Dark territory: addressing cloud security issues
January 2023 | COVER STORY | RISK MANAGEMENT
Financier Worldwide Magazine
January 2023 Issue
With more companies embracing the cloud, related security issues can create headaches. As cyber criminals become bolder and more resourceful, attacks are more prevalent – and the cloud is an attractive target. More than 80 percent of organisations have experienced a security incident on a cloud platform during the past 12 months, according to research from Venafi. Most concerning, almost half of those organisations reported at least four incidents during the same period.
“Although the top organisational vulnerabilities, such as misconfiguration and inadequate change controls, lack of cloud security architecture and insecure software development, are still matters that are within an organisation’s control, a change in the threat actor’s profile has rendered cyber attacks increasingly violent and difficult to predict,” says Danielle Miller Olofsson, a senior associate at Stikeman Elliott. “In the last five to 10 years, the threat actor’s profile has changed from the troublemaking cyber geek, to that of a seasoned professional.
“Two factors are largely responsible for this trend,” she continues. “The first is financial. As a result of the exponential increase in the amount of ransom organisations are willing to pay to have their systems restored, cyber crime has become a very lucrative business model. The second is geopolitical. Certain nations offer safe harbour to cyber criminals provided they help the nation in question attack its enemies.”
The growing business reliance on cloud-based connectivity means cyber threats pose a real concern for all connected businesses. The coronavirus (COVID-19) pandemic had a significant impact on organisations, many of which were already moving to the cloud; however, the health crisis accelerated this transition. With the normalisation of remote working, many companies now provide support and critical services to an off-site workforce.
Cloud complexities and vulnerabilities
According to Check Point, over 98 percent of organisations use some form of cloud-based infrastructure, and 76 percent have multi-cloud deployments composed of services from two or more cloud providers.
Meanwhile, there has been a dramatic increase in security and operational complexity connected with cloud deployments. The scale of cloud environments is creating new challenges for even the most sophisticated security teams. Attackers have become experts at exploiting new kinds of vulnerabilities associated with the cloud. There is constant pressure to design platforms to be inherently secure.
“The obvious risk to cloud architectures is that a malicious actor can exploit a single access point in order to infiltrate a wide and varied range of systems, and that in a shared environment, the potential access point exists in many different places,” points out Arvind Dixit, a partner at Corrs Chambers Westgarth. “Cloud security needs to be considered as one aspect of an overarching security framework. In that regard, it cannot be separated from concepts relevant to traditional security – security needs to be considered holistically across the whole technology architecture of an organisation.”
However, insider threats – whether malicious or accidental – are also a major concern for cloud security. As an example, remote working and cloud platforms give rise to ‘shadow IT’, whereby users bypass procurement protocols to access IT solutions without the company’s knowledge.
“The growth of cloud-based consumer applications has likely increased the adoption of shadow IT by employees, as cloud-based file sharing and communications services are readily available for free,” points out Mr Dixit. “Where an employee uses one of these services to share the company’s data, it circumvents the extensive security measures the company has likely put in place for the use of its approved IT.
“Not only does this expose the company to a greater risk of a security breach, it also may increase the company’s liability to claims that it has not taken reasonable steps to protect the data it holds,” he warns.
According to Ms Miller Olofsson, shadow IT is pernicious and potentially very dangerous to an organisation because, at best, one can only protect what one knows. “If employees are downloading or configuring software that is not approved by the organisation this can create new entry points for threat actors and new data that may not be adequately protected,” she says. “Although organisations can attempt to dissuade these practices through training, policies and sanctions, the most effective way to prevent the widespread use of shadow IT is to design systems that are simple to use, that meet the needs of the users, and for which the organisation provides adequate and continuous training and support.”
Too often, companies fail to provide adequate software for employees to do their job as efficiently as possible. This is a problem when countless applications are available online, ready to be downloaded and installed in minutes. It can be too easy for employees to access unvetted solutions they believe will help them fulfil their job requirements. “If you do not give people the technology they want or need, they will find it elsewhere, thus creating shadow IT,” says Frank Jennings, a partner at Teacher Stern LLP. “This can create security holes in the network and the data. Implementing zero trust might be one way of regaining control over security. But treating the network as hostile is effectively treating your people as hostile too, and they might look outside the network. So, the network will be secure but not necessarily the data.
“Security is about people, process and technology — and managing all three effectively. The key is to adopt the processes to ensure security, so the people can get the technology they want,” he adds.
In response to the changing habits and ambitions of cyber criminals, cloud security efforts have also evolved. Cloud environments host critical business applications and store sensitive company and customer data. As such, cloud security architecture allows companies to define how to configure and secure activities and operations within the cloud. This includes assessing threat posture and overall security, identity and access management, controlling and protecting applications and data, physical infrastructure security components, policies and governance to meet compliance standards, and instilling security principles into cloud services development and operations.
“There is often a perception that the use of cloud-based architectures is less secure than local systems,” suggests Mr Dixit. “In recent years though, this perception has shifted due to the investment of many cloud providers in world class security systems and technologies, given its criticality to their offerings. This has led to organisations utilising cloud systems as a means of actually increasing their security posture.”
Where does responsibility for cloud security lie?
Meanwhile, the question of responsibility for securing cloud-based applications continues to shift. For many companies, the issue remains ambiguous. In the Venafi study, no consensus emerged, although the most popular option was to share responsibility between cloud infrastructure operations teams and enterprise security teams (24 percent). Next was having multiple teams share responsibility (22 percent), followed by assigning responsibility to the developers writing cloud applications (16 percent), then DevSecOps teams (14 percent).
For Mr Dixit, the responsibility for cloud security must lie with both the cloud provider as well as the organisation utilising that architecture. “The responsibility for securing different aspects of the architecture should lie with the organisation most able to control the relevant risk,” he says. “A critical risk mitigation step is ensuring that there is contractual and technical clarity as to each party’s responsibility.
“In many circumstances, the issue of security responsibility is not considered by the parties, and this leads to gaps and vulnerabilities. Any organisation implementing a cloud computing component within its technical architecture should ensure that it understands the boundaries of the security provided by the cloud provider, and then builds any necessary uplifts into its own systems to address gaps,” he adds.
According to Mr Jennings, responsibility for cloud security depends on the situation. “It might be the customer or it might be the cloud provider,” he says. “The customer owns business sensitive and personal data which it places in the cloud. Infrastructure as a service (IaaS) providers typically exclude liability for loss, leakage, corruption or damage to data. Their rationale is that they make infrastructure available and it is up to the customer to implement security.
“Platform as a service (PaaS) and software as a service (SaaS) providers will usually take more responsibility and include security in their offerings,” he continues. “The customer might be able to outsource certain aspects of security to the provider through the contract. But the customer is ultimately responsible for the security of its cloud. If data leaks because of poor security, the customer will suffer the most. Its clients, the regulator or data supervisory authority will look to the customer.”
In Ms Miller Olofsson’s view, there is a case to be made for regulating certain cloud security services. “There is a conversation that needs to be had around the industry that is growing up around cloud security that is driving up the cost of preventing and dealing with breaches without any obvious advantages to society as a whole,” she says. “Some examples of this are ransom negotiators, bug bounty hunters, or credit monitoring services that are often being paid by several different organisations, all of which have suffered a breach, to monitor the same account.
“The question that follows from this is whether governments will continue to leave these services unregulated. Or is there a case to be made for making them part of a public cyber security infrastructure, in the same way that judges, police and public healthcare are pillars of the traditional public security infrastructure?” she asks.
Mitigation measures
Given the scale of the threat, and the financial and reputational harm that a breach may cause, there are steps companies should take to mitigate an attack. External and insider threats, either malicious or accidental, present a substantial cloud security risk. As such, it is essential that companies develop a comprehensive cloud security strategy in tandem with their cloud service provider. This should include company-wide cloud usage and permission policies based on multifactor authentication, and data governance processes that enable centralised logging to track activity.
According to Mr Dixit, companies should, first and foremost, ensure they have a sound understanding of the cloud service provider’s security and information handling practices. “This should be a key part of due diligence in respect of any potential cloud provider,” he notes. “The company should also consider whether the cloud provider has been certified against relevant information security standards, and that the cloud system is subject to regular auditing and penetration testing. Reliance on compliance with recognised and approved standards can provide companies with a degree of comfort, but this should not replace thorough technical due diligence.”
Also important is to specify the details surrounding responsibility in the contract with the cloud service provider. “The relevant contract for the provision of cloud services should clearly set out the responsibility of the cloud provider in the event of a data breach, and the extent to which the company is able to direct the response adopted by the cloud provider, given that the impacted individuals will often be the customers of the company, and the company ultimately sits with much of the reputational risk,” explains Mr Dixit. “This is also critical where the company is in a heavily regulated sector or is operating critical or significant infrastructure.
“Companies often seek to adopt a multi-cloud strategy across a range of different cloud providers to mitigate the operational risk of one cloud provider’s services being compromised. This is also often adopted in a backup context to mitigate the risk of a primary system being compromised,” he adds.
Going forward, Mr Dixit expects to see a rise in jurisdictional and data sovereignty requirements compelling more types of data to be stored in the country in which it was collected. As this trend develops, it is likely to limit the commercial and delivery models of cloud vendors, he notes.
“We expect to see more ‘AI as a service’ offerings, which cloud storage providers utilise as a means of differentiating their hosting offerings,” says Mr Dixit. “For example, in addition to simply storing data on behalf of a company, the cloud provider will also offer deep analytics as part of that storage offering. This use of AI, and the insights that it is capable of deriving, will increase the value of cloud systems to hackers and may lead to these systems continuing to be targeted, potentially by highly sophisticated actors.”
Evolving technologies are set to play a critical role – both good and bad – in future security solutions. Blockchain, for instance, can provide high levels of assurance in ownership and responsibility. Another key area is quantum computing. According to the Cloud Security Alliance (CSA), a quantum computer will be able to break present-day cyber security infrastructure by 14 April 2030. As such, all modern algorithms used for global public key infrastructure will be vulnerable to quantum attacks.
As malicious actors avail themselves of the latest technologies and tactics, companies must strengthen their current cloud infrastructure and prepare for tomorrow. To survive the fallout of future attacks, they need to focus on the basics. By implementing good data hygiene, strengthening access controls, frequently updating software and automating compliance, among other measures, companies can prepare for the worst.
© Financier Worldwide
BY
Richard Summerfield