Data breaches continue to make the headlines, with the cost of breaches reaching a record high in 2021. According to the IBM Cost of a Data Breach Report 2021, the average cost of a stolen data record now stands at $161, and the average overall cost of a data breach incident stands at $4.24 million. Not only are the costs of data breaches skyrocketing, but organizations and the service providers that protect them are more vulnerable to breaches than they’ve ever been before – which is why a joint security strategy between these two players is so important.
These escalating market trends are being driven in large part by the dramatic shift in operational models during the last year as well as the resulting gap between getting the right infrastructure in place and deploying the right security to protect it. Moving to the cloud, or adopting a hybrid model, was pivotal to sustaining business when the pandemic hit. The cloud offered greater flexibility, scalability, and more cost-efficiencies, with the option to pay only for the capacity used. To take advantage of these benefits and make the shift, many companies turned to or extended their partnerships with service providers. While this decision helped companies get their infrastructures in place, it also left them vulnerable to new threats.
It’s clear from the situations that we’ve seen across our own client base that service providers offer one of the best hunting grounds for malicious actors. Through this high-value channel, criminals can compromise a single service provider and gain access to the infrastructure of multiple clients, particularly if they share the same credentials and management tools.
It’s a huge risk to bear, but companies are not going to reverse their cloud strategy, and nor can they tolerate security breaches that put both revenue and reputation at risk. The way forward is to address and mitigate the security challenges, which requires a collaborative strategy between service providers and their clients.
What does this look like? There are six tactics service providers, and their clients, need to keep top of mind when developing a joint security strategy.
1. Authentication
Multi-factor authentication (MFA) is a must both for the client and for employees of any service provider connecting to the cloud. An even better option is to employ the services of an identity provider to verify users, store their details and facilitate single sign-on.
To connect to the cloud environment, you can also use access keys, which is very common in the cloud. Access keys function like a password, and it is good practice to rotate and reset them regularly. This is especially important if you have highly sensitive data on the network.
But keys only work if they are applied consistently across all your cloud environments and all users. That’s because of the interdependency between business functions. For example, in the cloud, firms typically have multiple environments for quality assurance, development, production and so on. If a security strategy is only applied to part of the business and not to others, there’s a higher propensity for risk. That’s because attackers who infiltrate a non-production environment can leverage it to gather valuable information about the setup of the production environment. A potential attacker, for instance, could enter a development environment because it is less secure and move into production accounts, where there is real data. Closing any gaps like this must be a priority.
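The consistency check described above, written out as an added example that is not part of the article: it walks an inventory of access keys across every environment (production, development, QA) and reports any environment where key rotation or MFA enforcement has lapsed. The inventory, the 90-day rotation limit and the fixed "today" date are constructed assumptions for the example.

```python
"""Consistency audit of credentials across cloud environments (added example, not the
article's code). The inventory below is constructed sample data, not real keys."""
from datetime import date

ROTATION_MAX_DAYS = 90            # assumed rotation policy
TODAY = date(2021, 10, 1)         # fixed so the example is deterministic

# Constructed inventory: one row per access key, covering every environment, not just prod.
INVENTORY = [
    {"env": "prod", "user": "alice",        "key_created": "2021-08-15", "mfa": True},
    {"env": "prod", "user": "svc-backup",   "key_created": "2021-09-20", "mfa": True},
    {"env": "dev",  "user": "alice",        "key_created": "2021-01-10", "mfa": False},
    {"env": "qa",   "user": "contractor-1", "key_created": "2020-11-02", "mfa": False},
]


def key_age_days(row, today=TODAY):
    """Days since the key was created."""
    return (today - date.fromisoformat(row["key_created"])).days


def audit(inventory, today=TODAY, max_age=ROTATION_MAX_DAYS):
    """Return {environment: [(user, [issues])]}; an empty dict means the policy holds everywhere."""
    findings = {}
    for row in inventory:
        issues = []
        if key_age_days(row, today) > max_age:
            issues.append(f"key older than {max_age} days")
        if not row["mfa"]:
            issues.append("MFA not enforced")
        if issues:
            findings.setdefault(row["env"], []).append((row["user"], issues))
    return findings


def environments_out_of_policy(inventory, **kwargs):
    """Sorted list of environments with at least one finding: the gaps an attacker would use."""
    return sorted(audit(inventory, **kwargs))


if __name__ == "__main__":
    for env, rows in audit(INVENTORY).items():
        for user, issues in rows:
            print(f"{env}: {user}: {', '.join(issues)}")
```

Running it shows that production looks clean while the development and QA environments, where the same user "alice" holds a stale key with no MFA, are the weak points, which is exactly the gap the paragraph above warns about.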
2. Access permissions
If a service provider has access to a customer’s cloud environment, then the diligent management of permissions is critical. For example, if an admin-level user working for the service provider has full control of a customer’s environment, including the network settings, databases, and workloads, then that admin user has the capacity to make changes, and worst case, sabotage the company.
Permissions must therefore be set for each user according to their role, both within the company and at the service provider. A fundamental rule of security is to grant users the minimum level of access they need to do their jobs. This is known as the principle of least privilege.
If this standard is supported by a regular review of the access privileges of current and departing users, then there is more certainty that the right permissions will be maintained – or revoked in a timely way.
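An added example, not from the article, of the two reviews just described: a least-privilege check over IAM-style policy documents that flags statements granting wildcard actions or applying to every resource, and an access review that lists departed users to revoke and users whose last review is overdue. The policies, user list and 90-day review interval are constructed assumptions.

```python
"""Least-privilege and access-review checks (added example, not the article's code).
Policies and users below are constructed sample data in an AWS IAM-like shape."""
from datetime import date

# Constructed sample policies attached to service-provider roles in a customer account.
POLICIES = {
    "sp-admin-legacy": {
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
    },
    "sp-db-operator": {
        "Statement": [
            {"Effect": "Allow",
             "Action": ["rds:DescribeDBInstances", "rds:RebootDBInstance"],
             "Resource": "arn:aws:rds:eu-west-1:111111111111:db:customer-app"},
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},   # far broader than a DB operator needs
        ]
    },
}

# Constructed access list: who holds access, where they work, whether they have left.
ACCESS = [
    {"user": "alice", "org": "client",   "departed": None,         "last_review": "2021-09-01"},
    {"user": "bob",   "org": "provider", "departed": "2021-06-30", "last_review": "2021-03-01"},
    {"user": "carol", "org": "provider", "departed": None,         "last_review": "2021-03-01"},
]


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def policy_findings(name, policy):
    """Findings for Allow statements that grant more than a role-scoped permission set."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        wildcards = [a for a in actions if a == "*" or a.endswith(":*")]
        if wildcards:
            findings.append(f"{name} stmt {i}: wildcard action(s) {wildcards}")
        if "*" in resources:
            findings.append(f"{name} stmt {i}: applies to every resource")
    return findings


def access_review(entries, today, max_review_age_days=90):
    """Split users into those to revoke (departed) and those whose review is overdue."""
    revoke, rereview = [], []
    for e in entries:
        if e["departed"]:
            revoke.append(e["user"])
        elif (today - date.fromisoformat(e["last_review"])).days > max_review_age_days:
            rereview.append(e["user"])
    return revoke, rereview


if __name__ == "__main__":
    for name, policy in POLICIES.items():
        for f in policy_findings(name, policy):
            print(f)
    print("revoke / re-review:", access_review(ACCESS, date(2021, 10, 1)))
```

The check is deliberately strict about `*` and `service:*`: a statement that legitimately needs a broad permission should be the exception a reviewer signs off on, not the default.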
3. Internet-facing resources
Mitigating risk across an external attack surface is an important component of a cloud security strategy. To strengthen their security posture, organizations should ask themselves questions like: Which of my resources are publicly accessible in the cloud environment? Are they public by design? What sensitive information might be exposed?
During the pandemic, we saw many organizations take shortcuts in their journey to cloud. This was a common scenario. A developer needed to deploy an urgent hotfix in the cloud environment. A DevOps team lead responded by opening direct access to servers or databases deployed in the cloud. The developer got to work, and the fix was applied. However, no one was responsible for closing the access.
The end result? A hole that can be exploited by attackers. Hackers are continuously scanning for vulnerabilities like this. It’s a veritable gold mine if they can find an unsecured portal that provides access to information that shouldn’t be on public view.
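The questions from the paragraph above ("Which resources are publicly accessible? Are they public by design?") can be turned into a repeatable check. The following is an added example, not code from the article: it evaluates ingress rules in a security-group-like shape, flags anything open to the whole internet on a sensitive port (the forgotten hotfix scenario), and treats any other world-open port as a finding unless it appears on a reviewed "public by design" list. The rules, port list and allow-list are constructed assumptions.

```python
"""Exposure check for cloud firewall / security-group ingress rules (added example,
not the article's code). The rules and allow-list below are constructed sample data."""
import ipaddress

# Constructed sample ingress rules. Protocol "-1" means all protocols and ports (AWS convention).
RULES = [
    {"group": "web-prod", "proto": "tcp", "from_port": 443,  "to_port": 443,   "cidr": "0.0.0.0/0"},
    {"group": "db-prod",  "proto": "tcp", "from_port": 5432, "to_port": 5432,  "cidr": "0.0.0.0/0"},      # the hotfix nobody closed
    {"group": "db-prod",  "proto": "tcp", "from_port": 5432, "to_port": 5432,  "cidr": "10.0.0.0/8"},
    {"group": "bastion",  "proto": "tcp", "from_port": 22,   "to_port": 22,    "cidr": "203.0.113.0/24"},
    {"group": "legacy",   "proto": "-1",  "from_port": 0,    "to_port": 65535, "cidr": "::/0"},
]

# The answer to "public by design?": (group, port) pairs that were reviewed and approved.
PUBLIC_BY_DESIGN = {("web-prod", 443)}

# Ports that should never be reachable from the whole internet.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis", 27017: "mongodb"}


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a prefix that matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_rules(rules, public_by_design=PUBLIC_BY_DESIGN):
    """Return (group, cidr, reasons) for each rule that exposes something it should not."""
    findings = []
    for r in rules:
        if not is_world_open(r["cidr"]):
            continue                       # restricted source range: not an internet exposure
        lo, hi = (0, 65535) if r["proto"] == "-1" else (r["from_port"], r["to_port"])
        sensitive = [name for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]
        if sensitive:
            findings.append((r["group"], r["cidr"], sensitive))
        elif lo != hi or (r["group"], lo) not in public_by_design:
            findings.append((r["group"], r["cidr"], [f"unreviewed public port range {lo}-{hi}"]))
    return findings


if __name__ == "__main__":
    for group, cidr, reasons in exposed_rules(RULES):
        print(f"{group} open to {cidr}: {', '.join(reasons)}")
```

Run periodically against exported rules rather than once: the paragraph's point is that exposures appear after a deployment is "done", so the check has to outlive the change that created them.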
4. Logging
To properly monitor and audit security practices, it is essential that logs are enabled and stored in a central location. It’s now common practice for cloud SLAs to include logging capabilities. The logs record network traffic as well as actions taken by users and machine identities in the cloud to help identify and address anomalies in user behavior and network activity.
However, time and again we hear of firms that have overlooked significant parts of their cloud environment and only enabled logs for specific elements or locations. This creates security blind spots and makes a single complete view of a security infrastructure impossible.
It’s a security best practice to centralize logs and store them in one location in a special vault account with restricted access to avoid accidental or deliberate deletion by an attacker.
5. Threat detection and response
Every security strategy should be built around this premise: Determined hackers will get in. For example, they could exploit a vulnerability in an internet-facing server, use stolen credentials or use one of the initial access techniques from the MITRE ATT&CK framework for Cloud.
Therefore, service providers and businesses alike should continuously monitor the activity happening in the cloud environments so they can detect deviations from known patterns of behavior, both within the data plane and the control plane of the cloud. They also should monitor the activity of both human users and machine identities – often, however, monitoring tools track only one or the other.
When preparing the incident response plan, the strategy should clearly define the responsibilities of all the parties involved and account for the impact of the shared responsibility model, including the roles and responsibilities of the Cloud Service Providers (CSPs).
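An added example, not from the article, of the monitoring the two paragraphs above call for, run over the centralized logs from tactic 4: a handful of constructed events in a CloudTrail-like shape (a subset of the real field names) are checked for a console login without MFA, an identity acting from a source address outside its baseline, and a machine identity making a control-plane (configuration) change when it is only expected to touch the data plane. The events, the per-identity IP baselines and the list of roles allowed to change configuration are constructed assumptions.

```python
"""Detection rules over centralized cloud audit events (added example, not the article's
code). Events below are constructed samples in a CloudTrail-like shape, not real logs."""
import json

EVENTS = [json.loads(line) for line in """
{"eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.10","additionalEventData":{"MFAUsed":"Yes"},"awsRegion":"us-east-1","managementEvent":true}
{"eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.77","additionalEventData":{"MFAUsed":"No"},"awsRegion":"us-east-1","managementEvent":true}
{"eventName":"GetObject","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111111111111:assumed-role/app-worker/i-0abc"},"sourceIPAddress":"10.0.1.5","awsRegion":"eu-west-1","managementEvent":false}
{"eventName":"AuthorizeSecurityGroupIngress","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111111111111:assumed-role/app-worker/i-0abc"},"sourceIPAddress":"10.0.1.5","awsRegion":"eu-west-1","managementEvent":true}
{"eventName":"ListBuckets","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"192.0.2.200","awsRegion":"ap-southeast-1","managementEvent":true}
""".strip().splitlines()]

# Constructed baselines: where each identity normally connects from.
KNOWN_SOURCES = {"alice": {"203.0.113.10"}, "bob": {"198.51.100.77"}, "app-worker": {"10.0.1.5"}}

# Machine identities that are allowed to change configuration (control plane). app-worker is not.
MACHINE_CONTROL_PLANE_OK = set()


def identity_of(event):
    """Return (name, kind) where kind is 'human' for IAM users and 'machine' for assumed roles."""
    ui = event["userIdentity"]
    if ui["type"] == "IAMUser":
        return ui["userName"], "human"
    # assumed-role ARN ends in .../assumed-role/<role-name>/<session-name>
    return ui["arn"].split("/")[1], "machine"


def detect(events, known_sources=KNOWN_SOURCES, machine_control_ok=MACHINE_CONTROL_PLANE_OK):
    """Apply three rules to every event; returns a list of (rule, identity) alerts."""
    alerts = []
    for e in events:
        who, kind = identity_of(e)
        mfa = e.get("additionalEventData", {}).get("MFAUsed")
        if e["eventName"] == "ConsoleLogin" and mfa != "Yes":
            alerts.append(("login-without-mfa", who))
        if e["sourceIPAddress"] not in known_sources.get(who, set()):
            alerts.append(("new-source-ip", who))
        # Control-plane changes by a workload role are rare and worth a human look.
        if kind == "machine" and e["managementEvent"] and who not in machine_control_ok:
            alerts.append(("machine-control-plane-change", who))
    return alerts


if __name__ == "__main__":
    for rule, who in detect(EVENTS):
        print(f"{rule}: {who}")
```

Both human and machine identities pass through the same rules, which is the point the paragraph makes about tools that only watch one of the two; the baselines would normally be learned from history rather than hard-coded.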
6. Cyber-awareness training
And finally, it is essential for service providers and their clients to have regular training updates on cloud security. This should cover phishing and social engineering, along with other topics such as common errors and misconfigurations in the cloud. Cyber awareness training should not be viewed as a tick-box exercise; rather, it should be repeated regularly to ensure existing and new employees are kept up to date with the threat landscape.
For example, service providers sometimes create generic tools that will work for many of their clients and publish the code in a public code repository. It sounds fantastic, but not if you forget to remove customer-specific details such as account IDs or resource names that would identify the end customer.
Samsung was a victim of this oversight when it was subject to a code leak. It could easily have been prevented with the proper training and underlines why it is imperative to ensure the code has no access keys, machine names, or IP addresses included.
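Training reduces this mistake, but a pre-publish check catches it when training does not. The following is an added example, not code from the article or from any vendor: a small scanner that flags the kinds of customer-identifying details the paragraphs above list (access key IDs, account IDs, IP addresses, internal hostnames) in a source file before it is pushed to a public repository, and a scrub step that replaces them with labelled placeholders. The patterns and the sample file are constructed assumptions; the access key ID in the sample is the well-known documentation example value, not a real credential.

```python
"""Pre-publish scan for customer-identifying details in code (added example, not the
article's code). SAMPLE is a constructed file; the key ID is the public AWS docs example."""
import re

# Constructed patterns for the identifiers the article names. Tune to your own environment.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_account_id":    re.compile(r"\b\d{12}\b"),
    "ipv4_address":      re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "internal_hostname": re.compile(r"\b[a-z0-9-]+\.(?:internal|corp|local)\b"),
}

SAMPLE = '''
# constructed snippet of a "generic" tool that still carries one customer's details
REGION = "eu-west-1"
ACCOUNT_ID = "111111111111"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
DB_HOST = "10.20.30.40"
BASTION = "jump-01.corp"
def resource_arn(bucket):
    return f"arn:aws:s3:::{bucket}"
'''


def scan(text):
    """Return (line_number, kind, match) for every identifier found; empty means clean."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append((lineno, kind, m.group(0)))
    return findings


def scrub(text):
    """Replace each match with a labelled placeholder so the tool can be published."""
    for kind, rx in PATTERNS.items():
        text = rx.sub(f"<REDACTED:{kind}>", text)
    return text


if __name__ == "__main__":
    for lineno, kind, value in scan(SAMPLE):
        print(f"line {lineno}: {kind}: {value}")
    print(scrub(SAMPLE))
```

A scan like this belongs in the repository's pre-commit or CI step rather than in a reviewer's head: the article's point is that the person publishing the tool is the one most likely to forget.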
The value of a dedicated strategy
When combined, the six steps above can be used to underpin a cloud security strategy and ensure that the benefits the cloud will bring to operational performance and productivity are never undermined. But it will take dedicated collaboration between a service provider and its clients, plus a cohesive joint strategy, to ensure a security posture that is not just fit for today’s threats but also for those of tomorrow.
Eyal Arazi, cloud security products, Radware