Are Your Cloud Accounts Easy Pickings For The Naughty People?
Andrew Mallaband
Growth Engineering | Enabling Tech Leaders & Innovators Around The Globe To Achieve Exceptional Results
Today people across all areas of business are consuming cloud based services (CBS) at an ever faster pace, because of the significant benefits that adopting individual and collective services provides.
We are no longer constrained by the time it takes to stand up new projects or crippled by the overheads of justifying capital expenditure. We pay for what we use by the minute, hour, day, month or year. We can suspend or even switch off services when they are not needed and switch service providers when we find better alternatives. We can also exploit the R&D efforts of market leaders in specific fields, and gain a competitive advantage and improve productivity by doing so, all without any of the risks and costs associated with trying to build them ourselves.
Many of these solutions start life in organisations as implementations of the free version of a product and often go into production without the need for any funding or oversight from stakeholders in the business.
CBSs are typically accessed from outside of an organisation's traditional security perimeter, just like any other service on the internet, so the setup, ongoing administration and user access are simple, convenient and fast. You can also easily connect services with other services to exchange data between them.
Once set up, CBSs often contain highly valuable and sensitive data, related to the company, employees, customers and suppliers, that could be exploited in a detrimental way should the data fall into the wrong hands. This could easily happen if security standards, for how CBSs are implemented, administered and maintained, are not adhered to.
Unsurprisingly, it is not uncommon that many of the people involved in selecting, implementing and administering CBSs in an organisation are not even cyber aware. As a consequence, standards and best practices are often not followed. Furthermore, failures to comply with standards and best practices can also result because it is more convenient or faster not to bother, or simply because other priorities swamp the time of the responsible parties.
Tackling The Problem
The answer to this problem is simply NOT to say that the selection and administration of CBSs falls under the responsibility of security practitioners. This would create many road blocks that would ultimately constrain the ability of IT and the business to innovate at speed. This needs to be approached in a collaborative way, with partnerships between security practitioners and stakeholders across all areas of the business that want to exploit CBSs.
There are a number of important pillars that underpin this approach.
In regard to the latter point, we cannot simply rely on people to govern CBS security. In the world of physical security, to protect valuable assets, we deploy systems that continually check for security breaches using sensors and cameras.
If we rely on people alone to undertake the hundreds or even thousands of periodic CBS checks, manually or with scripts, we end up leaving coverage gaps where stakeholders cannot really put their hands on their hearts and categorically state that standards are continually being maintained. In turn, this also creates windows of opportunity for bad actors to exploit vulnerabilities in the CBSs that are being consumed.
Manual and scripted checks and audits are also time consuming activities and costly to support and maintain. Relying on people to undertake this work and attest to the fact that things are being done correctly is just not realistically possible in a consistent way.
At the end of the day people make mistakes, and they have other things to do in their day that might take priority for them. Different people also carry out their work to different standards. People also take leave, go to offsite meetings and events and go sick, so the work might also simply not get done while they are away from the workplace.
With this in mind we need a more systematic and continuous approach to support the process of security governance for CBSs, so we can capture the situations where the risk exposure is high, and remediate these without delay.
IT, security and business stakeholders also need visibility so they can understand when and where the business is exposed to the risk of security breaches, along with an understanding of the severity of the risk exposure, based on the importance of the data that different CBSs expose.
The Good News
Last month I wrote an article, "Caught In A Storm In The Shift To Multi-Cloud?", about software solutions that can help out in this space. This highlighted how Gartner recently called this out as an emerging product category, one that they refer to as "Cyber Asset Attack Surface Management" (CAASM).
When looking into solutions in this space you will find that there are clear differences in the domains of CBS coverage that different CAASM vendors support, and it is unlikely you will find one solution that covers all of the services your organisation is consuming.
In my article I highlighted a company called Resmo that has built out a SaaS based CAASM offering. This started out with support for a very wide variety of popular cloud infrastructure services and SaaS based tools that are used to build, operate, support and secure modern application services in the dev/ops space. These are all areas where the impact of security breaches could have a profound effect on an organisation's security posture, given the types of data that are accessible through these platforms.
Coverage quickly expanded to modern data platforms, collaboration tools and virtual desktops. Today they support more than 50 CBSs and this is rapidly expanding, enabled by the agile approach that is built into the architecture of their platform and their development processes. They are also committed to rapidly accommodating new coverage requirements that arise for their customers.
I recommend taking a look at their offering if what I have described in this article is on your radar screen of challenges to address, or it has sparked an idea for a new initiative.
M.Sc.
2 years ago
Answer: Yes. Yes they are.
Co-Founder & Director, Product Management at JumpCloud | Endeavor Entrepreneur | AWS Community Hero
2 years ago
Really great summary of WHY we're building Resmo and how it helps companies beyond traditional cloud security tools. Thanks, Andrew!