Cloud Security threats during Covid19 & common mistakes to avoid

1. What are the main challenges facing cloud security?

From a customer perspective, security has always been a challenge for those customers that want to adopt cloud technology, not just because cloud is a new type of technology, but also because it’s not software that you're developing internally or buying, like when you buy Microsoft Windows and get a little box with installation instructions and that’s all there is to it. There are guides for Windows and for Linux on how to harden those environments and make them secure, but a lot of the new services that these cloud providers offer don’t have any guides available. That’s the challenge.

For example, if you are an admin and you have a development team that wants to move their application to the cloud, not only could they set up the Microsoft Windows server that they requested, but there are also hundreds of other services that are now available to them without your knowledge. You might only verbally approve them to use Microsoft Windows or a certain version of the Red Hat Linux operating system that is set up properly to prevent fraud, but they may see a new SQL database that Google has developed, or a big data analytics tool from Amazon, or some other new solution from Google or Amazon or Microsoft that has just been announced. There really are no hardening guides that can help you secure those new environments.

For a lot of government and financial institutions, there are regulations around compliance with security policies that they must follow. Banks, for example, need to prove that only authorized people have access to the customer data. Some banks go as far as having surveillance teams set up for when they access a customer's account, where they discuss what is going to be recorded so they can prove that the customer didn’t give them their password or VISA card information, so it’s clear the bank is not going to steal anything from the customer, and the customer can’t accuse them of something.

That's the heart of the problem and why companies like ours exist. We help customers ensure that only authorised services are being used, and if unauthorised services are being used, that they're used in a proper manner.

2. What are the top security threats during Covid19?

A number of our customers, including banks and governments, are having to cut back on manpower. A lot of people have already been made unemployed or are losing their jobs, but, for a bank at least, they need to maintain their customer database.

Some projects, such as migration projects expanding into a new area, can be put on hold, but if they had already started a migration project in the last few years they’re now left with a vacuum of skills where they have a new technology being used, but the people that know how to operate it and secure it may be gone, or are no longer available, or overworked. Whenever humans are involved, there's opportunity for human error and making mistakes, and we’re now going to see an increase in these breaches because of COVID-19.

Plus, as you know, people are having to work from home at the moment, so a lot of the familiar controls that were in place because people were required to be in the office to do certain work are no longer working. We've had to make temporary bypass exceptions to allow a trader, for example, to work from home, or a computer security person to work from home, and that means the danger of sensitive information leaking out of the business network into the home network has increased.

A lot of people that we work with actually didn't even have proper home computer setups. So you have employees that have been told to go out and buy a new laptop, or borrow one from a spouse or friend, or even use one of their kids’ laptops, and who knows what kind of viruses or spyware might be on those laptops. You can also have data loss that way.

Remote work situations are a big problem for companies during the COVID lockdown, but that’s another area where we have technology available to help companies ensure their people can work from home smoothly, in a frictionless environment, and still maintain the integrity and safety of their data so we don't have any data leakage.

3. What are the most common mistakes businesses make with their cloud security?

The most common mistake is to not include security from the start of the project. In many cases companies are worried about the technical capabilities of the new cloud environment.

For example, an admin gets access to a cloud organization and sets up a new cloud account, maybe on a credit card, or they might allow an employee to create their own cloud account with their own credit card and play around in a sandbox. The employee might be a SQL Server database administration expert who wants to understand the implications of creating a similar environment in the cloud from a functionality perspective:

  • Will the tools and features that he's used to working with continue to work properly?
  • Will the data migration work?
  • Can he export his data from the onsite database to the cloud database?

To the employee, security is an afterthought, a layer that you put on after you know it’s working, but this is missing the whole point. Security is supposed to break things. The vendors like Google, Microsoft or Amazon have sales and support people that have already told you they can support your SQL database in the cloud, so you’ve already passed that bar, you don’t need to prove that it’s going to work, but you do need to prove that it’s going to work when you copy the same security controls you have on premise for your site into the cloud environment. My advice to these companies would be to build out the cloud environment in a secure manner first, then once those security controls are in place they can see about the functionality of the application.

Another huge mistake many organizations make is that they don’t have their on premise security controls well documented. We offer a security assessment as part of our service offerings to document and assess current on premise security controls.

4. Tell us a bit about your company & the main services you provide

There’s a three-step process to cloud security that we offer at SJUltra:

  • Assessment
  • Implementation
  • Operation

Our partners in the US, Illumant, cover the assessment phase; at SJUltra we handle the implementation; then Hubbado, our partners in the UK, cover the operations phase.

Assessment

Illumant specialises in security assessments, analysis and design. They come in, document your cloud security environment and network environment, and even your physical security if you have buildings with locks and video cameras, and then they do an assessment.

Implementation

At SJUltra we handle the implementation of tools and security controls before we go to the operations phase. We deal with service transition design, which is building the service, deploying it, and transitioning it to operations.

We use the following tools among others:

  • Duo Security from Cisco for multi-factor authentication
  • Splunk or Microsoft Sentinel as Security Information and Event Management (SIEM) tools that collect all the logs from the different tools
  • Okta and Ping for Identity Management (IDM) tools that offer multi-factor authentication
  • Prisma from Palo Alto Networks and Dome9 from Check Point for cloud security management
  • Qualys and Nessus from Tenable for vulnerability management scans

Operations

The operations team can be based out of India, and would probably have at least two security analysts on board. If it was a 24/7 shop we’d probably need 11 people to follow the sun security model, where there is somebody sitting in front of the computer screen all day long. Some customers may find that too expensive and would be OK with an 8-5 or 10-5 operation 5 days a week for 10 hours a day. During that time, the operations team would be logged into the web-based Security Information and Event Management (SIEM) tool such as Splunk or Sentinel and monitoring their network for events to determine what’s a real attack and what’s noise. If there is an attack they would open a ticket and inform the customer that, for instance, the Microsoft Windows Server that you installed SQL on is getting attacked, or somebody broke the password, or it's out of disk space. At SJUltra we can help train the team and get them up and running.

5. How do you usually kick off a project with a new client?

We offer a security assessment as part of our service offerings before we go in and start. We set up all the tools for you and get everything dialled in just right. It’s important that we don’t spend weeks or months setting up a new environment for you only to find out when the security guys audit it months later that we’re missing a bunch of security controls that they need to have in place. We usually create a spreadsheet with a list of tools, risks and controls, such as password or encryption policy, and we agree a plan as to what controls are to be implemented, who’s going to manage the keys, how often they should be rotated, types of password, multi-factor authentication and more. We need to document all the controls that are already in place for the on premise environment so that we have a guide we can give to the team implementing the cloud environment to make sure it’s set up in a secure fashion from the get-go. That documentation process can take two weeks, because a lot of the time those details are not written down, so we need to interview people, capture controls and standards, and then disseminate them to the group for review and approval. We take that document and give it to the cloud team that’s going to set up the cloud environment.

6. What’s the biggest lesson you've learned on the job?

It’s so important to follow the 3 step process: do an assessment and come up with a map, implement the technology, and then make sure you have a team set up to operate in the environment. It’s one thing to set up all this fancy technology, but if you don't have an operations team working with you during the setup process, there'll be no one to hand it off to and you're going to be left holding the bag. My mindset going into a customer is that I'm not going to be here forever.

It's no different than if you had something installed in your home. Let's say you want a new heating system or a new gadget in your kitchen, but if you don't know how to use it, it doesn't matter how fancy it is, it will be useless. That happens all the time with cloud technology, and any kind of new technology where customers buy a solution because they’re promised it will solve problems for them, and then when they try to use it, they can’t figure out how to use it, or it breaks.

7. What’s the next big threat to cloud security in 5 years?

Well, you hear this all the time, I would call it a threat and also an opportunity, and that’s automation, where basically robots are running your cloud now.

As companies leverage cloud technology, they've come to determine that automation is super important - these new environments are so complex that humans just can't build hundreds of servers, and cloud is supposed to scale up and scale down on demand.

For example, at the end of the year during payroll season, if you're running a greater than usual number of reports, the reporting system is going to need more servers. You don't want to have to build those out manually; you want it to automatically add more servers, and then when you're done processing your reports, you won't need the servers anymore, so they should automatically go away. Going global is also an automated function, where you are able to scale servers out to different regions of the world based on international demand. So as we introduce automation into all our environments, it's becoming table stakes.

The biggest security threat to cloud that I see in the next few years is a runaway rule, where you have to program algorithms and develop rules to advise the cloud systems on what to do and when to do it.

I actually have this problem in my dev and test environment, as I've given my engineers access to use these services. What if they write something that is a runaway service that ends up consuming a lot of resources? There are a lot of examples where somebody wrote a program and ended up getting a bill for thousands of dollars because of some process that ran away, and you end up getting an astronomical bill at the end of the month.

So there's both a security threat and a financial threat from these automated rules, and it's very important to test and document them, make sure that they go through a proper regression test cycle, that you're vetting them properly, and they also need to be monitored and trained. So you still need humans to be involved running these rules so that they can operate properly. It takes tuning and adjustment to make sure that nothing bad is going to happen.
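The runaway rule described above, as an added example that is not part of the interview: a target-tracking scale-out rule in Python, run against a normal workload and against a buggy job that pegs CPU no matter how many instances are added. The uncapped rule doubles the fleet every evaluation period; the same rule with a hard instance cap and a monthly budget guard stops at the guard, and a regression check refuses any rule that does not. The rule names, instance price, budget and workload numbers are hypothetical, and the simulation is an in-memory model, not a call to any cloud provider's autoscaling API.

```python
"""Bounded scale-out rule with a regression check for the runaway case.

Added example, not from the interview. ScalingRule, prices, budget and the
two workload models are hypothetical; the loop models a provider's
target-tracking autoscaler without calling one.
"""
import math
from dataclasses import dataclass
from typing import Callable, List, Optional

HOURS_PER_MONTH = 730


@dataclass(frozen=True)
class ScalingRule:
    target_cpu: float                # target average CPU per instance, percent
    min_instances: int
    max_instances: Optional[int]     # None = uncapped (the runaway case)
    hourly_price: float              # hypothetical per-instance price, USD
    monthly_budget: Optional[float]  # hypothetical spend ceiling, USD; None = no guard


def desired_capacity(rule: ScalingRule, current: int, observed_cpu: float) -> int:
    """One target-tracking step: scale by observed/target ratio, then clamp."""
    wanted = math.ceil(current * observed_cpu / rule.target_cpu)
    wanted = max(rule.min_instances, wanted)
    if rule.max_instances is not None:          # hard cap on fleet size
        wanted = min(rule.max_instances, wanted)
    if rule.monthly_budget is not None:         # budget guard on projected spend
        affordable = int(rule.monthly_budget // (rule.hourly_price * HOURS_PER_MONTH))
        wanted = min(wanted, max(affordable, rule.min_instances))
    return wanted


def simulate(rule: ScalingRule, ticks: int,
             load_model: Callable[[int], float]) -> List[int]:
    """Evaluate the rule for `ticks` periods; return the fleet size after each.

    load_model(capacity) -> observed CPU percent for a fleet of that size.
    """
    capacity = rule.min_instances
    history = []
    for _ in range(ticks):
        capacity = desired_capacity(rule, capacity, load_model(capacity))
        history.append(capacity)
    return history


def healthy_load(capacity: int, total_work: float = 400.0) -> float:
    """Normal workload: a fixed amount of work spread over the fleet (constructed)."""
    return total_work / capacity


def runaway_load(capacity: int) -> float:
    """Buggy job (e.g. a busy loop) that pegs every instance; more instances never help."""
    return 100.0


def projected_monthly_cost(rule: ScalingRule, capacity: int) -> float:
    return capacity * rule.hourly_price * HOURS_PER_MONTH


def passes_regression(rule: ScalingRule, ticks: int = 10) -> bool:
    """Gate a rule before deployment: under the runaway workload the fleet must
    stay within the cap and the projected spend within budget."""
    final = simulate(rule, ticks, runaway_load)[-1]
    within_cap = rule.max_instances is not None and final <= rule.max_instances
    within_budget = (rule.monthly_budget is not None
                     and projected_monthly_cost(rule, final) <= rule.monthly_budget)
    return within_cap and within_budget


if __name__ == "__main__":
    uncapped = ScalingRule(50.0, 2, None, 0.25, None)
    bounded = ScalingRule(50.0, 2, 20, 0.25, 2500.0)
    for name, rule in (("uncapped", uncapped), ("bounded", bounded)):
        hist = simulate(rule, 10, runaway_load)
        print(f"{name}: {hist} -> ${projected_monthly_cost(rule, hist[-1]):,.2f}/month, "
              f"regression {'pass' if passes_regression(rule) else 'FAIL'}")
```

With these numbers the uncapped rule reaches 2048 instances after ten evaluation periods, a projected $373,760 for the month, while the bounded rule stops at 13 instances because the $2,500 budget binds before the 20-instance cap does. The regression check is the piece to keep: run it over every rule change, with the runaway workload as a fixed test input, before the rule is allowed to act on a real account.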


Iben Rodriguez helps financial services customers connect cloud security solutions using devops methods. Iben works with the Center for Internet Security (CIS) as an editor on the Amazon AWS, Google GCP, and VMware ESX benchmarks. Together, through close collaboration with the cyber security and delivery teams, they build a more secure cloud that will pass compliance audits.

Get in touch to learn more or arrange a consultation