When asked to name their top concerns for 2023, it is unsurprising to find cloud security on most security teams’ list. We’ve seen a number of high-profile cloud breaches, and one impact of the pandemic, and the resulting move to a hybrid workforce, is that businesses have become more reliant on using cloud services for their core business functions. Many teams believe that they are now more vulnerable to cyber-attacks as a result, and one question we see a lot is ‘how can I identify vulnerabilities in a cloud environment and protect my business?’
We were pleased to discuss this topic during a recent webinar, where we were joined by Simon Vernon, who is Head of Research and Development for SANS Institute and teaches the SANS SEC488: Cloud Security Essentials course and associated GIAC certification.
Of course, every business has a unique risk profile and there is no ‘silver-bullet’ that will work for every organisation, but our experienced panel discussed a number of steps you can take to test your cloud set up and improve your organisation’s cyber maturity.
Why are we talking about cloud security?
- During the Covid era we saw a rush to the cloud and an acceleration of adoption, so businesses now rely on these services more than ever and any disruption is likely to be highly impactful.
- Any accelerated adoption is likely to introduce more vulnerabilities and mistakes, for cloud suppliers as well as consumers.
- There is currently a skills shortage in the industry, compounded by churn and the great resignation, with knowledge lost in the process.
- Adversaries have seen our greater reliance on the cloud, as well as the increase in vulnerabilities, and the cloud has become a key target.
- As we move into a time of economic uncertainty, now is a good time to pause and refocus on your cloud strategy.
- Businesses and governments are prioritising cloud, with many introducing cloud-first strategies, but are lacking the people and talent to properly secure it.
- Covid accelerated the use of the cloud and put businesses under pressure to create an environment where their team could work from home.
- The cloud operates very differently to on-prem. The ingredients are the same, but the way we go about it in the cloud is very different.
- We store our crown jewels in the cloud, a space that is theoretically and technically public, and involves setting up perimeters using identity & access management only.
- There have been several recent high-profile cyber-attacks, including Okta.
What techniques can you use to identify vulnerabilities?
- It all comes down to visibility and implementing the 20 critical controls, which is nothing new, but the way that we implement them in the cloud is very different.
- When we're operating in the cloud we no longer have responsibility over the underlying infrastructure or security of the data centre, but by leveraging shared security models we can use systems to identify potential issues, solve configuration problems and build out our infrastructure to be as secure as possible.
- A top tip is to use cloud provider documentation in conjunction with the Computer Information Security Hardening guides.
- Encourage your wider engineering teams to revisit their approach to threat modelling and how it fits into their work.
- Following the principles of DevOps and DevSecOps, leverage automation and standardisation. Consider building out templates and automating basic or common cloud security processes.
- Cloud security testing is not the same as standard testing, and often doesn’t get as much attention. As with pentesting, there is no 'one size fits all', but you should have a robust testing strategy in place with testers that know your tech stack and the cloud services in use.
How can you remediate these vulnerabilities in the cloud?
- Deploying infrastructure as code gives you a lot of options: it supports the streamlining of your processes, shortens the time it takes to deploy remediations and provides numerous opportunities to interrogate and test changes before they have an opportunity to introduce active vulnerabilities.
- Pentest and security review reports should also offer remediation advice, as well as reporting on vulnerabilities.
- For a summary of the 7 steps to test & secure your cloud environments, download our cloud security checklist.
- Zero trust is theoretically a good idea, but we have yet to see a fully controlled implementation of it that works well. Introducing too many barriers will slow teams down, and those barriers are often circumvented.
- Instead, create an informed cloud strategy about how you want to handle your users and data. Create an online catalogue and monitor all of your activity.
- One of the primary blindspots in the cloud is the API.
- Cloud providers provide documentation regarding regulations and compliance standards, and provide toolsets that allow you to choose which services you can use, depending on which regulation you need to comply with. They also provide SOC reports which include financial information, the controls that they employ and how well they are doing against their measurements and metrics.
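
An added example (not from the webinar or from Secure Impact) of interrogating an infrastructure-as-code change before it is deployed, as the first point in this list describes. It assumes Terraform with AWS resources, neither of which the page names, and scans the JSON produced by `terraform show -json`; the sample plan, the resource names and the rule that only port 443 may face the internet are constructed for illustration.

```python
import json

PUBLIC_ACLS = {"public-read", "public-read-write"}
WORLD = {"0.0.0.0/0", "::/0"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_resource(rtype, after):
    """Return findings for one planned resource, given its post-change attributes."""
    findings = []
    if rtype == "aws_s3_bucket_acl" and after.get("acl") in PUBLIC_ACLS:
        findings.append(f"bucket ACL is {after['acl']}")
    if rtype == "aws_security_group":
        for rule in after.get("ingress") or []:
            cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
            # Assumed policy for this example: only HTTPS (443) may be internet-facing.
            if cidrs & WORLD and rule.get("from_port") != 443:
                findings.append(f"port {rule.get('from_port')}-{rule.get('to_port')} open to the internet")
    if rtype == "aws_iam_policy":
        doc = json.loads(after.get("policy") or "{}")
        for stmt in _as_list(doc.get("Statement", [])):
            if (stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Action", []))
                    and "*" in _as_list(stmt.get("Resource", []))):
                findings.append("IAM policy allows every action on every resource")
    return findings

def review_plan(plan):
    """Scan `terraform show -json` output and return 'address: finding' strings."""
    results = []
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if after is None:  # resource is being destroyed, nothing to review
            continue
        results += [f"{rc['address']}: {f}" for f in check_resource(rc["type"], after)]
    return results

# Constructed sample plan (hypothetical resource names), trimmed to the fields used above.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_s3_bucket_acl.reports", "type": "aws_s3_bucket_acl",
     "change": {"after": {"acl": "public-read"}}},
    {"address": "aws_security_group.web", "type": "aws_security_group", "change": {"after": {"ingress": [
        {"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
        {"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_iam_policy.ci", "type": "aws_iam_policy", "change": {"after": {"policy": json.dumps(
        {"Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}})}}},
    {"address": "aws_s3_bucket_acl.old", "type": "aws_s3_bucket_acl", "change": {"after": None}},
]}

if __name__ == "__main__":
    print("\n".join(review_plan(SAMPLE_PLAN)))
```

Run as a pipeline step that fails when `review_plan` returns anything, so the change is blocked before it reaches the cloud account.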
How can Secure Impact help?
Setting a new industry standard
- If you're thinking about starting your cloud journey... Avoid the mistakes others have made with the cloud - our experts can help you get it right the first time, or find the flaws others miss that are unique to the cloud. It’s a different place to test security and not the same as the standard enterprise network.
- If you're in a fairly mature organisation but would value an external sounding board... Our experts can take a step back to identify areas of improvement, bringing experience from many other businesses to make actionable changes to your overall security posture.
- We are disrupting the industry with business-oriented cyber security services. CISOs and security teams have real challenges which likely won’t be solved with ‘silver bullet’ products, automated scans, or generic reports. Our penetration tests are business-oriented, bespoke to your risk profile, and geared to creating learning outcomes for your team.
- Our reports are tailored, accessible and will provide you with the insight and roadmap to make both immediate and longer term changes to improve your security maturity.
- Our GIAC certified team are the best of the best in the industry and have worked with defence, intelligence, FTSE 100 and Fortune 500 companies on some of the world’s highest profile cases. They will work with your team to create actionable shared learnings.
If you have cloud security needs, or would like to have a chat with the team to learn more, please get in touch!