ELITECISOs BAD CLOUD SECURITY ADVICE
Last week the ELITECISOs Delhi/NCR group had a fun activity where we started to compile a list of BAD SECURITY ADVICE. What started as fun became a huge list of BAD ADVICE that reflects what organizations should not do, since it negatively impacts their business posture. The list was well appreciated and welcomed by the community; here is the link to the list - https://www.dhirubhai.net/pulse/elitecisos-bad-security-advice-elite-cisos
This week we started with some BAD CLOUD SECURITY ADVICE; it is an unfiltered, raw list as compiled by the group. The purpose is to highlight BAD ADVICE so that you can review the opposite and understand what GOOD ADVICE will look like.
We are sure there is plenty of BAD ADVICE that we would have missed; please add it as a comment.
EliteCISOs BAD CLOUD SECURITY ADVICE
1. Cloud Service Provider is 100% responsible for security of the cloud and customer data
2. Security is not required on cloud
3. No cyber attack can happen on Cloud
4. Cloud is the safest solution available
5. Confidentiality, integrity and availability are the responsibility of the CSP
6. You don't need to manage the cloud
7. No security management required at company level as the Cloud vendor is ISO 27001/SOC 2 certified
8. You don't need to encrypt your data on cloud as it's already secure
9. No need to bother which region I am using (especially for regulated businesses)
10. Security is the responsibility of AWS/Azure. We don't have to do anything.
11. Not knowing that security is a shared responsibility, or the responsibilities and limits of each party
12. No need to sign an SLA or any contracts
13. Hackers live on earth, so no hacking is possible on cloud as they would need to fly for this
14. Security awareness training is not required as all data is on cloud now
15. No need to inform my regulator that I am using cloud. They will never come to know where my data is
16. NIST security framework doesn't apply on cloud
17. Automation of security on cloud is a bad strategy
18. GDPR is not applicable as data is in the cloud
19. Backup of data on cloud is not required as it's automatically backed up
20. All required logs/logging are enabled by default
21. No IDS/IPS required
22. No secure channel is required for data access as cloud technology caters for it
23. Data degaussing is not possible on cloud
24. Server hardening and patching is the responsibility of the CSP
25. Don't plan for replacing the CSP
26. No need to know where my data is, in which country
27. Auditing of privileged accounts not required
28. No need to integrate a SIEM solution, the CSP takes care of that
29. No DR/BCP required as Cloud is available 100% 24x7
30. Allow access to all VPCs from everywhere
31. You are secure now because all data is on cloud. Cloud is completely secure
32. Cloud infra does not require capacity planning
33. VAPT not required, infra is safe on cloud
34. Load balancing/failover not required on cloud
35. Cloud is safe from DDoS attacks since it's scalable
36. My data is fully secured on cloud
37. Don't restrict corporate/private application access to the corporate network only
38. Avoid all sorts of account policies
39. My on-prem admin can administer cloud easily, no additional skills are required
40. Access keys and secret keys should be made public
41. Use Kali and hacking tools as much as possible as VMs on cloud
42. Cloud computing costs more than in-house computing
43. Keep all passwords in a text file in a bucket and make it available to the public, including private keys
44. The security I can set up and control in my own data centers is superior to the security on cloud
45. MFA is time consuming for authentication, keep it disabled
46. There is greater latency among applications running on cloud providers' networks than there is on in-house networks
47. Multi cloud is a waste of resources and $$$
49. Managed devices will tie you to them, and you also lose sight of the underlying hardware logs
50. Kubernetes only works on G Suite
51. DDoS attacks are not applicable on Cloud
52. Private keys will always be managed by cloud providers
53. Cloud provides 100% uptime
54. Moving to cloud eliminates the need for an infrastructure organization
55. No need to check compliance reports of CSPs
56. The most effective way to transition to cloud is to focus either on applications or on entire data centers
57. Continuous monitoring and compliance checks of cloud infrastructure are not required at all
58. To move to cloud, you must either lift and shift applications as they are today or refactor them entirely
59. At least offer me a job now. I have typed enough.
60. If we shift technologies, I'll be out of a job
61. Restore/DR/BC tests are not required in an isolated environment on cloud
62. Data on a server is removed automatically after killing that VM
63. The cloud is just a data center
64. Servers and data are protected against ransomware attacks by default
65. EBS volumes should not be encrypted #AWS
66. The cloud providers will be accessing my data
67. Least privilege on cloud is not required
68. All APIs are secured by default
69. We aren't big enough to move to the cloud
70. Threat modeling is not required for cloud deployments
71. Don't use federated sign-in, it will make the authentication process difficult
72. Use default admin credentials
73. Once we move to the cloud, we're done
74. Don't hire cloud security professionals
75. Avoid WAF strictly
76. Avoid role-based access
77. It's too hard to stay up-to-date with compliance requirements
78. Avoid data classification and encryption
79. Avoid shadow IT
80. Avoid Advanced Malware Protection (AMP)
81. Avoid CASB usage
82. Enable internet on all servers and don't use browser isolation
83. Native cloud security tools like Security Hub, Trusted Advisor and Amazon Inspector are not effective enough #AWS
84. Avoid data protection policies
85. Transitioning to the cloud is complex and complicated
86. Don't use cloud VPN, and allow all inbound and outbound traffic to and from all servers over the internet
87. We need a one-cloud solution
88. Avoid access control policies
89. Moving to the cloud automatically saves money
90. Don't monitor the cloud environment for any threats
91. Using Organizations to control the security posture of accounts is not a good idea #AWS
92. Avoid due diligence
93. Moving to the cloud automatically saves money
94. Avoid signing an NDA
95. Don't plan for decommissioning
96. The cloud means surrendering controls
97. You don't have to manage data in cloud; once it rains, it will wipe off all the white spaces
98. The cloud costs jobs
99. There are 7 OSI layers, but you can have 9 in cloud (invest and be on Cloud 9)
100. Using open source tools for cloud security automation is not a good idea
SVP & Chief Information Security Officer at SBI Life Insurance Co. Ltd. Views and Posts are purely Personal
3 years
Some more on Bad Cloud Security for #ELITECISOs:
1) My Cloud Provider is an expert in Security, I need not think of it
2) I trust my Cloud provider and SI, no need for having a good SLA
3) Consulting the Security, Legal and Compliance team for the agreement takes lots of time & wastage of efforts. So, not required, I need to start the engagement as fast as possible to attract more business and meet the timeline
Enterprise Product Head | Enabling Businesses through Advanced Technology (Information and Network Security solutions) at MFI TECHNOLOGY SOLUTIONS LIMITED.
3 years
Thanks for sharing
Founder, Managing Director | The Right Security Partner for Your Business
3 years
One more - No need to have a Cloud exit strategy.
PMP, CISM, CISSP, Digital Transformation leader
3 years
Amazing, just refreshing. ELITE CISOs Vikas Arora, good topic to start the day with.
Head - Cyber Security
3 years
It was fun...