How to Manage Risks in Cloud Environments
Published 06/20/2023
Originally published by BigID.
Written by Tyler Young.
For the last decade, organizations have been planning to – or already have – moved all of their data to the cloud. On the surface cloud computing sounds great: lower operating costs, endless geographical deployments, and exponential compute power (and data storage)… but what about the risks associated with securing data in your cloud environment?
Let’s take a look at some of the potential risks of throwing all of your data in the cloud without proper visibility, knowledge, security strategy (or gates), or a risk remediation plan.
One Click deployment (or Infrastructure as code deployments)
Cloud computing has allowed for infrastructure to be deployed in a seamless fashion (including datastores). Template systems are easily deployed and at scale it makes it very easy for engineering teams to build complex cloud environments. With all of this ease of deployment comes the risk of a simple misconfiguration leaving access to databases/datastores (AWS s3) wide open or an attacker getting access to your build pipelines and injecting malicious code.
Over the last several months we have seen an uptick in Threat Actors – like TeamTNT compromising AMI (Amazon Machine Image) templates at companies and injecting them with cryptominers. When engineering teams automatically pull the templates in their build pipelines, they were often deploying compromised templates. While this was just one instance of cryptominer, this could have just as easily been a remote access malware or an express route to the attacker IP.
Knowledge gap
With any new technology or platform there will, inevitably, be growing pains. Cloud computing is no different. Every cloud provider has a different name for compute (EC2 v. VM), storage (s3 v. Blob), and networking (Route 53 v. DNS) which can make it difficult to find engineers that are well versed in configuring both. There is already a talent shortage for highly skilled engineers, which leaves companies training up resources (or being understaffed) on the fly. In the meantime, they are continuing business as usual while pumping terabytes or petabytes of data in cloud storage that are not securely configured.
Look at the Optus Data Breach that was just reported a few days ago… “ An employee intended to open Optus’ customer identity database via an API, yet required no authentication and it was left accessible via a test network”. This ultimately resulted in a hacker compromising approximately 11milion customer records and threatening to release the data if Optus does not pay $1 million (USD).
What can you do to combat the cloud risks?
So while this all sounds like you are doomed… you don’t have to be. If you put your data in the cloud, it doesn’t have to be all doom, risk, and vulnerability. Cloud providers have upped their game when it comes to their security capabilities and there are several security capabilities that need to be table stakes in your cloud security stack. Believe it or not, at the end of the day all attackers (the 99%, at least) want is either your data or your computing resources. The attackers’ endgame is equating to financial gain for them.
1. Data Visibility
- If you do not know where your data is, how can you protect it? It’s no longer acceptable to assume your data is only on the S3 bucket you thought it was on or stored in that database.
- You need full data visibility into your cloud environment and the ability to remediate when you find unencrypted, externally facing, or stale data.
2. Cloud Security Posture management (CSPM)
- Do you even know what is being deployed?
- …and when you do know what is being deployed, are you aware of vulnerabilities or misconfigurations?
- This is where a CSPM is crucial. Being able to scan systems in real and determine vulnerabilities/misconfigurations is absolutely critical to being able to secure your Cloud environment.
3. Controlled Access
- Who in your organization has the ability to access your cloud environment?
- Who has the ability to deploy systems/workloads?
- Controlling access can be done by using your Identity provider and implementing Role Based Access Control (RBAC). It is extremely important to limit access to your cloud environment and who can deploy systems. Ensuring proper approval for workload deployments needs to be in place. It’s very difficult to manage cloud systems if everyone can access your cloud environment and spin up a workload.
- If you are a SaaS company hosting a product(s) for customers: I highly recommend self service/just-in-time access solutions that allow for specific access based on roles (i.e Support) and ensure access is revoked after a defined period of time.
4. Infrastructure as Code (IAC) Scanning
- As cloud deployments have become codified, it is important that the templates, files, modules and variables are being scanned by an IAC scanner in your build pipelines for misconfigurations and vulnerabilities before they are pushed to production.
The cloud is a wonderful thing. Embrace it. But be intelligent about it: make sure that you’ve got your bases covered – from the data that you’re storing to the cloud, to the configuration, to the controls that you’ll put in place to manage risk.
Related Articles:
Texas Attorney General’s Landmark Victory Against Google
Published: 12/20/2024
10 Fast Facts About Cybersecurity for Financial Services—And How ASPM Can Help
Published: 12/20/2024
Winning at Regulatory Roulette: Innovations Shaping the Future of GRC
Published: 12/19/2024
The EU AI Act and SMB Compliance
Published: 12/18/2024