Trustwave Blog

What a CISO and A 'Hacker' Really Think About Cloud Security

Utilizing the cloud in some capacity for your organization’s infrastructure – whether hybrid or public – has immense benefits. CIOs have essentially come to a consensus that the cost savings, flexibility and seamless collaboration the cloud provides are hard to live without. Most recently, IDC has projected that cloud computing could help prevent more than one billion metric tons of CO2 emissions in the next three years.

The highly touted benefits seem like they should give all organizations the confidence to move the majority of their data to the cloud.

However, there is still one characteristic of the cloud that is overlooked in some circles – security.

The Market’s General Perception of Cloud Security

If you did some quick research on cloud security, you’d find far more content promising that the cloud is actually much more secure than on-premises infrastructure than content questioning that claim. And organizations are putting faith in what they’re hearing. A Deloitte survey of more than 500 IT leaders and executives revealed that security and data protection are their top drivers for initiating a cloud migration. Meanwhile, the 2020 Global Encryption Trends Study by the Ponemon Institute reports that more than half of its almost 6,500 respondents say their businesses use cloud technology to transfer or store data – whether or not that data is encrypted or otherwise protected by any security mechanism.

But when you speak with security practitioners themselves, their take on cloud security still comes with some caution.

The Cloud Makes Business Easier But Brings Higher Stakes for Security

Trustwave CISO David Bishop and Mark Whitehead, global vice president of Trustwave SpiderLabs Consulting, come from two different sides of security. David is traditionally on ‘defense’ – his goal is to keep top global cybersecurity organizations safe from attackers looking to make a name for themselves or exfiltrate data from high-profile clients. Mark is on ‘offense’ – he leads a team of elite white hat hackers who are commissioned to conduct penetration testing and Red Teaming for enterprises and government agencies across the world. His team is tasked with emulating advanced hackers and their sophisticated techniques to find security holes before real malicious hackers do.

We asked them to share their opinions on cloud security and take a hard look at the challenges and mindset required to make the cloud a secure place for organizations’ valuable data.

Is the transition to the cloud a dangerous time for organizations? How can organizations do it safely (outside of the basics)?

Mark: During the transition to the cloud, your organization is breaking things; you’re changing connections, permissions, and other built-in security functions. There are a lot more alerts being flagged in the security operations center that are ‘mundane’. And all of that is the perfect cover for an attacker.

As ‘attackers’, we know that there will be more eyes-on-glass fatigue during this environment change period. So if we catch wind of this shift, we can bank on IT folks, by default, attributing those additional alerts or issues to the migration.

David: Complexities exist in every facet when transitioning to the cloud. It’s a massive project. Some have adopted a hybrid environment to transfer data to the cloud and explore its capabilities gradually. This way, you can execute on a big transition chunk, assess if anything is broken, and either move forward or revert quickly. During this time, it’s important to have a dedicated workforce – whether in-house or third-party – who are capable of recognizing configuration requirements and identifying needs for compliance and security at each phase of the transition. Otherwise, attackers who aren’t as ‘friendly’ as Mark’s team could take advantage of where you are in the migration and potentially go undetected until sometime later. Advanced actors will begin assimilating usual and normal traffic patterns and go undetected from anomalous behavior in the environment.

It is imperative to do in-depth security testing and Red Teaming once architecture backbones are in place along the way to ensure you don’t have a false sense of security.

We frequently hear about the mass scale and traffic the cloud produces. Does more scale and traffic mean more opportunities for hackers?

David: From an attacker’s standpoint, the cloud has made it much easier to launch attacks that blend into regular, everyday traffic. A handful of free cloud provider resources can give a hacker a free account with no or obfuscated attribution that becomes a needle in a haystack against otherwise normal traffic.

Mark: In general, the cloud has drastically increased hacker anonymity through the ability to chain these resources David mentioned to make detection and attribution much more challenging. This used to be challenging to implement, but now it is easier than ever and executable at a much lower cost for attackers.

How important is it to understand the changes in identity and access management in the cloud?

Mark: Very. Everybody thought that the cloud was going to fix identity and access management, but it really just introduced a different model of problem sets that we have to worry about. And whether the data is in the cloud, native, or hybrid-located, all three of those scenarios rely on common fundamental components. These fundamental components have the same strengths and weaknesses as the technology we have relied on for 20+ years, i.e., Active Directory, permissions, passwords, and known and unknown exploitable vulnerabilities.

In the cloud, organizations are now potentially handing over the keys to their data and networks to third parties, and that’s a big security risk no matter who it is. We’ve seen this play out in the SolarWinds attack.

David: Anyone who is doing cloud security must look at the shared responsibility model as well as configuration models and fully understand their components, because security obligations have dramatically shifted in the cloud. Software-defined environments enable limitless options and capability – while similarly introducing security configuration oversights and misgivings.

I always look at it from the standpoint of simplicity to complexity. As the cloud becomes more prevalent, with additional easy-to-spin-up solutions and elastic capability, agility and complexity make security more difficult. To secure the cloud and combat this complexity, you must layer multiple protections and fail-safes, continually monitor for anomalous behavior and patterns that indicate attack techniques, and have robust visibility and policies for identity and access management activities.
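One concrete form the configuration oversights David describes take is an identity policy that was widened to get the migration working and never narrowed again. What follows is an added example, not code from this article or from Trustwave: a small offline check over AWS-style IAM policy JSON that flags the grants a least-privilege review would reject (full wildcard admin, a service-wide wildcard on every resource, privilege-escalation actions such as iam:PassRole on Resource "*" with no Condition, and an unconditioned public Principal on a resource policy), run against a constructed over-permissive policy, its scoped rewrite, and a constructed public bucket policy. The account ID, bucket and role names, sample policies, and the list of escalation actions are all assumptions made for illustration.

```python
"""Static check for over-broad cloud IAM policy documents (added example).

Parses the AWS IAM JSON policy grammar (Statement / Effect / Action /
Resource / Principal / Condition) and reports grants that a least-privilege
review would reject. Runs offline; no cloud account is needed.
"""
import json
from fnmatch import fnmatchcase

# Actions that let a compromised identity widen its own access when granted on
# Resource "*". Assumption: a short illustrative list, not an exhaustive one.
ESCALATION_ACTIONS = {
    "iam:PassRole", "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion",
    "iam:AttachUserPolicy", "iam:AttachRolePolicy", "iam:PutUserPolicy",
    "iam:PutRolePolicy", "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy",
    "sts:AssumeRole",
}

# Constructed sample policies; account ID, bucket and role names are hypothetical.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "QuickStart", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "StorageMigration", "Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
        {"Sid": "Worker", "Effect": "Allow",
         "Action": ["iam:PassRole", "ec2:RunInstances"], "Resource": "*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "StorageMigration", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-migration-bucket",
                      "arn:aws:s3:::example-migration-bucket/*"]},
        {"Sid": "Worker", "Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/migration-worker",
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
        {"Sid": "Launch", "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
    ],
})

PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Share", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-migration-bucket/*"}],
})


def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns glob with '*' and '?' and are case-insensitive."""
    return fnmatchcase(action.lower(), pattern.lower())


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def analyze_policy(policy_json):
    """Return findings as dicts {sid, rule, detail}; an empty list means no over-broad grant."""
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"Statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        any_resource = "*" in resources
        conditioned = bool(stmt.get("Condition"))

        def report(rule, detail):
            findings.append({"sid": sid, "rule": rule, "detail": detail})

        if "NotAction" in stmt:
            report("not_action_allow", "Allow with NotAction grants every action not listed")
        if "*" in actions and any_resource:
            report("full_admin", 'Action "*" on Resource "*" grants everything')
            continue  # the remaining checks are subsumed by this one
        for action in actions:
            if action.endswith(":*") and any_resource:
                report("service_wildcard", f"{action} on every resource")
        escalators = sorted(a for a in ESCALATION_ACTIONS
                            if any(_action_matches(p, a) for p in actions))
        if escalators and any_resource and not conditioned:
            report("privilege_escalation",
                   ", ".join(escalators) + ' on Resource "*" without a Condition')
        if _is_public_principal(stmt.get("Principal")) and not conditioned:
            report("public_principal", 'Principal "*" without a Condition')
    return findings


if __name__ == "__main__":
    for name, policy in [("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY),
                         ("public bucket", PUBLIC_BUCKET_POLICY)]:
        print(f"== {name} policy ==")
        found = analyze_policy(policy) or [{"sid": "-", "rule": "ok", "detail": "no over-broad grants"}]
        for f in found:
            print(f"  [{f['rule']}] {f['sid']}: {f['detail']}")
```

Run as a script to print the findings: the over-broad policy trips three rules, the public bucket policy one, and the scoped rewrite none, because each grant there is narrowed to a named resource or carries a Condition that pins iam:PassRole to a single service. A check of this shape belongs in the pipeline that applies the policy, so the noisy migration window Mark describes does not also become the window in which wildcard grants go unreviewed.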
