Hey, You. Get Off of My Cloud


The Rolling Stones wanted to protect their space; we, as security practitioners, need to protect ours. Data ‘castles’ in the cloud are out there, and they’re constantly under siege. By drawing inspiration from a band that embodied personal freedom, we can draw some – okay, very stretched – parallels to modern cloud security.

Nonetheless, they work. And we all knew this blog was coming. And if you read the blog backward you can hear the name of the latest malware family…

Maybe.

“Hey, you. Get off of my cloud!”

We’re quite certain the real meaning of the Stones’ pinnacle lyric was the importance of strong access controls and authentication. And we couldn’t agree more.

In the free-sharing world of cloud computing, it’s important to draw some boundaries. Who has the authority to access certain resources in a cloud environment? For companies that are cloud-native or cloud-only, this question is the same as asking “Who has access to certain resources,” period. While the cloud is good for sharing, not everyone can go backstage. Without checking IDs, you don’t know who’s going to enter your venue, steal stuff, and leave in the back of a cop car. Better to harden the guest list and protect what’s most important.

Strong access controls dictate who can enter (VIP list), and strong authentication makes sure those guests are who they say they are (identification). Now, we can party. Plus, access controls allow you to stay on the right side of data privacy compliance standards, which is always exciting.

“Don’t hang around ’cause two’s a crowd”

This lyric clearly demonstrates Jagger’s concern over the dangers of oversharing data and permissions. And it’s a concern that we share.

The problem with sharing data in the cloud at all is that the cloud is still an environment relatively unmastered by security professionals, let alone non-technical employees. This means there are a million ways to go wrong and myriad ways to hide, lose, or otherwise mishandle cloud-based data, either knowingly or unknowingly. Since cloud computing still must be done, we can at least minimize its inherent risks by employing the Principle of Least Privilege and only sharing permissions with those who need to access specific data to do their jobs. Otherwise, curious paparazzi must be left out back.

In Ponemon’s recent study, the risk of insider threats and credential theft has risen by 44% over the past two years, and 52% of enterprises label cloud security as one of their biggest risks. If there are plenty of places to hide on-premises, there are infinitely more in the cloud. You can’t have small-venue security for a stadium tour any more than you can have brown M&Ms at a Van Halen concert. Make sense?

“I was sick and tired of everything”

Were the aptly named Rolling Stones referring to being exhausted by the pressures of fame and a life on the road? Not likely. Chances are they wanted to use their platform to sing about the risks of complacency and outdated cloud security practices. Truly, a band ahead of its time.

So, what doesn’t work in the cloud? What are these outmoded security trends we grandfathered in from our parents’ on-premises generation that just give us no satisfaction?

  1. “Our vendor will do it” | There is a big difference between cloud vendors and cloud security vendors. Even then, cloud security vendors also have their limitations. Know what you’re getting and remember, the buck stops with you when it comes to securing your cloud-based assets, whether on a public or private cloud.  
  2. “This is just copy-paste from on-premises” | We all know the perimeter was lost a long time ago and certainly isn’t found in the cloud. However, an expert at on-premises security, while experienced, isn’t automatically an expert in cloud security. This is probably old news to most. However, bear this in mind when searching for cloud security solutions – you’ll not only need the technology, but employees with the expertise to staff them.
  3. “We can monitor for security in production” | Nowadays, shift-left policies are a must, especially when dealing with the cloud. Vulnerabilities, and therefore threats, can originate at any point in the CI/CD pipeline for cloud-based applications, and mandated security policies early in the development cycle are needed to catch them early on. If allowed to persist, these vulnerabilities have a special power to affect even more devices and services, because they are confined not to one on-premises environment but to the whole cloud-using world. Remember Log4j?

Gimme Shelter from Poor Cloud Security

You can’t always get what you want, but if you try sometimes, you just might find – you get an improved cloud security posture instead. Here’s how to check:

  1. Is your cloud properly configured? Safety starts with the basics. Check that what you think you did was done properly before looking for extra signs of weakness. A security configuration management solution can help.
  2. Are you using multi-factor authentication? This is a prime, and fundamental, way to make sure that A) only your authorized personnel are able to access your cloud-hosted assets, and B) they are indeed those trusted people and not cybercriminals pretending to be them.
  3. Are you encrypting in the cloud? Because the cloud is still an environment relatively unmastered by most users today, it is more important than ever to encrypt the data itself and not trust people to save it and classify it in the right location. Protecting a cloud storage area is good, but encrypting the data stored there is even better. Not even a Jumpin’ Jack Flashdrive could exfiltrate anything of value then.

These questions are just the tip of the iceberg. The main thing to bear in mind is that the cloud is a different beast (… I’ll refrain) altogether and must be treated and understood differently. Different rules apply. New experts and stricter policies are needed. If something was at risk in an on-premises environment, accessible only by your enterprise and a few motivated threat actors, it is exponentially more at risk in the cloud with its proverbial ports open to the world. In short, the mindset must be different, and then the policies will change accordingly.

The cloud is getting crowded, but with the right solutions in place, we can get unwanted visitors “off of our clouds” and live to safely disrupt another day.


Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire.


