Cyber Security - The Design perspective: Reimagining the organisational interface to Public Cloud
In my previous article, I wrote about my learnings from mapping organisational controls to the Lockheed Martin Kill Chain framework. This preceded a presentation at the AISA conference in Canberra, where I presented in a Security Strategies session on a related topic. A happenstance from that event is a paper I am drafting at the moment, which touches upon some interesting scenarios, particularly regarding reimagining the organisational interface to multiple Public Cloud service providers. Today's article is an extract from that draft.
We continue to witness a proliferation in the number of technologies and tools across the software and security industry, from both engineering and operational standpoints. While this has been beneficial insofar as points of visibility are concerned, the need to consolidate viewpoints across multiple technologies and tools is growing. Notwithstanding, organisations have continued their movement into or away from Public Cloud, with a large swathe of development investment and effort being dedicated to Zero-Trust access while ensuring seamless connectivity. Multi-factor authentication is being mandated across the software spectrum and its implementation is well underway in the industry, given the recent spurt in identity and data breaches.
While organisations have not shied away from rearranging their internal architecture to reinforce the crucial properties of their infrastructure, their appetite for shiny tools has not abated [2]. This is perhaps not without reason: one challenge organisations regularly face is that existing solutions are often too cumbersome to adapt to an evolving threat or to an organisational realignment, whereas new tools that address a specific issue are often better aligned. However, this comes with its own challenges.
Organisations have also continued to invest in custom agents that collate event data streams across endpoints, networks, enterprise and cloud into multiple data lakes, each catering to requirements ranging from compliance and regulatory obligations to custom policy evaluation and anomaly detection. Each stratum of requirement can necessitate specialised skills in developing, managing and governing the use of policies, in grounded form, on such technologies. It also entails a layer of abstraction when data is extracted as event data streams into one or more data lakes for consolidation. Irrespective of whether native or third-party agents are used for this purpose, it is notable that many tools require continual, periodic status information to track the state of entities, be they endpoints, networks, enterprise or cloud. Such tracking mechanisms can require periodic API calls over authenticated sessions to collect and assimilate status information. In a Public Cloud context, this activity can entail significant operational costs.
One of the challenges hampering the advancement of security posture is the ongoing engineering upkeep needed to keep abreast of operational and workload requirements. Such specialised technologies require skills which can often remain in specialised quarters. The stumbling block can also be technology skills that are niche and not spread widely enough across the organisation to provide the dynamic management that business requirements demand. If visibility is further segregated into pockets of knowledge and understanding, then holistic understanding can be found wanting [1, 3]. In the absence of holistic understanding, organisations may find it quite challenging to thwart advanced and surreptitious attacks.
The rapid adoption of Public Cloud over the past decade has brought with it significant levels of third-party tool integration into cloud-based tenancies for a variety of purposes, including application monitoring, performance evaluation, availability, scalability, security and governance, among other functions. Organisations also have native capability to access the cloud tenancies from their respective environments. Consequently, the confluence of these activities has resulted in multiple and repeated API calls from organisational and third-party services to the Public Cloud environments to request and receive the same information, often several times in a day! Not only does this cost an organisation in terms of operational expense, but it can also have debilitating effects on services by throttling bandwidth for legitimate services, not to mention expanding the attack surface by virtue of the increased number of identities accessing the relevant infrastructure and of the same information being recorded in multiple data stores.
Given that organisations typically utilise a multi-cloud approach, it might be helpful to consider a design wherein a consistent organisational overlay interfaces with the different cloud environments on behalf of native and third-party services. While it could entail re-orienting network traffic via this overlay, the benefits can perhaps offset any additional effort in implementing this architecture, and those benefits are manifold. Firstly, it can provide an immediate reduction in the number of API calls made to Public Cloud to receive status and account information, which can then be cached for a fixed time window and shared across all native and third-party services. Secondly, it can result in unthrottled service access, allowing services to perform at full capacity without limitations. Thirdly, the costs associated with those additional calls can be culled, resulting in more efficient use of operational expense. Fourthly, it can reduce the number of independent identities required to service the API calls, reducing the number of identities exposed to malicious takeover. Fifthly and finally, it can reduce the number of stores where the collected information is held, thereby reducing the attack surface.
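To make the overlay concrete, here is an added Python sketch (not from the article or any product it refers to): one overlay holds a single identity per cloud provider and answers every consumer from a fixed-window cache, and a constructed scenario counts upstream API calls and cloud-facing identities with and without it. The provider APIs are in-memory stand-ins, and the names CloudOverlay and simulate are assumptions.

```python
import time
from collections import defaultdict
from typing import Callable, Dict, Tuple

Fetcher = Callable[[str], dict]  # stand-in for a cloud API: resource name -> status record


class CloudOverlay:
    """One organisational interface to many cloud tenancies: the overlay holds one
    identity (fetcher) per provider and caches answers for a fixed window (ttl_seconds)."""

    def __init__(self, providers: Dict[str, Fetcher], ttl_seconds: float,
                 clock: Callable[[], float] = time.monotonic):
        self.providers = providers
        self.ttl, self.clock = ttl_seconds, clock
        self._cache: Dict[Tuple[str, str], Tuple[float, dict]] = {}
        self.upstream_calls = defaultdict(int)  # per provider: billable API calls actually made

    def get_status(self, provider: str, resource: str) -> dict:
        if provider not in self.providers:
            raise KeyError(f"unknown provider {provider!r}")
        key, now = (provider, resource), self.clock()
        hit = self._cache.get(key)
        if hit is not None and now - hit[0] < self.ttl:
            return hit[1]                       # inside the window: no upstream call
        record = self.providers[provider](resource)
        self.upstream_calls[provider] += 1      # miss or expired: one call serves everyone
        self._cache[key] = (now, record)
        return record

    def identities_required(self) -> int:
        """Cloud-facing identities: one per provider, however many consumers exist."""
        return len(self.providers)


def simulate(consumers: int, ttl: float = 300.0) -> Tuple[int, int, int]:
    """Constructed scenario: `consumers` tools poll the same VM in two clouds once a
    minute for an hour. Returns (direct_calls, overlay_calls, cloud_identities)."""
    fake_now = [0.0]                            # injected clock so the run is deterministic
    clouds = {c: (lambda res, c=c: {"cloud": c, "resource": res, "state": "running"})
              for c in ("cloud-a", "cloud-b")}
    overlay = CloudOverlay(clouds, ttl, clock=lambda: fake_now[0])
    direct_calls = 0
    for minute in range(60):
        fake_now[0] = minute * 60.0
        for _ in range(consumers):
            for cloud in clouds:
                direct_calls += 1               # each tool calling the cloud with its own identity
                overlay.get_status(cloud, "vm-001")
    return direct_calls, sum(overlay.upstream_calls.values()), overlay.identities_required()
```

With a five-minute window, five polling tools generate 600 direct calls an hour but only 24 through the overlay, and the cloud sees two identities instead of ten.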
Until next time...
1. Reflection on Davos 2024: State of Cyber security, available at https://www.weforum.org/agenda/2024/01/reflections-on-davos-2024-the-state-of-cybersecurity/
2. Cybersecurity futures 2030: New foundations, available at https://www3.weforum.org/docs/WEF_Cybersecurity_Futures_2030_New_Foundations_2023.pdf
3. Global financial stability is at risk due to Cyber threats, IMF warns, available at https://www.weforum.org/agenda/2024/05/financial-sector-cyber-attack-threat-imf-cybersecurity/
Good info, thanks Dr Sri
Computer Scientist and Network Expert.
WoW. Well thought out; well done in simple English. Way to go…