Merlin Labs Memo -- Week of October 31 - November 4
SaaS – the New Shadow IT
Software-as-a-service (SaaS) is the new shadow IT, according to Phyllis Woodruff of Global Payments in a recent interview. The adoption of remote workforces has accelerated this change, rapidly introducing an onslaught of “wild wild west” hybrid environments and leveraged third-party SaaS services. It also presents new challenges for security leaders overseeing cloud and hybrid systems. Software development for the cloud is also discussed as an important potential attack vector. All of these changes mean compliance must shift left, leveraging traditional disciplines and frameworks in new ways and establishing a master control inventory to prepare for and respond to this new threat landscape. It is “no longer one set of rules, but one set of controls,” along with the education and discipline needed to mitigate the risk associated with SaaS solutions. –Via: Data Breach Today
Our Take: Without a doubt, the explosion of cloud service offerings (CSOs) has dramatically changed the threat landscape and eroded the traditional network perimeter - rendering many traditional cybersecurity approaches inadequate at best. The FedRAMP program was actually built specifically to address cybersecurity for cloud-based IT services, and the FedRAMP baselines are a great place to start when assessing cybersecurity controls around your leveraged cloud services. And while it’s true that the landscape has changed, the basic tenets of what needs to be managed have not. Basically it all boils down to knowing and controlling the following:
Employing the concept of shifting left, not just for cybersecurity but also for compliance, means that cybersecurity leaders must consider not only whether the right tools are in place and the right controls have been defined, but that the ability to implement, measure, and manage to those controls is baked into a system beginning with the define/design stage of software development, through the SDLC, and into the operations, maintenance, and continuous monitoring activities that operate and protect IT systems. – Sarah Hensley, MS-SLP
Spelling Counts in Cybersecurity
The RomCom RAT group has a new way to spread its malware. It has created websites that mimic the official KeePass and SolarWinds websites in order to get victims to download cracked versions of those vendors’ installers. The installation of the software proceeds normally, but with malware included in the process. With the malware on the systems, the attackers are able to gather more information for use in phishing emails. The installation process even includes legitimate registration of the vendor software – vendor sales personnel follow up with the victims, exactly as if it were a legitimate download, which further obscures the attack from notice.
Our Take: It’s ultimately down to us humans to check everything we’re clicking on or typing into our browsers. A single letter missing or switched spells the difference between safety and danger, pun very much intended. Having protections in our security tools only goes so far, as they can’t always catch every new trick attackers come up with. That’s why it is so important for all of us to sharpen our security instincts and to always read twice what’s in the link before we go to it. – Dean Webb
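As an added example (not from the newsletter or Merlin Labs), a small defender-side check in Python that flags a URL whose hostname sits one or two edits (a missing, extra, substituted or swapped letter) from a trusted vendor domain. The trusted list is assumed to be the two named vendors' official domains; in practice it would be your own allowlist.

```python
# Added example, not from the newsletter: flag hostnames that are a letter or
# two away from a trusted vendor domain. Optimal-string-alignment distance is
# used so a missing, extra, substituted, or swapped letter each count as one edit.
from urllib.parse import urlparse

# Assumed allowlist: official domains of the vendors named in the article.
TRUSTED_DOMAINS = ["keepass.info", "solarwinds.com"]


def osa_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) edit distance."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution
            # transposition of two adjacent letters counts as a single edit
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def hostname_of(url: str) -> str:
    """Lowercased hostname of a URL (scheme optional), with a leading 'www.' removed."""
    host = (urlparse(url if "://" in url else "https://" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify(url: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Return 'trusted', 'lookalike:<domain>' for a near miss, or 'unknown'."""
    host = hostname_of(url)
    best = None
    for dom in trusted:
        if host == dom or host.endswith("." + dom):   # exact domain or a subdomain of it
            return "trusted"
        dist = osa_distance(host, dom)
        if dist <= max_edits and (best is None or dist < best[0]):
            best = (dist, dom)
    return f"lookalike:{best[1]}" if best else "unknown"


if __name__ == "__main__":
    # Constructed sample URLs, not real indicators.
    for u in ["https://www.keepass.info/download.html", "keepas.info", "http://solarwnids.com/x"]:
        print(u, "->", classify(u))
```

The check only covers single-letter edits; homoglyph and internationalized-domain tricks need a separate confusable-character comparison, and `max_edits` should be tuned per domain length to limit false positives.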
Why Developers Hold the Key to Cloud Security
By freeing teams of the physical constraints of the data center, the cloud is bringing the biggest shift in the IT industry in decades. But it’s taken years for organizations to start unlocking the true potential of the cloud as a platform for building and running applications, as opposed to using it as a platform for hosting third-party applications or those migrated from the data center. When the cloud is used simply as a “remote data center,” the classic division of labor is carried over, and much of the potential of the cloud goes unrealized.
But the shift to using the cloud as a platform for building and running applications is disrupting security in profound ways. From the perspective of the cloud customer, platforms like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud are 100% software, and developers are now programming the creation and management of their cloud infrastructure as an integral part of their applications. That means developers are designing their cloud architecture and setting security-critical configurations—and then changing them constantly. –Via: InfoWorld
According to a recent report, most large enterprises across industries (92%) now use or intend to use multiple cloud providers, and government agencies are no exception. Multi-cloud environments enable agencies to choose the best cloud for each workload, control costs and avoid vendor lock-in.
These are important attributes to help the federal government continue to migrate off unsecured and inefficient legacy systems. However, the downside is that every cloud provider has its own architecture, security model and services. That reality—coupled with legacy security approaches, including virtual private networks and firewalls—creates management and security challenges for agencies as they build a cohesive, efficient and secure multi-cloud environment. –Via: Nextgov
Our Take: The shift to application development for cloud environments presents tremendous opportunity for innovation while challenging the long-held notions of how to properly secure applications and environments. The author provides a thorough and thoughtful review of developing and securing applications in the traditional data-center environment, how it has shifted to an "Infrastructure as Code" (IaC) approach in a cloud environment, along with how it has disrupted the traditional division of labor. He defines what is meant by "developer" in this new paradigm and advocates for empowering this team so they can innovate faster than ever before.
However, organizations are using, or intend to use, a multi-cloud approach. The complexities of securing your organization's cloud environments are exacerbated by the differences in each cloud provider's services, architectures, and security models. In these IaC environments, there is a tremendous responsibility on the customer's developers to design the appropriate cloud security configuration. This is important, because each government agency, like each private organization, will have its own requirements that it understands better than any cloud provider could. The cloud providers are responsible for the framework and the physical security for the infrastructure and services they provide, but give responsibility to the customer for configuring these services to their requirements. This is defined by the cloud providers as "Shared Responsibility".
CISA seeks to alleviate some of that strain with the Secure Cloud Business Applications (SCuBA) project to help secure federal civilian executive branch (FCEB) information assets stored within cloud environments through consistent, effective, modern, and manageable security configurations. The baselines published recently are the first of many to come. These guidelines should be considered by all organizations to manage their information assets. (See CISA Seeks Feedback on Baseline Measures to Secure Cloud Configuration - Nextgov)
The opportunities for innovation presented by the shift to the cloud are coming to fruition. The key is to build and empower a team of cloud engineers with diverse skills to control this cloud architecture, embrace a security-first approach, and equip the team with tools from your cloud provider(s) and third-party providers. Keeping abreast of the latest security trends and guidance from governing bodies is important to making this shift quickly and fostering innovation while maintaining security. – Joe DiMarcantonio, PMP
Readers of our Newsletter: What’s working, what’s not, and what’s on your mind? Leave a comment below or email [email protected]. Thank you!