+44 20 3290 3020 [email protected]

Cloud security threats require improved IT collaboration, governance, not necessarily new technology

Summary: Migrating your on premise security controls to a completely new cloud environment isn’t enough. Even cloud organisations with years of experience behind them are vulnerable. As enterprises expand their use of cloud services to include critical business applications and data, the risk of security breaches, such as the one perpetrated on Capital One that I detailed last week , becomes a C-level concern. Heedlessly migrating internal systems designed for on-premises infrastructure and security controls to a radically different cloud architecture, often without fully understanding cloud security features, controls, network design and user responsibilities, is a recipe for disaster. When even organizations like Capital One, with years of AWS experience providing a deep appreciation of the cloud’s technical nuances, can be exploited by a hacker, it’s evident that every cloud user needs to redouble their security efforts. Thankfully, there is an organization like the Cloud Security Alliance (CSA) dedicated to improving the security of cloud environments by developing policies, recommendations and threat research. As the corporatized version of the DEF CON hacker conference, the Black Hat event has become a required stop for most security vendors and researchers. Like most security conferences, it’s full of scary announcements of previously unknown software vulnerabilities, new attack methods and creative demonstrations of the hacking craft. Unfortunately, like most security events, the preponderance of Black Hat content describes threats and vulnerabilities, not countermeasures and software fixes. CSA follows the script in using the event to release a new report on cloud threats, but counters with another report detailing structural improvements that improve an organization’s security posture by integrating security into the software development and IT operations First, the threats Like the Capital One incident demonstrated, using cloud infrastructure and applications opens up new avenues of cyber attack while simultaneously complicating the responsibility for application and data security by splitting responsibility for security policies between the cloud provider and user. While last week’s column focused on the demarcation of responsibilities, a new CSA report highlights the new threat vectors the cloud introduces. The CSA Top Threats Working Group regularly releases its assessment of the most significant security issues facing enterprise cloud users. Over time, it found that traditional threats to core infrastructure like denial of service attacks or exploits targeting hardware and OS vulnerabilities are so effectively defended by the cloud provider as to be outranked by problems higher in the software stack which, as last week’s column illustrated, are the cloud user’s responsibility. As the introduction to a new CSA report on the top threats to cloud computing notes (emphasis added), New, highly rated items in the survey are more nuanced and suggest a maturation of the consumer’s understanding of the cloud. These issues are inherently specific to the cloud and thus indicate a technology landscape where consumers are actively considering cloud migration. Such topics refer to potential control plane weaknesses, metastructure and applistructure failures, and limited cloud visibility. This new emphasis is markedly different from more generic threats, risks and vulnerabilities (i.e. […]

Send this to a friend