The cloud is getting darker
We are living in a cloud generation powered by a fundamental shift in the way enterprises, employees and customers use technology. The traditional corporate security perimeter is being transformed by the dominance of hybrid IT infrastructure, growth in personal devices, ubiquitous high-speed Internet and cloud-based computing platforms.
Now more than ever, cloud is playing an increasing role in organisations. This does not come as a surprise given the greater speed, the ability to scale, and improved performance and productivity that cloud apps such as Office 365, Google and Dropbox bring. However, with cloud usage by both enterprises and consumers becoming mainstream, its appeal to attackers has naturally increased. Businesses need to ensure they're guarded against the new forces of cybercrime.
While cloud attacks are still in their infancy, 2016 saw the first widespread outage of cloud services as a result of a denial of service (DoS) campaign, serving as a warning for how susceptible cloud services are to malicious attack. Widespread adoption of cloud applications in corporations, coupled with risky user behaviour that the corporation may not even be aware of, is widening the scope for cloud-based attacks.
Overall, interest in and awareness of the risks of the cloud generation have gone up, but a lot more needs to be done on the policies and procedures surrounding how users in an organisation use cloud services. A lack of policies and procedures increases the risk of cloud app use. By the end of 2016, the average enterprise organisation was using 928 cloud apps, up from 841 earlier in the year. However, most chief information officers (CIOs) think their organisations only use around 30 or 40 cloud apps.
As cloud adoption continues to increase, organisations are becoming more aware of the importance of securing these infrastructures and platforms. Symantec's Cloud Security Survey revealed that cloud security is a top concern that is keeping chief information security officers (CISOs) in Singapore awake at night. Singapore CISOs estimate that, on average, 32 per cent of cloud-based applications used at their company are unsanctioned, or "shadow apps". The vast majority (77 per cent) also believe that their chief executive officer has probably broken internal security protocols at some point - either intentionally or unintentionally.
According to the Symantec Cloud Security Survey, the top cloud security concerns that CISOs in Singapore face are:
- 90 per cent: Ensuring cloud applications meet compliance regulations is one of the most stressful aspects of their job.
- 23 per cent: Governance of corporate-owned mobile devices.
- 21 per cent: Broad sharing of compliance-controlled data in cloud applications.
- 20 per cent: Employee use of unsanctioned cloud applications.
- 19 per cent: Tracking of activities in sanctioned cloud applications.
- 17 per cent: Country and region-specific data residency and control regulations.
The need for data security, compliance and residency is also driving Singapore CISOs to look for encryption and/or tokenisation solutions to support their Software-as-a-Service (SaaS) initiatives. Symantec's survey revealed that while 94 per cent of CISOs in Singapore believe tokenisation of cloud data is the best way to meet data residency and control regulations, only 59 per cent use tokenisation while 78 per cent use encryption and less than half (37 per cent) use both encryption and tokenisation - the fewest among all the countries surveyed.
Despite such measures, security challenges remain. Cybercriminal groups are opportunistic in the way they operate, using flaws in legitimate operating systems, tools, and cloud services to compromise networks. To effectively counter such behaviours, CISOs require unparalleled visibility and control over sensitive content that users upload, store and share via the cloud. Rather than relying on one-off fixes and reactive patches to protect confidential information, successful CISOs are eradicating exploitable vulnerabilities by deploying proactive, end-to-end solutions.
Cybercriminals may see small and medium enterprises (SMEs) as easy targets because they often have weaker cybersecurity defences than larger enterprises. In 2016, one in 145 companies with 250 employees and below received malware. SMEs with limited IT budgets often lack the capacity to meet their security requirements. To save cost and stay efficient, they tend to have less robust IT infrastructure and less manpower dedicated to maintaining cybersecurity controls, such as keeping firmware up to date. In some cases, SMEs even do away with cyber security practices entirely - believing that their small size would not make them attractive targets.
By shifting their infrastructure into the cloud, SMEs could enjoy levels of agility and security for storing their data akin to those of an enterprise environment. Of course, it is equally important that SMEs select the right cloud service provider, one that can provide adequate security provision to ensure that their data is protected from basic vulnerabilities.
DIGITAL WORKSPACE ENVIRONMENT
Enterprise customers are also moving to the cloud with the business objective of sharing information with their business partners, or to allow their employees to be more agile in their work. Rather than spawning an Internet-facing server and building a security stack around it, they subscribe to cloud services with a high level of security, and focus on their business objectives in a digital workspace environment.
Increased use of cloud services by organisations and their employees means that companies' data governance is being eroded and they are susceptible to weaknesses that exist outside of their organisation. This could be very serious. Symantec analysis found that 76 per cent of websites contain vulnerabilities, 9 per cent of which are critical.
The Dyn attack last year is an example of attackers targeting one organisation but affecting services provided by numerous enterprises including Amazon Web Services, SoundCloud, Spotify and GitHub. It underlined the risks businesses take when using cloud services.
The Dyn attack, which occurred in October last year, targeted systems operated by Domain Name System (DNS) provider Dyn. It involved multiple distributed denial-of-service (DDoS) attacks which resulted in Internet services being affected in large areas of Europe and North America.
A number of ransomware attacks against cloud-based services demonstrated the susceptibility of cloud-based data to cybercrime attacks. A recent high-profile case was when tens of thousands of MongoDB open source databases were hijacked and held for ransom. The incident occurred after older MongoDB databases were left open by users in a default configuration setting. While there was no inherent security vulnerability in MongoDB itself, and the company alerted users about this issue, numerous older implementations that had not applied security practices remained online, with more than 27,000 databases reportedly being hijacked. These attacks underlined the need for users to remain vigilant and ensure any open source software they are using is secure.
There was also a report in early 2016 from a California firm that ran its entire operation through a managed cloud solutions firm. After one of its employees opened a spam e-mail, it found that no one in the company could access the more than 4,000 files it had stored in the cloud. The company had fallen victim to ransomware, specifically TeslaCrypt (Ransom.TeslaCrypt). Fortunately, the cloud provider kept daily backups, but it still took a week for the company's files to be restored. This is just one example of the amount of disruption ransomware can cause to businesses.
The rush to bring any and all devices online has meant that security is often an afterthought. This was patently evident in the case of CloudPets, Internet-connected teddy bears. Spiral Toys' CloudPets are soft toys that allow children and their parents to exchange recorded messages over the Internet. However, researcher Troy Hunt found that the company stored customer data in an unprotected MongoDB database that was easy to discover online. This exposed more than 800,000 customer credentials, including e-mails and passwords, and more than two million recorded messages. Mr Hunt said that even though the credentials were secured using the bcrypt hashing function, a large number of the passwords were weak enough to make it possible to decrypt them.
This case illustrates how the combination of IoT and cloud can put customer data at risk. Many IoT devices gather personal data and rely on cloud services to store that data in online databases. If those databases are not adequately secured, then customer privacy and security are being placed at risk.
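Both incidents above come down to a MongoDB instance listening on every interface with authorisation switched off. The following is an added example, not code from the article or from MongoDB: a small audit that reads a mongod.conf and reports those two settings. `parse_simple_yaml` is a hypothetical minimal parser for the `section:` / `  key: value` subset that mongod.conf uses, and it assumes that an unset `bindIp` means all interfaces (the pre-3.6 binary default); both sample configurations are constructed.

```python
def parse_simple_yaml(text):
    """Parse two-level 'section:' / '  key: value' YAML into nested dicts (comments stripped).
    Hypothetical minimal parser: enough for mongod.conf, not a general YAML implementation."""
    config, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if raw[0] not in " \t":
            section = key
            config[section] = value.strip() or {}
        elif isinstance(config.get(section), dict):
            config[section][key] = value.strip()
    return config


def audit_mongod_config(text):
    """Return findings for the exposure pattern described in the article: reachable from
    any interface and no credentials required."""
    cfg = parse_simple_yaml(text)
    net = cfg.get("net") if isinstance(cfg.get("net"), dict) else {}
    security = cfg.get("security") if isinstance(cfg.get("security"), dict) else {}
    findings = []
    # Assumption: an unset bindIp is treated as the pre-3.6 default of all interfaces.
    addrs = [a.strip() for a in net.get("bindIp", "0.0.0.0").split(",")]
    if net.get("bindIpAll", "").lower() == "true" or any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append("net.bindIp exposes mongod on all interfaces")
    if security.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled (no credentials required)")
    return findings


# Constructed sample configurations: the exposed default-style setup and a hardened one.
EXPOSED_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,::1   # loopback only; put a VPN or private network in front for remote clients
security:
  authorization: enabled  # every client must present credentials
"""
```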
Increased use of cloud services also helps facilitate a trend of attackers opting to "live off the land" instead of developing their own attack infrastructure. Two of the most high-profile cases of 2016 - the hacking of the Gmail account of Hillary Clinton's campaign chief John Podesta, and the hacking of the World Anti-Doping Agency - were facilitated through the use of cloud services. Attackers used social engineering to acquire the password for John Podesta's Gmail. They reportedly used cloud services to exfiltrate the stolen data rather than build custom infrastructure for this purpose.
ATTRACTIVE TO ATTACKERS
The cloud is attractive to attackers as, depending on how it is used and configured, it allows them to bypass local security. Data stored in the cloud can be more easily accessible to attackers than data stored on local servers. Targeting cloud services also allows attackers to cause maximum disruption with relatively little effort - as seen with the Dyn DNS DDoS attack. As the usage of cloud services becomes increasingly common, it stands to reason that attacks on such services will also become more commonplace in the future.
Limiting employees to using secure, popular file-sharing apps like Office 365 and Box cannot fully mitigate risks to this data from employee misuse or account compromise by hackers. Enforcing smart cloud data governance practices, such as identifying, categorising and monitoring the use of all cloud data, is critical in preventing data loss.
There are safeguards that can be practised:
- Build a cloud security programme aligned to both the organisation's business and security requirements.
- Re-orient the organisation to take a security-first approach in the cloud and regularly include users in continual process enhancement - leverage in-application coaching where available.
- Extend sensitive data monitoring policies and workflows to cloud-based services by integrating on-prem and cloud-based data loss prevention.
- Integrate a multi-factor authentication solution with the cloud applications and the cloud access security broker (CASB) to leverage device and behaviour profiling to block risky login attempts.
Symantec's cloud security life cycle follows a series of repeatable steps that organisations can follow to drive awareness of the importance of security in the cloud with executive management and cloud users. By refining and repeating this process, organisations can begin to build this awareness. Over time, risky cloud usage will decrease due to better controls and a deeper understanding of how users can safely use cloud apps and services.
- Identify: Identify cloud apps, uncover and classify cloud data, identify risky data, activities and users, and plan the cloud security strategy.
- Detect: Monitor for policy violations, detect anomalous user behaviour that could indicate account compromise, data destruction or data exfiltration, and monitor/detect incidents, malware, and data loss.
- Protect: Block non-secure apps, define cloud policy, set risk thresholds, communicate policy and enforce policy.
- Respond: Quarantine data and user, encrypt and tokenise sensitive content, adjust login requirements when ThreatScore is elevated, block downloading of sensitive content, remediate risky exposures in file shares, and take appropriate action with HR or legal as necessary.
- Recover: Investigate violations and exploits, revise policy, and educate users.
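The Detect step above rests on baselining what users normally do in sanctioned apps and flagging departures from it. As an added example that is not part of the article or of any Symantec product, the code below runs two such rules over constructed cloud-app audit events: a sliding-window count of downloads per user (possible exfiltration or destruction) and logins from different countries within an hour (possible account compromise). The event schema, user names and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# Constructed sample audit events (hypothetical schema, not any vendor's format):
# alice logs in from two countries 15 minutes apart, then pulls 60 files in 5 minutes;
# bob shows ordinary activity.
SAMPLE_EVENTS = (
    [{"ts": "2017-03-01T08:50:00", "user": "alice", "action": "login", "country": "SG"},
     {"ts": "2017-03-01T09:05:00", "user": "alice", "action": "login", "country": "US"},
     {"ts": "2017-03-01T09:00:00", "user": "bob", "action": "login", "country": "SG"}]
    + [{"ts": (datetime(2017, 3, 1, 9, 6) + timedelta(seconds=5 * i)).strftime("%Y-%m-%dT%H:%M:%S"),
        "user": "alice", "action": "download", "country": "US"} for i in range(60)]
    + [{"ts": "2017-03-01T10:%02d:00" % m, "user": "bob", "action": "download", "country": "SG"}
       for m in (1, 7, 30)]
)


def bulk_download_alerts(events, threshold=50, window=timedelta(minutes=10)):
    """Return {user: peak count} for users whose downloads in any sliding window exceed threshold."""
    times = defaultdict(list)
    for e in events:
        if e["action"] == "download":
            times[e["user"]].append(_ts(e["ts"]))
    alerts = {}
    for user, ts in times.items():
        ts.sort()
        start = 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:   # slide the window start forward
                start += 1
            if end - start + 1 > threshold:
                alerts[user] = max(alerts.get(user, 0), end - start + 1)
    return alerts


def impossible_travel_alerts(events, max_gap=timedelta(hours=1)):
    """Return {user: (country_a, country_b)} for consecutive logins from different countries
    closer together than max_gap."""
    logins = defaultdict(list)
    for e in events:
        if e["action"] == "login":
            logins[e["user"]].append((_ts(e["ts"]), e["country"]))
    alerts = {}
    for user, entries in logins.items():
        entries.sort()
        for (t1, c1), (t2, c2) in zip(entries, entries[1:]):
            if c1 != c2 and t2 - t1 <= max_gap:
                alerts[user] = (c1, c2)
    return alerts
```

In practice the threshold and window come from each user's own history rather than fixed constants, and an alert feeds the Respond step (step-up authentication, quarantine) rather than standing alone.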
Failure to ensure appropriate security protection when using cloud services could ultimately result in higher costs and potential loss of business, thus eliminating any of the potential benefits of cloud computing. To ensure success, organisations require a new model of integrated security which provides stronger protection, greater visibility and better control of critical assets, users and data.
Addressing cloud security holistically creates operational efficiencies and allows Singapore CISOs to take full advantage of the cloud. This approach guarantees their critical information is secure and protected, giving them the peace of mind they need to lead their companies in the data-driven era.
Here are questions to consider when defining a cloud security strategy:
- How can I build a cloud Security Advisory Board? Do I need one?
- What are my riskiest cloud apps and services?
- What are the most critical data types in my organisation?
- Who are my riskiest cloud users?
In today's digital age, data is a critical asset. With the need for quick access to information from anywhere at users' convenience, the vectors of access to critical assets have expanded. We now find sensitive data stored in cloud services, such as Dropbox and Office 365, and there has been a convergence of tools used for work as well as personal use. As a result, it is no longer sufficient to adopt a traditional approach of building a strong perimeter around data assets and relying on firewalls or data loss prevention solutions to confine sensitive data and employee activities to company-issued laptops or desktops.
While there is no silver bullet when it comes to cybersecurity, there are best practices that an organisation can adopt to drastically reduce the risk of exposure:
- People: Educate users to look out for malicious activity and to follow best practices in handling sensitive data. Share with them the right way to use cloud applications.
- Processes: Challenge the IT and cybersecurity teams to always be ready for an attack. Have proper processes in place for users to easily and quickly report malicious activity. Adopt a framework approach (such as that of the US National Institute of Standards and Technology) to holistically review the organisation's strategy against threats.
- Technology: Adopt an integrated cybersecurity approach in which technology is part of the business strategy. In today's landscape, it is no longer enough to have a technology that addresses a single cybersecurity problem, because threats have evolved into multi-dimensional ones that can involve many factors such as cloud, devices and apps. It is important to build an integrated platform or strategy in which security technologies share telemetry with each other.
- The author is chief technology officer, Asia, Symantec