Page 42 - EE|Times Europe Magazine - December 2020

Shifting to Cloud Makes Security More Difficult

[Chart]
Organizations had storage services without encryption turned on: 65%
Organizations had databases without encryption turned on: 85%
Organizations had databases open to the internet: 13%
Organizations had storage services with public read/list permission enabled: 18%

Accidental data exposure through misconfigured storage services continues to plague organizations. Sophos found that 60% leave information unencrypted, which makes it easy for attackers to search for and identify new targets. Encryption is a key tool in preventing cybercriminals from seeing and reading stored information, and it is a requirement for many compliance and security best-practice standards.
(Source: Sophos, “The State of Cloud Security 2020”)

Verizon’s latest “Data Breach Investigation Report.” And a recent cloud security study by Sophos found that 91% of organizations had overprivileged IAM access roles. In addition, two-thirds of attackers enter via a misconfigured resource, such as a port accidentally left open to the public internet, and one-third via stolen cloud provider account credentials.

These last two findings are “very significant,” Sophos senior security advisor John Shier told EE Times. “The size of that second category may speak to a lack of security hygiene elsewhere in the environment that’s not being addressed, like maybe no two-factor authorization or a susceptibility to phishing.” Another possibility is that employee credentials could be stolen elsewhere and then used for access to the enterprise network, because people often reuse the same password.

After stealing those credentials and getting inside, attackers navigated the compromised accounts using IAM roles and permissions. “Managing access to cloud accounts is an enormous challenge, and yet only [a] quarter of organizations in our survey saw it as a top area for concern,” the Sophos report states. “The scale and interwoven nature of individual and group access to services means that organizations often simply can’t accurately see how their services can be accessed, and this lack of visibility is exploited by attackers.”

[Photo: Sophos’s John Shier]

IBM’s 2020 “Cost of a Data Breach Report,” released in July, found that last year, more than 8.5 billion records were exposed, and in one-fifth of those breaches, attackers used previously breached emails and passwords. Therefore, “businesses should rethink their security strategy via the adoption of a zero-trust approach — reexamining how they authenticate users and the extent of access users are granted,” the company said in a statement.

An “initial step toward understanding security challenges in cloud systems” has been taken by the U.S. National Institute of Standards and Technology (NIST) in publishing “General Access Control Guidance for Cloud Systems.” The new guidance analyzes access control issues in the three cloud service delivery models — infrastructure as a service (IaaS), platform as a service (PaaS), and software as a service (SaaS) — and gives design recommendations and potential policy rules for each.

EASY = VULNERABLE

What makes shifting to the cloud easy also makes it vulnerable. CSPs make it relatively straightforward for organizations to quickly develop and deploy code and systems for their platforms. But this ease and speed also make it relatively easy for attackers, once they’ve gotten access credentials, to use those same tools to quickly target and exploit a company’s cloud environment.

Unlike the more common IT environment, where disparate and often proprietary technology is cobbled together for each enterprise, customers generally all use the same standard cloud APIs to provision cloud services and manage their use.

That makes cloud environments easier to attack. “The ability to access these cloud-native tools also removes the need for sophisticated backdoors or custom tooling,” states FireEye’s Mandiant “M-Trends 2020” study. “Everything the attacker needs is publicly accessible and provided by the CSP.”

An IBM cloud security study found that cloud-based applications were the most common path used by cybercriminals in penetrating cloud environments, constituting 45% of incidents in cloud-related case studies. “The ease and speed at which new cloud tools can be deployed can also make it harder for security teams to control their usage,” IBM reports. In addition to configuration errors, attackers were helped further by employees’ setting up new cloud apps outside of approved channels, with vulnerabilities that remained undetected.

SHARED RESPONSIBILITY MODEL

“The top-level takeaway issue from [the Sophos] report is that in migrating to the cloud, there’s been confusion about whose responsibility it is to secure it,” said Shier. “Amazon likes to say that they’re responsible for everything of the cloud, but companies are responsible for what they put in the cloud. So really, many of these responsibilities are with companies themselves.”

The Cloud Shared Responsibility Model clarifies who’s considered responsible for which security tasks: the CSP or its customers. The model is described in the U.S. National Security Agency’s guide to mitigating cloud vulnerabilities. Although CSPs often provide tools for configuring cloud security and monitoring systems, actual configuration according to a customer’s organizational security requirements is up to the customer.

Yet this model is still not widely followed and can be difficult to implement. “Even among companies that do know about [it], they often don’t have the tools and visibility they need to understand where the problems and risks lie,” said Shier.

This is especially true in multi-cloud environments. “This can mean not only public plus private clouds, for example, but also even across cloud platforms, like a little bit of Microsoft Azure here and a little bit of Amazon Web Services there, so there are also manageability issues that need to be addressed,” said Shier. “For me, one surprise in our ‘State of Cloud Security 2020’ report was in the wider distribution of usage across cloud platforms.” Nearly three-quarters of respondents in the Sophos study reported using two or three public cloud providers, while also experiencing more security incidents than organizations using a single platform.

Public cloud security, especially, continues to be a major challenge. Three-quarters of respondents to Check Point’s “2020 Cloud Security Report” were concerned or very

        DECEMBER 2020 | www.eetimes.eu