Visibility is Likely the Greatest Deficit That a Move to the Cloud Brings to a Security Organization
Talk of the cloud seems to be everywhere these days. I can’t recall the last conference, event, or meeting I attended where the subject didn’t come up. While a discussion of the cloud can involve many different issues and perspectives, I’d like to focus on one in particular. When the topic of the cloud comes up in discussions I’m involved in, it’s generally in the context of a broader security discussion. More specifically, the topic often comes up often during strategic discussions around improving an organization’s security posture.
Opinions regarding the cloud vary widely. In fact, it can even be difficult to get people to agree on a definition of what the concept of the cloud even means.
Over the course of my career, I have seen many topics that struggle to be defined precisely. But, I have also seen that true progress most often results from an application of the general concept to one or more specific business use cases. The cloud is no exception. Rather than get hung up on definitions, I would like to focus on one specific use case that most organizations are dealing with quite regularly. It involves the hosting of business processes, technologies, and applications outside of the organization, and the associated diversity of endpoints that comes with it. It is a use case that has several ramifications for the security organization.
With many businesses looking to move to the cloud or actively moving many business processes, technologies, and applications to the cloud to save money and gain efficiencies, where does that leave that business’ security organization? Or, to put it another way, if the business is shouting “To the cloud!”, what ramifications does that have for the security organization? In the past, we as a community have often learned quite painfully that we can either work with and support more secure business operations, or we can be discarded as a casualty of progress. So, as security professionals, the question we ought to be asking ourselves is “Now what?”.
Now, if you think what I’m saying is “give the business carte blanche to do whatever it wants in the cloud”, then you have misunderstood me. Rather, what I’m saying is this: Although there are exceptions, most businesses are going to or have already begun moving various business processes, technologies, and applications to the cloud. Along with that move comes a wide variety of endpoints that users leverage to access those services. For example, it’s not uncommon for an employee who is traveling to complete many or all of his or her work tasks from a smartphone or tablet without ever once connecting to the VPN. I do this quite regularly in fact.
Given the simple reality of the world we live in, I would suggest that we partner with and work together with the business to ensure that this new way of doing business is done in the most secure way possible. Most of the discussions I am privy to involve concerns around maintaining continuity for security operations and incident response as various parts of the business move to the cloud. So, given that context, what can organizations do to ensure that they retain the capabilities necessary to perform security operations and incident response on aspects of the business that have already moved to the cloud?
When business functions move to the cloud, there are two high level capabilities that the security team loses. The first is the ability to collect application logs from the applications that are hosted outside of the organization. The second is the ability to have visibility into the activity on the endpoints used to access the various business functions. Why are these two points important? Let’s imagine a situation where one or more hosted applications contain sensitive, proprietary, or confidential data (such as intellectual property, customer data, or payment card information). Let’s further imagine that this information is breached at some point (not terribly difficult to imagine in today’s environment sadly). This situation presents a number of immediate challenges.
1) Detection of this breach within the organization will be almost impossible. The breach will almost certainly need to be detected by a third party, and may not be detected for quite some time. Why is this the case? With proper logging, it is possible for analysts to study anomalous and suspicious application activity, thereby increasing the chances for timely detection. Even in cases of extremely thorough logging, timely detection can still be a challenge (though a more detailed discussion of these challenges is beyond the scope and length of this piece). Without proper logging, timely detection is nearly impossible.
2) Response to this breach will be extremely difficult. Once it becomes known that a breach of sensitive, proprietary, or confidential data has occurred, responding to that breach becomes of the utmost importance. Unfortunately, in order to assess damage and contain and remediate the breach, the organization needs to fully understand what has occurred. This necessitates analyzing log data detailing who has accessed an application, from where it was accessed, what information was accessed, and many other important details. If proper logging is not in place, it will be nearly impossible to piece together the puzzle showing the picture of what occurred.
3) The wide variety of endpoints used to access hosted business functions (such as smartphones, tablets, and other devices) have access to an incredible amount of information. Unfortunately, whereas most organizations have some level of visibility into laptops, desktops, and servers within the organization’s perimeter, almost no visibility exists into newer types of endpoints. This issue is further compounded by the fact that these newer endpoints almost never traverse the corporate network, spending almost the entirety of their lives outside the perimeter. If one of these endpoints should become compromised, it presents the attacker with an almost entirely unmonitored channel upon which to access an organization’s coveted information and exfiltrate it into the attacker’s control. Detection of malicious activity becomes a large challenge in this type of environment.
As we can see from this discussion, visibility (whether into log data or into newer endpoint devices) is likely the greatest deficit that the move to the cloud brings to a security organization. Businesses have moved, are moving, or will move various functions to the cloud in the near-term. Given this, wouldn’t it make sense for the security organization to work cooperatively with the business to ensure visibility into hosted applications and processes, as well as the endpoint devices used to access them?
If we as a security community have learned anything in recent years, it’s that fighting the business, rather than working collaboratively with it, will quickly put us on the wrong side of history. The move to the cloud is underway. Rather than panic, we simply need to understand the implications for our respective organizations, enumerate the risks that go along with the move to the cloud, and mitigate those risks accordingly.