Cloud Risk: Hype vs. Reality

By Michael A. Davis

Cloud service and channel providers can talk all they want about flexibility, reliability, availability, lower costs and future-proofed infrastructures. Until customer IT teams stop fixating on cloud’s perceived lack of security, we’re all just blowing smoke.

In survey after survey, when asked about inhibitors to cloud use, security and privacy dwarf concerns over performance, WAN cost, lock-in, integration, maturity of the model and pretty much everything else. Lately, as I’ve spent time speaking with partners and end customers about why that is, I’ve heard statements like, “All my data is comingled with everyone else’s!” and “I don’t want other people accessing my data!” and “Cloud services are public, I want my servers private!”

A lot has changed in the past few years, so let’s set the record straight: For the majority of small and midsize businesses, the cloud is a much safer place to store data than on-premises servers. That’s right, a security expert is saying that a move to the cloud actually enhances security.

Now, don’t run off with a copy of this article yelling, “See, I told you so!” just yet, because there are caveats. Partners have work to do in evaluating when a cloud implementation is secure and when it is not and explaining the customer’s responsibilities, as we’ll discuss. But overall, good security practices are in CSPs’ best interests. Just like a banking system, cloud is predicated on trust, and no provider can afford for customers to lose confidence. And so, as with banks, larger cloud providers invest heavily in the latest security technologies and the experts to run them. I’ve performed hundreds of security audits, and big CSPs consistently outperform even the largest enterprises in the world when it comes to implementing security consistently and thoroughly.

Not all cloud providers, especially smaller ones, do security equally as well, however. If you’re considering rolling your own cloud, whether for infrastructure, disaster recovery, VDI or what have you, I strongly advise you to ensure that security is up to par by commissioning external audits. If you’re building a service on top of a public IaaS provider such as AWS, Azure or SoftLayer, take steps to ensure that your security starts where its controls leave off. As a partner, before you recommend a boutique cloud provider, look long and hard at its investments in security products, processes and especially expertise. Do they compare with…

… a comparable service from a large provider?

Not that any network is bulletproof. Even the very biggest providers aren’t perfect. As a cloud reseller or implementer, it’s on you to verify that service offerings are configured properly. That entails an understanding of cloud providers’ underlying networks, which, as we discuss in “Want to Make More Rain? Squeeze the Big Clouds,” are constructed very differently and vary in how they implement security. A customer that depends heavily on Active Directory may be better off on Azure than AWS, for example, while an RHEL shop might prefer IBM SoftLayer, which incorporates OpenStack-based object storage.

Furthermore, the vast variety of cloud options make it entirely possible that a standard service, secure by default, could become vulnerable based on uninformed decisions. You can completely undermine the security of Amazon EC2 by choosing a poorly configured third-party Amazon Machine Image. To combat that, cloud providers are using security frameworks like the Cloud Security Alliance’s (CSA) Security, Trust & Assurance Registry (STAR), which has become the gold standard for cloud providers in terms of security controls and standards. Such guidelines have helped CSPs greatly enhance their default settings and what options are even available for configuration. For example, AWS offers a secure hardware security module to generate encryption keys and fine-grained access-control policy capabilities.

However, information security entails more than just what configuration settings you enable in the cloud or what encryption protocols may be used. Understanding where the cloud provider’s security stops and your responsibility starts is vital to understanding a customer’s cloud security risk.

Devil’s In the Data

Data security is an area where cloud providers push risk and responsibility back onto the customer. Do you sell email archiving? Then you’d better make sure that the service’s retention rules and encryption strength meet the customer’s compliance requirements. The cloud provider won’t. It may provide security at the network or system level, but your data is your data. Most contracts specifically limit the cloud provider’s liability in case it doesn’t do a good enough job and a breach occurs. Don’t expect an iron-clad guarantee of data security — or even that every provider will follow data-focused best practices mandated by regulatory agencies.

For example, very few cloud services encrypt by default because of the litany of decisions, including where keys and passwords are stored, who has access to the keys (and thus the data), whether data is encrypted in transmission and how any given application can access the encrypted data. Properly managing encryption is complex, but it’s critical. Just ask former Office of Personnel Management chief Katherine Archuleta, who was grilled by Congress in July as to why data on 4 million government employees was stored in the clear.

In many cases, a lack of transparency into what data security measures a CSP will and won’t provide makes it difficult for customers to understand …

… what liability they’re taking on when moving to the cloud. My advice is simple: Assume you or your end customer shoulders all liability and risk. For customers heavily invested in the cloud, recommend cyber-risk insurance as well as yearly assessments to ensure the environment is still as secure as when you set it up. I had a case where a client used a cloud provider that leveraged Amazon’s S3 storage service to provide the SaaS offering that the client purchased. The SaaS provider decided to move from S3 to a cloud storage provider (which shall remain nameless) without telling my customer. All the security reviews and assumptions we had made were now incorrect. The customer’s security changed dramatically with this unforeseen change and, without a yearly review, they wouldn’t have realized they now needed to encrypt their data, whereas before they did not.

Remember: The security of any data is ultimately the responsibility of the organization that collects it, regardless of who’s hosting or providing network connectivity. This separation of responsibility is a very important and often misunderstood portion of cloud security. A cloud provider may, and likely will, do a better job protecting data than an SMB could. But it does not assume responsibility in case of a breach.

A visual to help understand this transfer of risk is below. As you move customers from on-premises IT to a completely outsourced and managed infrastructure, the amount of responsibility the end organization owns is reduced and shared but never eliminated. As a partner, you always have some role in implementing security for customers.

Pull IT Shadow Into the Light

Speaking of risk, the biggest one is obliviousness. When executives or employees “go rogue” and use services without the business knowing, a data breach is only a corporate credit card and SaaS provider away. A client I worked with just two months ago ran a report on its Web filter for domains associated with cloud services. It had Dropbox and OneDrive in use by various employees — even though there was a corporation-wide agreement for everyone to get an approved Box document sharing account.

All of the security benefits we’ve discussed so far are applicable to consumer cloud services, but it doesn’t matter how well Dropbox hardens its network if end users don’t use encryption or strong passwords on their devices. One stolen tablet with easy access to a Dropbox account containing customer data could undo all your due diligence.

Now, we all hate passwords. They’re insecure, difficult to remember and usually shared among applications. To supplement passwords, two-factor authentication systems generate a second form of identity verification, such as an SMS text sent to a phone or a random number displayed in a mobile app. When end users log in and request access to certain data or cloud services, the 2FA provider validates the password and then asks for the additional text or numbers to validate the account further. It’s very effective at mitigating the No. 1 security risk for end users: phishing attacks that reel in valid user name and password combos. If the cloud service leverages two-factor authentication, the attacker won’t be able to get access to data even if the user did provide valid credentials.

This technology is beginning to go mainstream — Google has adopted it for all of its cloud services, and Amazon and Azure allow for a 2FA requirement for access to their portals, though not your customers’ servers or data. That leaves the reseller or end customer to implement and manage a two-factor method. Offerings such as Duo Security’s Push and Google’s Authenticator application integrate with many cloud providers’ networks and provide a massive risk reduction for little or no cost. My advice is to never spin up a cloud service without two-factor authentication.

Another cloud risk that customers don’t think about is …

… disaster recovery. Many assume that the cloud is automatically reliable and redundant, but that simply is not true. Outages at both Amazon and Google in the past year brought down some well-funded startups that didn’t plan appropriately. In some cases, end customers are stuck between a rock and a hard place, depending on cloud services that are stacked on top of one another. Now, there are miles of fiber and multiple regions, data centers and POPs in the mix. One outage at Amazon may bring down a few services, and all channel providers can do is wait. Any security audit should include reviewing disaster recovery strategies for all mission-critical providers; if a plan isn’t up to par for customer requirements, consider an alternate or supplemental service.

All of the risks we’ve discussed so far have rather straightforward solutions, whether via process, technology or evaluating different providers. There is one cloud risk, though, that simply doesn’t have a good answer: forensics. What happens if your customer’s cloud environment is hacked? Who do you work with to find out how it happened, who left the door open and what was taken? Who does the investigation and, maybe, prosecution?

Most of the forensics tools and processes used in the industry today are very on-premises focused. Some need disk or memory images, which might not be available from a cloud provider. For example, if a CSP doesn’t provide access to a raw disk image, you might not be able to work with the FBI or police. Since there is no easy way to solve this issue, the best bet is to maximize the logs available for any cloud service. Every time a user logs in or makes a change, that event should be logged and stored for review — outside the cloud and away from access by privileged, and possibly malicious, users within the customer’s company. While log files stored securely at a solution provider site may not be a perfect answer, it will help reconstruct the crime scene as much as is possible without forensic access to the CSP network.

When asked about cloud security, my stock answer is that it’s all about trade-offs, so confusion becomes the biggest risk. But that should not stop SMBs from heading to the cloud. Working with security-focused CSPs and knowledgeable solutions providers, including cloud brokers, makes all the difference. Where security is implemented, by whom, and visibility when it changes are all part of cloud security risk management, and end customers can’t be expected to have that level of technical knowledge. They’re trusting their advisers.

Channel partners cannot take this responsibility lightly. Knowing what type of security is required and when a custom solution is needed can add value to existing customer accounts in addition to being a differentiator when competing against other CSPs, just as banks use their security capabilities to stand out in a crowded market. Offering security services, including a brokerage practice with deep insight into CSPs’ offerings, yearly cloud security reviews, two-factor authentication and encryption management, will provide higher security, and ultimately, higher margins for your business.

As CounterTack‘s CTO, Michael Davis is responsible for driving the advancement of his company’s endpoint security platform, as well as leveraging his visionary approach to push defenders ahead of attackers. He has earned a reputation as one of the nation’s leading authorities on information technology.

LinkedIn: www.linkedin.com/in/michaeladavis

Twitter: @countertack