The purpose of this blog is to share from experience with both private and public organizations what is keeping CISO's awake at night following their digital transformation from on-premise to cloud hosted infrastructure.
As we get closer to 2020, the number of organizations moving from traditional on-premise infrastructures to fully cloud based, or hybrid-cloud solutions is rapidly increasing. In fact, Gartner are expecting that cloud market revenues for IaaS are likely to reach $67.4B by the end of 2020, up from $30B in 2017[1]. Such an increase suggests that earlier market scepticism of the benefits of moving infrastructure to the cloud is being allayed by Chief Information Security Officer (CISOs) in both public and private organizations as they realize the many benefits of such a model, such as:
Cost savings
- Removing the need to purchase, maintain and replace physical equipment
- Cheaper capacity planning for seasonal spikes
- Paying only for what you use
- Smaller internal staff required
Scalability
- Quickly being able to respond to changing business requirements
High availability
- The traditional need for remote site capacity is reduced
- Less technical expertise is required to manage the process
- Guaranteed uptime provided by the IaaS provider
This level of trust has not come without a cost to the service providers who now offer their clients transparency in terms of how they will secure their most sensitive data. The major players in the market, Amazon, Microsoft and Google spend vast sums on both technology and organizational security controls (as can be evidenced by the number of compliance certificates each hold) to the point that most private organizations cannot come close to matching the levels of security controls these organizations have in place for the physical data.
So, what is actually keeping CISO's awake at night following their digital transformation from on-premise to cloud hosted infrastructure?
Oversight of access to IaaS platforms
Many organizations have either some or all of their development services outsourced to other companies. Outsourcing software development provides obvious benefits to SMBs who may not have a requirement for a full-time development team. However, experience has shown me that the outsourced development teams in many cases have almost full autonomy over not only testing and development environments, but in some cases production environments as well. This generally means that they have privileged access to the production environment as they will often need to promote code, spin-up new servers and appliances, review logs etc. The level of access they have in some cases is a concern to the CISO who doesn't have the capacity internally to put in appropriate separation of duties.
A serious concern here for CISOs is not only the level of access that they have given their vendors, but how those vendors are managing such access. Research undertaken by North Carolina State University recently found that over a period of six months, over 100,000 code repositories on GitHub contained secret cryptographic keys or API credentials (including over 4,500 AWS Access Keys)[2].
Malicious actors are known to scan public repositories for regular expressions to find secret keys to IaaS platforms to either steal sensitive data or use the infrastructure to mine cryptocurrency. Such activities can lead to significant reputational damage or incurred costs for the use of the extra resources.
To help combat this, CISOs should be looking to available services that can help them to identify if their secret authentication details have been accidentally exposed on a public repository such as GitHub. A non-exhaustive list of such services includes:
Uncontrolled data loss and downtime
Considering the resilience offered by IaaS platforms, you would think that this would feature further down the list of concerns that CISOs have in relation to availability headaches that would have been encountered when data was held in on-prem environments. However, outsourcing this can still lead to services being offline for periods of time and as a CISO, you may have little no control over getting them back online again. In the best-case scenario, your users and clients have short term unavailability of your services but in the worst-case scenario you may suffer full scale, unrecoverable data loss.
Consider the example of Azure being so automated that it deleted client data due to a failure of a third-party service provider in January 2019. Reports have said that the root cause of the issue were a combination of both DNS issues and automated scripts. In this instance, Microsoft accidently deleted several Transparent Data Encryption (TDE) databases containing live client data. It is suspected that an automated process that drops databases if it cannot access its corresponding encryption key from the Azure Key Vault was triggered due to the DNS issue[6].
Database tables were able to be restored from a five-minute snapshot, but this was likely very little consolation to Azure clients who process large volumes of user transactions (for example: online gambling companies) where five minutes of downtime could mean the loss of thousands of client transactions.
To help combat this, CISOs should be looking at ways in which they can make their data more resilient so that even in the event of an outage that causes data loss, a carefully considered and planned infrastructure architecture provides recovery options to ensure that the impact to the overall business objectives is limited as much as possible.
Product misconfiguration
Ironically, the fast-paced nature of new features that are being implemented by IaaS providers means that organizations aren’t always getting the best value for money by using the features that are being made available. On top of this, the speed at which new products are being brought to market by the “Big 3” players mean there is a lack of qualified personnel with a sufficient level of knowledge to both manage and secure them appropriately. At the time of writing each of the “Big 3” players in the IaaS space were offering the following in terms of products:
|
AWS[7] |
Azure[8] |
Google Cloud[9] |
Product categories |
23 |
22 |
14 |
Product sub-categories |
182 |
244 |
153 |
The new product feature offerings that Cloud Service Providers (CSPs) are providing that enable the business are well worth the time and monetary investment, but the CISO needs to think strategically as to the pros and cons of implementing new features in a rushed or inconsistent manner.
We have seen recently how a lack of understanding in the secure configuration of provisioned cloud infrastructure has led to significant data breaches. Sophisticated hacking group “Magecart” of Ticketmaster and British Airways fame managed to compromise 17,000 domains over the past few months by scanning for misconfigured AWS S3 buckets, identifying JavaScript files and adding their own code to compromise credit card details. The worrying part about this is that AWS S3 buckets are secure “out-of-the-box”, which means that the misconfigurations have been made manually by the system administrators[10]. Again, this comes down to a lack of proper understanding of good practices and change management that should be instilled in organizations.
In conclusion, we have reviewed some of the common pain-points that CISOs are dealing with during the digital transformation from on-premise to cloud-based IaaS. Strong change and configuration management, supplier management, software development practices, system architecture planning, staff training, and external independent assurance are some of the ways in which CISOs can alleviate some of the problems that have become prevalent with respect to IaaS deployments over the past year.