
Cloud security requires operational preparedness

5-minute read

December 13, 2022

With the tsunami-like move to cloud, most cyber defenders have heard the phrase “the cloud is more secure than your legacy data center”. The cloud offers unique opportunities to eliminate legacy technical debt, implement new controls, and apply automated enforcement of security requirements. However, an equally true statement would be “the cloud is only as secure as you configure it.”

Each new cloud service has a myriad of options, from connectivity to encryption to cloud-native identity models, for protecting the workload and its data from threat actors. Automated enforcement of secure cloud controls – also known as policy as code – handles many of these settings, but threats keep evolving. Building cyber resilience requires understanding successful attacks and threat-actor objectives, and taking an enterprise-wide view of potential kill chains that run through cloud assets and cloud-native security services.

It's not the front door, it's the side window

With many companies shifting their "crown jewels" to the cloud, threat actors are increasingly targeting workloads and data living in the cloud. However, many successful attacks are not targeted directly at the cloud. Threat actors don’t focus on the distinction between what's hosted in the secure cloud and the legacy environment. They look for the path of least resistance toward their targets, be it business process disruption, data exfiltration, or something else, wherever it is hosted. In many cases, the weak point in the armor around the cloud environment isn’t within the cloud itself but remains in the legacy environment.

A successful cyberattack against workloads or data hosted in the cloud might look like the graphic below: the initial compromise targets an end-user workstation on-premises; through privilege escalation within that environment, the attacker obtains cloud administrative rights; from there, the threat actor can carry out a variety of actions on objective.

Figure: Threat actor identifies cloud objective

Breaking down an attack on the cloud

  1. Identifying a cloud target: Threat actors are always looking for targets, and social media is a great place to start. Decide what may be disclosed publicly when moving to cloud. Announcing "we're going to be the first to put X in cloud" communicates innovation, but also tells threat actors when, where, and what data you're moving.
  2. Compromising a cloud administrator: Spearphishing remains one of the most common vectors for initial compromise in breach events. User hardening is key to defending against all spearphishing attempts, but heightened enforcement and monitoring are a must for highly privileged access to the cloud.
  3. Moving laterally to the cloud: The cloud is often considered little more than a data center somewhere else, but it holds the promise of a fresh start. As services and data move to the cloud, retire the technical debt that came with them. Enforce security, rather than hoping for it on the back end.
  4. Actions on cloud objectives: Many actions on objectives in the cloud exploit a lack of awareness of what's deployed where. Ransomware exploits data sprawl; resource hijacking exploits poorly understood resource requirements; and so on. Security should be involved from day one, with an understanding of how the business will be using the cloud.
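
Step 2 above calls for heightened monitoring of highly privileged cloud access, and step 4 for spotting the actions that follow. The following added example (not code from the original post) shows what that monitoring can look like as detection logic run over audit-log lines. The JSON event schema, the field and action names, the privileged-identity list and the log lines themselves are all constructed assumptions standing in for your provider's audit log and your own IAM inventory.

```python
"""Detection rules for privileged cloud access, run over constructed audit-log
lines. Added example, not the post's code: the JSON event schema, the field
and action names, and the privileged-identity list are assumptions standing in
for your provider's audit log and your own admin inventory.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumption: identities holding cloud administrative rights (from your IAM inventory).
PRIVILEGED_PRINCIPALS = {"cloud-admin@corp.example"}
# Assumption: actions that change who can do what, or blind the defenders.
SENSITIVE_ACTIONS = {"AttachAdminPolicy", "CreateAccessKey", "UpdateRoleTrust", "DisableLogging"}
ESCALATION_WINDOW = timedelta(minutes=30)

# Constructed log lines, one JSON event per line, deliberately out of order.
LOG_LINES = """\
{"time": "2022-12-01T09:12:00Z", "principal": "cloud-admin@corp.example", "action": "CreateAccessKey", "mfa": false, "source_ip": "10.20.1.77", "result": "Success", "target": "svc-backup"}
{"time": "2022-12-01T09:00:00Z", "principal": "dev-1@corp.example", "action": "ConsoleLogin", "mfa": true, "source_ip": "10.20.1.15", "result": "Success"}
{"time": "2022-12-01T09:05:00Z", "principal": "cloud-admin@corp.example", "action": "ConsoleLogin", "mfa": false, "source_ip": "10.20.1.77", "result": "Success"}
{"time": "2022-12-01T09:14:00Z", "principal": "cloud-admin@corp.example", "action": "DisableLogging", "mfa": false, "source_ip": "10.20.1.77", "result": "Success", "target": "audit-trail"}
{"time": "2022-12-01T11:00:00Z", "principal": "cloud-admin@corp.example", "action": "ConsoleLogin", "mfa": true, "source_ip": "10.20.1.8", "result": "Success"}
{"time": "2022-12-01T11:20:00Z", "principal": "cloud-admin@corp.example", "action": "AttachAdminPolicy", "mfa": true, "source_ip": "10.20.1.8", "result": "Success", "target": "role-dataeng"}
{"time": "2022-12-01T12:00:00Z", "principal": "dev-1@corp.example", "action": "AttachAdminPolicy", "mfa": true, "source_ip": "10.20.1.15", "result": "Failure", "target": "dev-1@corp.example"}
"""

Alert = Tuple[str, str, str]  # (rule, principal, event time)


def parse(lines: str) -> List[dict]:
    """Parse JSON-per-line events and sort them by timestamp."""
    events = []
    for line in lines.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events: List[dict]) -> List[Alert]:
    """Apply three rules in time order and return the alerts they raise."""
    alerts: List[Alert] = []
    # principal -> time of its most recent successful login that lacked MFA
    weak_sessions: Dict[str, datetime] = {}
    for e in events:
        p, action, ok = e["principal"], e["action"], e["result"] == "Success"

        if action == "ConsoleLogin" and ok:
            if p in PRIVILEGED_PRINCIPALS and not e["mfa"]:
                # Rule 1: an admin signed in without MFA (the phished-credential case).
                alerts.append(("privileged_login_without_mfa", p, e["time"]))
                weak_sessions[p] = e["ts"]
            else:
                weak_sessions.pop(p, None)  # a fresh MFA-backed login supersedes

        if action in SENSITIVE_ACTIONS:
            if p not in PRIVILEGED_PRINCIPALS:
                # Rule 2: an unprivileged identity attempting privilege changes, even if denied.
                alerts.append(("sensitive_action_by_unprivileged", p, e["time"]))
            elif ok and p in weak_sessions and e["ts"] - weak_sessions[p] <= ESCALATION_WINDOW:
                # Rule 3: the kill chain continuing from a weak admin session.
                alerts.append(("sensitive_action_after_nonmfa_login", p, e["time"]))
    return alerts


if __name__ == "__main__":
    for rule, principal, when in detect(parse(LOG_LINES)):
        print(f"{when} {rule}: {principal}")
```

Rule 3 is the one that ties the chain together: a single non-MFA admin login is suspicious, but the same identity creating access keys and disabling logging minutes later is the escalation-then-actions-on-objective sequence described above. The legitimate MFA-backed session at 11:00 clears the weak-session state, so the policy attachment at 11:20 raises nothing, while the denied attempt by an unprivileged developer is still surfaced.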

Actions you can take to build cyber resilience when moving to the cloud

While threat actors are constantly evolving, there are some key actions companies can take to stay ahead of the curve with attacks against their cloud assets:

  1. Leverage cloud-native security. Although nothing can prevent 100% of cyberattacks, the cloud offers unique opportunities to remediate technical debt and implement preventative controls that aren't available, or are cost prohibitive, in a legacy environment. Leading practices like zero trust, micro-segmentation and automated compliance enforcement can become reality. Use the best of what cloud has to offer when implementing applications in the cloud. In most client environments this is a both/and conversation: native cloud security services and third-party security technology providers. The glue that binds them is the process, integration and orchestration you only get by looking at the entire picture.
  2. Build secure pipelines. As companies move to cloud, they often undertake modernization efforts to refactor applications for cloud, and they typically want to accelerate development compared to the legacy environment. Moving to cloud provides a perfect window to establish secure DevSecOps pipelines that test applications for security vulnerabilities before they're introduced to production, and to embed "secure by design" principles into the new application landscape. Developing a limited set of sanctioned, secure application deployment patterns, along with the code that implements them, enables the application development community on the front end and gives security operations predictability and consistency on the back end.
  3. Prepare for the worst. The cloud introduces many changes to security operations, and foremost among them is the shared responsibility model. One of the key tenets of successful crisis management is clearly defined roles and responsibilities. Know (and document) when and how to contact your cloud services providers (CSPs) regarding a breach. During a cloud migration, incident response plans and playbooks should be updated to account for CSP involvement, and incident responders need to be trained on how to use cloud technology to mitigate threats. When was the last time you did a dry run of your incident response plan, with everyone in the RACI (responsible, accountable, consulted, and informed) matrix, for your cloud environment?
  4. Test your defenses. Regular testing is critical to validating that secure cloud controls, both preventative and detective, are effective. When conducting this testing, consider not only testing the cloud hosted applications and infrastructure, but also broader testing of the enterprise-wide ecosystem to understand how threat actors might target your cloud workloads and data and to identify weaknesses across the entire kill chain. Evidence as a service is an emerging offering that provides validation of controls, streamlined audits and lower cost for many companies.
  5. Evaluate cloud security during mergers and acquisitions. While some companies have adopted multi-cloud strategies, many still have a preferred strategic cloud provider. An important component of cyber due diligence is developing an understanding of the technology architecture of the acquired company’s landscape, including cloud-hosted environments. These environments should be assessed against the acquiring company’s cloud security standards. Additionally, companies should evaluate the readiness of the new company’s team (capacity and skillset) to manage the security of these new providers and subscriptions.
  6. Educate your users. Users are still the first line of defense against cyber threats. Beyond just training end users to report phishing emails, make sure that all users – including third parties, contractors, end users, IT admins, security operations, etc. – are aware of their roles in protecting the company. This includes making sure that your IT administrators are aware of the security requirements in the new cloud environment, that developers understand secure coding practices and that the security organization understands how to manage the controls in the new environment.
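
The "policy as code" mentioned earlier, and the automated compliance enforcement and pipeline gating in items 1 and 2 above, come down to the same mechanism: codified checks run over the configuration before (and after) it reaches production. The following added example (not code from the original post or from any cloud provider) shows one such check over a constructed resource inventory, with a misconfigured and a compliant resource of each kind side by side. The resource shapes, field names and policy names are assumptions standing in for whatever your real inventory export or infrastructure-as-code plan looks like.

```python
"""Policy-as-code check run against a constructed cloud resource inventory.

Added example, not the post's or any provider's code. Resource shapes,
field names and policy names are assumptions standing in for whatever the
real inventory export (or Terraform plan) looks like in your environment.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Violation:
    policy: str
    resource: str
    severity: str
    detail: str


# A policy inspects one resource and returns a failure detail, or None to pass.
Policy = Callable[[dict], Optional[str]]


def storage_not_public(r: dict) -> Optional[str]:
    if r["type"] == "storage_bucket" and r.get("public_access"):
        return "bucket grants public access"
    return None


def storage_cmk_encryption(r: dict) -> Optional[str]:
    if r["type"] != "storage_bucket":
        return None
    enc = r.get("encryption") or {}
    if not enc.get("enabled"):
        return "encryption at rest disabled"
    if enc.get("key_type") != "customer_managed":
        return "encrypted with a provider-managed key, not a customer-managed key"
    return None


def admin_requires_mfa(r: dict) -> Optional[str]:
    if r["type"] == "iam_user" and "admin" in r.get("roles", []) and not r.get("mfa_enabled"):
        return "administrative user without MFA"
    return None


def no_world_ssh(r: dict) -> Optional[str]:
    if r["type"] != "firewall_rule":
        return None
    for rule in r.get("ingress", []):
        if rule["cidr"] == "0.0.0.0/0" and rule["from_port"] <= 22 <= rule["to_port"]:
            return "TCP/22 open to 0.0.0.0/0"
    return None


# (policy name, severity, check); "high" findings block the pipeline below.
POLICIES: List[Tuple[str, str, Policy]] = [
    ("storage.no_public_access", "high", storage_not_public),
    ("storage.cmk_encryption", "medium", storage_cmk_encryption),
    ("iam.admin_mfa", "high", admin_requires_mfa),
    ("network.no_world_ssh", "high", no_world_ssh),
]


def evaluate(inventory: List[dict]) -> List[Violation]:
    """Run every policy over every resource and collect the failures."""
    return [
        Violation(name, r["id"], severity, detail)
        for r in inventory
        for name, severity, check in POLICIES
        if (detail := check(r)) is not None
    ]


def gate(inventory: List[dict], block_on=("high",)) -> Tuple[bool, List[Violation]]:
    """Deployment gate: passes only if no violation has a blocking severity."""
    violations = evaluate(inventory)
    return not any(v.severity in block_on for v in violations), violations


# Constructed inventory: one misconfigured and one compliant resource of each kind.
INVENTORY = [
    {"id": "bucket-legacy-exports", "type": "storage_bucket", "public_access": True,
     "encryption": {"enabled": True, "key_type": "provider_managed"}},
    {"id": "bucket-finance", "type": "storage_bucket", "public_access": False,
     "encryption": {"enabled": True, "key_type": "customer_managed"}},
    {"id": "user-cloud-admin", "type": "iam_user", "roles": ["admin"], "mfa_enabled": False},
    {"id": "user-dev-1", "type": "iam_user", "roles": ["developer"], "mfa_enabled": False},
    {"id": "fw-bastion", "type": "firewall_rule",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22}]},
    {"id": "fw-app", "type": "firewall_rule",
     "ingress": [{"cidr": "10.0.0.0/8", "from_port": 443, "to_port": 443}]},
]

if __name__ == "__main__":
    passed, findings = gate(INVENTORY)
    for f in findings:
        print(f"[{f.severity}] {f.policy} on {f.resource}: {f.detail}")
    print("deploy allowed" if passed else "deploy blocked")
```

Wired into a pipeline, `gate()` is the "enforce security rather than hope for it" step: a public bucket, an admin without MFA or SSH open to the world fails the build, while a medium finding such as a provider-managed key is reported but does not block. The same evaluator run on a schedule against the live inventory turns the preventative control into a detective one, which is what catches drift after deployment.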

Embedding security into your cloud journey from day one helps ensure that the cloud really is more secure than your legacy data center. That said, don’t forget that the cloud is only as secure as you configure it, and that defending it from cyberattacks requires continuous verification and ongoing readiness testing to prepare for a cyber event.