Tackling Cloud Security Challenges: A real-world approach

Cloud Security challenges you will come across and how to overcome them.

Whether they’re already using cloud services, or still on the fence about adopting them, there are many security challenges and barriers that organizations should never ignore. In this podcast, our host Karl Culley asks Lee Newcombe, our cloud security expert, about why it’s so important to choose the right cloud governance model, which specific security threats organizations should focus on, and what trends currently drive cloud security vendor and provider perspectives.

Transcript

Karl Culley:
Welcome to this Capgemini podcast on cloud security. I’m your host Karl Culley, and this podcast is part of a series, a podcast series on cybersecurity. It’s my pleasure to be joined today by Capgemini cybersecurity expert Lee Newcombe. Welcome, Lee.

Lee Newcombe:
Hi, Karl. Thanks for that. Yeah, my name is Lee. I sit within the Center of Excellence for Capgemini’s UK cybersecurity unit. My primary focus is on cloud security. I’ve been working in infosec since ’98 and cloud since 2008. Outside of Capgemini, I’ve also chaired the UK chapter of the Cloud Security Alliance for around the last 18 months or so.

Karl Culley:
Great. Well, thank you for the introduction, and it’s great to have you on board, of course. So perhaps we could start off by talking about governance and ownership. It’s often right at the top of the list of cloud concerns for organizations migrating into the cloud and driving their cloud strategy. Could you talk about some of the issues, Lee?

Lee Newcombe:
Sure. They’re definitely great places to start. Unfortunately, it’s not always where organizations adopting cloud actually do start. Too many jump straight to the technology, and the problem with not having the appropriate governance and ownership structures in place, and by ownership I’m talking things like ownership of cloud strategy and cloud risk, is that you end up with no consistency across the enterprise. Different business units will adopt different cloud suppliers and different security models.

Lee Newcombe:
Now, I’m not saying that adoption of different technologies to achieve different business outcomes is wrong, by the way. Just that these decisions need to be made within some kind of agreed governance model rather than just by the personal preference of whichever individual is currently driving a project. Without those structures in place, you will often see duplication and huge problems with shadow IT, and I think we’ll get onto that in a little bit more detail later on.

Lee Newcombe:
Governance structures are also an issue for information security capabilities. Traditionally, we’ve had discrete, centralized information security functions, creating standards, dictating what is and is not acceptable via quality gates and then operating technical security controls. But in the new world, we see different approaches, with security resources being embedded within DevOps teams, and the centralized functions focusing much more on a standard setting and becoming more of a trust-but-verify function, more of a we-will than a thou-shalt approach.

Karl Culley:
Well, it seems like it’s had the word flung about too often, I think, but this holistic approach, right? It’s a nuanced approach that an organization needs to make.

Lee Newcombe:
Yeah. You can’t just focus on the technology. And obviously, if you just focus on the governance, then you don’t have any services to rely upon. But you have to get all the different stakeholders on board. So, agree on the process from the top. Get the buy in from your senior stakeholders and then get them to push that down onto the individual project teams.

Karl Culley:
Okay, and you made reference to shadow IT. This is an intriguing sounding thing, but as far as I understand it, well, it’s also known as stealth IT or client IT. While my knowledge is, of course, limited in comparison to yours, but [these are] systems built and used within organizations without explicit organizational approval. It sounds a bit rogue to me. Would that be accurate to say that or not?

Lee Newcombe:
Yeah, I think it’s fair. I don’t think it’s usually done maliciously, but shadow IT is where business users or in some cases business units go off and procure their own IT services without going through the standard IT and procurement channels. As I said, it’s not usually done maliciously, it’s just because individuals want to get on with their job and they’ll see the standard processes as being too slow or maybe too cumbersome. And in some ways it’s very much a symptom of not having the appropriate governance structures in place that I mentioned earlier on because, if you’ve got those structures right, then people can go off and spin up their own services using those appropriate structures rather than feeling like they have to go off and do it by themselves.

Karl Culley:
Okay, and what kind of problems can this lead to?

Lee Newcombe:
Well, I am aware of one global organization which discovered that they were operating something like 4,000 different SaaS services.

Karl Culley:
Wow. Wow.

Lee Newcombe:
They were aware of 400 of them. They did have 400 in their configuration management database, but that did leave something like three, three and a half thousand SaaS services they didn’t really know who’d done it. They could just see that data was going out there and that people were accessing their services via the interwebs. So, it’s a massive area of risk from a GDPR perspective, because it’s very hard for organizations to claim control over their usage of personal data if they have no idea the whereabouts in the internet that data sits.

Lee Newcombe:
So, for example, if this is shadow IT and it’s just an individual business unit or business user going off to procure a system, they wouldn’t have gone through the Data Privacy Impact Assessment process. They probably wouldn’t really be aware of Privacy by Design processes either, which just exposes the organization to that kind of regulatory risk.

Karl Culley:
So, could we go on to talk a little bit about, well, I touched upon it, but some of the technical issues resulting from cloud security concerns and some of the latest methods employed to combat these threats?

Lee Newcombe:
Yeah. As just mentioned, I’ve been doing cloud security since about 2008 and there are probably three key issues when it comes to cloud that crop up with just about every client. Those are identity management, security monitoring, and the management of encryption keys.

Lee Newcombe:
Now, the management of identity is key when it comes to securing cloud services. So where is your master source of identity going to sit? Do you have an existing identity management solution that you’re going to extend into the cloud? Or are you going to go away and build a new one from scratch? Then you have to start thinking about your privileged users. So how are you going to manage the identity and entitlements of your administrator to users? And how can you keep track of what it is that those guys are doing on the cloud services that they operate?

Lee Newcombe:
Now, the major cloud providers do offer native capabilities in these areas, but some of the terminology and functionality differs from the on-premises equivalent. So, if you start thinking about your active directory, it’s not the same as traditional on-premises active directory. So, there’s a really good example there in terms of the authentication mechanisms supported by both of those two products. So, active directory can do all of the traditional Windows authentication mechanisms, whereas your active directory is much more focused on the newer web-style authentication mechanisms.

Lee Newcombe:
Security monitoring is also a fun topic. If you’ve already got a trusted security-monitoring solution for your on-premises kit, are you going to be happy to take an event from a semi-trusted cloud service over the internet? I’m seeing more organizations moving towards a distributed approach to security monitoring, where the initial collection analysis takes place within the cloud platform, but with key incidents then being passed back towards the central monitoring solution that’s maybe on-premises or could indeed be on the cloud itself.

Lee Newcombe:
Now, this approach also allows cloud consumers to take advantage of the rapidly evolving native capabilities. So you’ve got things like GuardDuty on Amazon and Sentinel on Azure. So, GuardDuty is very much about threat intelligence, whereas Sentinel is pretty much a fully functional security-monitoring solution based on Azure.

Lee Newcombe:
Now, the last one I mentioned, though, is encryption keys. Many cloud providers offer native encryption for data at rest and data in transit, but the security of that encryption relies upon the security of the keys used to encrypt the data. Consumers of cloud services can choose to rely upon the key-management capabilities of the cloud providers or they could perhaps look to manage their own keys outside of the cloud provider, then input those keys into the cloud to encrypt the data. This is typically the case where consumers have a requirement to ensure that the cloud provider staff can’t access their data. I’d usually try to avoid managing my own keys as the potential availability outage if I lose them will usually outweigh that perceived, marginal gain in theoretical confidentiality, because the problem with encryption keys are if you lose them, then you can’t access the data that you’ve encrypted.

Karl Culley:
I see. I see. What is the percentage of organizations now relying on these native capabilities of Sentinel and so forth. Is it burgeoning, and more and more are organizations doing that?

Lee Newcombe:
It’s an interesting one. So, you have to think about the different models that the cloud providers are taking. So, when you start thinking about Microsoft and the Azure and Office 365 capabilities, if you go with their top license, the E5 license, then you get an awful lot of security goodies thrown in. So, you get a cloud access-security broker via cloud app security. You get lots of fancy identity-management capabilities. You get the Azure Security Center. And that’s all built into the E5 license at that point, so you’ve paid for it. So organizations feel like they should probably make the most of that and go off and use it.

Lee Newcombe:
The Amazon model is slightly different, but what you do see is all of the major cloud providers starting to step on the toes of security vendors, be that monitoring, be that identity management. You’ll probably see it going into other areas soon as well. Particularly on things like cloud-security assessments, where you can do things with AWS Inspector or Azure Security Center to go off there and start doing the vulnerability management that you might typically go off and buy a third-party product for. So it’s an evolving picture.

Karl Culley:
Okay. So, people sometimes talk about cloud security as if it’s a separate discipline to traditional security. Do you think that’s fair, is that a fair thing to do?

Lee Newcombe:
Yes and no. The overall principles of security remain the same. You’ve got to protect the confidentiality, integrity, and availability of business services and the data they rely upon. However, security models are changing, so we’re moving more towards a zero-trust approach, which sounds very fancy, but it’s essentially about context-driven security where you grant access to services on a per-request basis depending upon the context of the user, their device, and the data or service it is that they want to access, rather than relying upon the more traditional static network-perimeter-based security models.

Lee Newcombe:
So, cloud security also does offer small automation and dynamic security capabilities that we’ve traditionally had on-premises. So, there are some differences coming down the line there. Got to recognize that there isn’t necessarily that clear delineation between consumer responsibilities and cloud-provider responsibilities, because if you, for example, went ahead and did an application-level penetration test, you might pick up the SSRF but not really figuring out how that could be used. And if you just focus on infrastructure-level testing, then you won’t really be aware of the risk that’s posed to that infrastructure via the SSRF.

Lee Newcombe:
So, going back to that point you made earlier on about holistic security, this is a really good example of where you have to be aware of both the traditional security issues and the more cloud-focused ones as well.

Karl Culley:
Okay. Well, perhaps we could finish up by talking about the future of cloud security and something in particular, the FaaS, or I don’t know if I’m pronouncing it correctly, but F-A-A-S, Function-as-a-Service. Lee, am I pronouncing it correctly?

Lee Newcombe:
I tend to go FaaS, but I’m from the North of the UK, so my pronunciation is always a little bit regional. So FaaS is Function-as-a-Service. So, with Function-as-a-Service, you’re building your application a function at a time. So, you don’t just have a single monolithic application set running at all times. Instead, you’ve got a set of functions that are executed on demand.

Lee Newcombe:
So, these functions can be triggered by events like the receipt of an HTTP request, maybe somebody wants to access a webpage, or maybe by a file being dumped in a storage repository, or any other number of events. The different FaaS offerings have got lots of different triggers that could be used to trigger them, the key being that a function is triggered. It executes and then it exits. And these things are all truly ephemeral, with a default timeout for Amazon Lambda, which is the best known of the FaaS services, to be honest, being around 15 minutes. I think with Azure functions, it might be 10 minutes, but configurable.

Lee Newcombe:
But this obviously has implications for the security approaches you can take because you just dump your function code into these services and they’ll run, but you don’t have access to the underlying operating system, so you can’t install your security tooling into the host. And you don’t particularly want to be adopting security tooling that calls out to the internet to do fancy machine-learning checks because you’re going to be time-latency and connectivity constrained within these functions.

Lee Newcombe:
We need to think about which security controls need to be embedded within the actual code that’s being run, with instrumentation of that code to provide the observability we need being a key factor. So we need to make sure that the code we’re running emits all of the events that we need to make sure that we know exactly what’s happening with the functions that were running.

Karl Culley:
Great. Great, and you touched upon machine learning, so what kind of a role do you think machine learning and AI have to play in the future of cloud security?

Lee Newcombe:
When you start thinking about the scale of the services that we’re putting onto the cloud, in some ways that kind of anomaly detection that machine learning and AI can give you is going to be necessary because it can identify what normal good behavior looks like and then call out events and incidents that sit outside of that known good baseline, at which point you do have to have trained analysts go in there and make sure that this is something that actually needs to be worried about rather than being a false positive. But if you have certain types of anomalies that you know are malicious, what you can also do at that point is then automate how you respond to them, going back to the Functions-as-a-Service point.

Lee Newcombe:
What you can do is if you identify an event in the logs that you know is malicious, you can use that event to fire off a function and then automatically respond to that using something like a Lambda, or an Azure function if you’re working in the Azure space. So the AI and the machine learning gives you that ability to scale up without necessarily having to have lots more security analysts on board doing this stuff.

Karl Culley:
Well, it is a fascinating topic. And I think that brings us pretty much to the end of the podcast, but thank you so much for joining us, joining me and our listeners.

Lee Newcombe:
Thank you, Karl. It was a pleasure.

Karl Culley:
So please tune in next time when I’ll be talking to a very special guest, Luis Delabarre on Zero Trust Architecture.