Cloud App Security: Foggy With Low Visibility
Cloud services have been under the security gun in the past few months. Code Spaces had to close its doors after someone apparently gained access to its AWS management infrastructure and wiped away customer data. Dropbox reportedly was being used as a command-and-control infrastructure as part of targeted attacks on government organizations. Heartbleed exposed cloud service vulnerabilities.
While the cloud promises faster time to market and reduced costs, it also presents a new landscape for hackers to attack and achieve their goals -- namely, to find and gain unauthorized access to data and information. Attackers follow the data they are after, and if that data is residing in the cloud, then they are going to start operating in the cloud as well.
For many organizations, these recent events are a wake-up call to take a closer look at which cloud services are being used, by whom, and which actions are being performed within them. The current generation of enterprise tools -- firewalls, Web proxies, endpoint management -- are still necessary, but they are no longer sufficient, since they don't address cloud app threats.
The first item in Gartner's "Top 10 Technologies for Information Security in 2014" relates to cloud security; it stresses the importance for "visibility and control" between cloud service providers and the consumers of those services -- employees.
Let's first address the visibility issue. The trend toward the cloud is introducing new complexity for organizations, since it creates blind spots for IT when employees commission and use any of their own cloud apps.
These employees are focused on innovating around business tasks, without being aware or concerned about the visibility and security challenges these apps pose to the organization. The ramifications associated with lost patient records, Social Security numbers, or other confidential information don't get factored into the so called "Shadow IT" equation.
Furthermore, the various methods available for accessing cloud apps and services -- from a browser at the office or via a mobile device -- or from a native app on a mobile device -- make things even more complicated. Primarily because each approach works slightly differently under the hood, it is more difficult for IT to monitor activity and protect applications from being compromised or abused.
It's generally accepted that you can't manage what you can't measure. Visibility -- or measuring, in the context of Software as a Service apps -- is about monitoring and reviewing user behavior related to each application in a consistent and reliable manner.
In simple terms, this means determining who, what, when, why and how information for any application and any user. It also may mean performing risk analysis to determine whether applications are adhering to corporate security policies, or which user behaviors require immediate attention.
Tools and Training
There are new tools available in the market designed to sit between the cloud app and the user to enable visibility without impeding the end user experience. Gartner refers to these new capabilities collectively as "cloud access security brokers," and Forrester refers to the broad category as "cloud data protection."
By now, everyone understands that a stolen username and password can provide the proverbial keys to the kingdom within cloud apps. Unfortunately, there are many ways to obtain these credentials maliciously; Heartbleed is a good example.
Credentials also can be compromised via much less sophisticated attacks, such as an insider stealing a written-down password or an employee succumbing to a phishing attack. One of the challenges is that users have so many credentials to remember and use. Credential sprawl has created more avenues and opportunities to attack and take advantage of unsuspecting users.
End user security awareness and education are more important than ever, as the industry moves to a cloud model. IT Staff, for their part, can implement recommended new technologies to provide visibility and control over cloud apps.
Since employees with ubiquitous access to cloud apps from an expanding set of devices represent the weakest link, a hybrid approach to security is needed. Technology or training alone won't solve the problem -- both are required. Security fundamentals don't change in the cloud, but how they are implemented does.