In early April 2019, several Facebook app developers exposed millions of Facebook user records to the world. Forbes magazine reported that in many instances the software makers used Amazon Web Services (AWS) to store the data. The discovery has prompted much finger-pointing, as discussions between web services providers, enterprises, and the departments within organizations have moved into high gear about just who should be responsible for protecting corporate data in the Cloud.
Has the Perimeter for Cybersecurity been Pushed Out for Cloud Computing?
Just five years ago, the implementation of firewalls and other security measures like antivirus software had proven very effective. Security, though, is no longer a static affair. Security experts nowadays have to consider and take into account threats from a host of new vectors. It is no longer just about keeping unwanted personnel outside the perimeter.
The security responsibilities of IT departments and cybersecurity professionals are expanding significantly with cloud computing. They now have a web of new threats to consider to ensure the safety of the enterprise network. They have to weigh who is allowed to access the network and how much access should be granted to a particular person, as well as analyze abnormal user behavior to detect and preempt potential threats.
Russel Walker, CISO for the Mississippi Secretary of State, makes the point that the traditional conventions of the perimeter for cybersecurity are less applicable in the age of cloud computing. He observes that “You cannot provide security using a model that was designed for a much more static and enclosed environment.”
Cybersecurity perimeters were put in place for more static IT environments than exist in enterprises today. The new normal is an ever-changing and evolving technological ecosystem that can morph in a matter of days instead of months, as in the past.
The cybersecurity challenge for departmental-level application rollouts has become more of an imperative than ever before. “Shadow IT” efforts now include departments licensing cloud services on their own and hiring consulting staff to implement applications, all without the knowledge of the IT department. Without understanding the implications of their business-driven decisions, these departments have created larger, more porous attack surfaces through which cybercriminals can access corporate networks.
What stakeholders should be involved with departmental instance-rollouts?
Business department managers understand that ensuring a proper and timely implementation or rollout of a cloud system must include their IT department. Indeed, everyone who will be impacted in some way by the new cloud-based system should be involved.
Collaborating in the rollout and mapping opinions, thoughts, concerns, and solutions should be encouraged. Top managers, departmental leaders, and end-users need to be involved in cloud-infrastructure and -application rollouts. Cybersecurity and IT staff need to identify potential network vulnerabilities and configure the department-level cloud platform and applications accurately. Many threats nowadays come from inside an enterprise.
One of the most important cybersecurity threats facing organizations is the ‘insider threat’. CEO of Securonix, Sachin Nayyar, tells Cyber Security Hub how insiders within a company can become a liability, whether because of ignorance, negligence, or outright ill intent.
Sachin Nayyar proposes the idea of Zero Trust, a policy that directs that no one is to be trusted with cybersecurity-related access, and everything has to be always verified before granting any sort of permission. It is important to understand, though, that the concept of Zero Trust is not just related to the technologies and corporate behaviors that are in place. Rather, it is more of a holistic approach, Nayyar counsels, wherein IT staff and also the end users of systems have internalized cybersecurity practices and apply them as a matter of security hygiene.
What Are the Responsibilities of Cloud Vendors?
It is easy to point fingers and blame someone when security has lapsed. But how much did the person getting blamed have to do with causing a problem? Cloud vendors are surely responsible for the security of their platforms, but the question is to what extent?
The cloud vendor should ideally be responsible for its platform’s infrastructure security. The vendor is expected to ensure that unauthorized access is not granted to the hardware and software that support their cloud services, and should have adequate safety measures to enforce that.
Managing access to the account and protecting the data within should be the responsibility of vendors and the enterprise: vendors provide the security functionality and customers configure the controls appropriately. Vendors provide data encryption methods, while data encryption configuration and access control should be done at the enterprise level. Fundamentally, the customer should be aware of who they are giving access to.
At the end of the day, cloud security is a two-way deal. The vendor should be responsible for providing a safe and secure service or platform, whereas the user should take security configuration with the utmost seriousness.
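The customer-side half of that split can be checked mechanically. The following is an added example, not code from the original article: it audits a constructed inventory modeled on AWS S3 bucket settings for the three things the enterprise configures itself (public-access blocking, who the access policy admits, and default encryption). The inventory layout, bucket names and account ID are assumptions made for illustration.

```python
import json

# Constructed sample inventory (hypothetical field names). The policy strings
# follow the AWS bucket-policy JSON grammar; account ID and names are placeholders.
BUCKETS = [
    {"name": "dept-marketing-exports", "public_access_block": {}, "encryption": None,
     "policy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
                           "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::dept-marketing-exports/*"}]})},
    {"name": "dept-finance-archive", "encryption": "AES256",
     "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                             "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
     "policy": json.dumps({"Statement": {"Effect": "Allow",
                           "Principal": {"AWS": "arn:aws:iam::111122223333:role/placeholder"},
                           "Action": "s3:GetObject",
                           "Resource": "arn:aws:s3:::dept-finance-archive/*"}})},
]
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def principal_is_public(principal):
    """True when a policy Principal matches anyone: "*" or {"AWS": "*"} (string or list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in (v if isinstance(v, list) else [v]) for v in principal.values())
    return False

def audit_bucket(bucket):
    """Return findings for settings the customer, not the vendor, is responsible for."""
    findings = []
    block = bucket.get("public_access_block") or {}
    if not all(block.get(flag) for flag in PAB_FLAGS):
        findings.append("public-access-block-incomplete")
    statements = json.loads(bucket.get("policy") or "{}").get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    # An unconditioned Allow to everyone is how stored records end up world-readable.
    if any(s.get("Effect") == "Allow" and principal_is_public(s.get("Principal"))
           and not s.get("Condition") for s in statements):
        findings.append("policy-allows-anyone")
    if not bucket.get("encryption"):
        findings.append("no-default-encryption")
    return findings

if __name__ == "__main__":
    for b in BUCKETS:
        print(b["name"], audit_bucket(b) or "ok")
```
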
Testing the integrity of cloud security in protecting the network
Proper testing of security is a crucial step before deploying any form of network or working with any type of SaaS (Software as a Service). There are several ways for departments to do this, preferably with the IT department’s support.
- The first line of defense starts even before you implement the network or start using a SaaS application. If you are using a hosting company you would want to give the contract a thorough read and look out for any discrepancies. Make sure all possible elements are covered and accounted for; for example, how much traffic the departmental cloud application may have to support, what Intrusion Detection (IDS) and Intrusion Prevention (IPS) technologies are being used to protect the implementation.
- Check to see if there are any vulnerabilities at any of the access points, like the user interface, APIs, etc. Users should try to break into them themselves to test the security of the application and the network.
- Another way to test for security loopholes is to create simulated attacks. Local attacks on the implementation should look for hidden bugs in the systems and security threats that might have slipped through the cracks somehow.
- Test the network at the logical and even architectural levels to further ensure the security of the system.
Software solutions for testing and managing configurations across the enterprise
Configuration management tools make the process of managing configurations much easier. Think of a typical enterprise: there are hundreds of computers and systems that need to be monitored and managed.
Without proper and efficient management software, monitoring and remediating networks would take a very long time. This is where configuration management tools and software come in. These applications provide a number of features, such as:
- Administration: The basic and primary feature of any configuration management software. It lets you check the network and see if everything is configured the right way to ensure optimum performance. Admin tools also enable users to adjust the environment as usage changes.
- Cooperation: Given how immense an enterprise can get, configuration management software can aid in collaboration for administering and testing the configuration across the whole infrastructure.
Two popular configuration offerings are Kamatera and Ansible. Kamatera is free. There is no commitment fee either, so if organizations later change their mind and choose to use another tool, they can switch easily at no additional cost.
One of the stand-out features of Ansible is that tasks can be automated by the use of playbooks, which are written as easily readable configuration files.
The New Normal
Cloud computing has brought a great many benefits but has also presented enterprises with new challenges, especially regarding security. As enterprise computing grows in complexity and the network perimeter balloons, it will take technology, coordination between IT departments and business units, and extensive communication to keep potential intruders out of corporate business.
Coranet is a certified Woman-Owned Information Technology Organization that has been meeting the requirements of Enterprise and Government entities for over 30 years. Network Engineering and Technical Support is part of our foundation and we continue this proud tradition with a 360-degree approach to technology solutions and services in the areas of Audio Visual, Network & Physical Security, IT Infrastructure, and Consulting/Project Management. Coranet is ISO 9001 registered, Lean Six Sigma and WBENC certified.