stakes are higher.