CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.
With the upsurge of data created in the information age, the International Data Corporation (IDC) has estimated that the volume of data worldwide will grow to 175 zettabytes (or 175 × 10²¹ bytes) by 2025.
It is no wonder that businesses and government institutions alike are scrambling to store data in cost-effective and secure ways. Meanwhile, new developments in cloud computing are promising big data storage capabilities without compromising the security of their contents. In this issue, we will explore the current landscape and challenges of cloud security, as well as tips for enterprises to adopt cloud infrastructure with robust security practices.
WHAT IS CLOUD SECURITY?
Cloud security refers to a set of policies, controls, applications and procedures that oversee the protection of cloud-based infrastructure. This includes the configuration of security measures for data protection, from identity management systems to ensuring physical and personnel security for the associated cloud services. Encryption policies to secure sensitive and important information - such as credit card numbers - also help to ensure customer privacy.
Ideally, cloud security should be carefully customised for each individual cloud infrastructure, tailored specifically to meet the needs of the business. Theoretically, the main benefit that cloud security confers to businesses is security centralisation; as cloud security rules are configured and managed centrally, administration overheads are reduced due to the streamlining of processes and consolidation in the monitoring of network events. Additionally, it removes the need to manually install software updates and patches across multiple different systems, ensuring that each system has the most up-to-date security features to fend off cyber threats.
Read more at Forcepoint
CURRENT LANDSCAPE FOR CLOUD SECURITY
A key question with regard to storage is whether storing data in on-premise (on-prem) servers is safer than storing it in the cloud. Whichever side you might be on, an increasing number of businesses, institutions, and even government agencies have been storing data in the cloud, given recent technological advancements that have made cloud infrastructure a much more cost-effective (and some say, safer) choice than storing data on-prem.
The current cloud landscape is dominated by the ‘Big Three’ cloud service providers:
- Amazon Web Services (AWS): AWS currently holds the data of the US federal government, with a contract worth US$10 billion signed in August 2018. The company has successfully met the prerequisites laid out in the Security Requirements Guide from the Department of Defense (DOD), meeting the US government’s standard and obtaining DOD’s authorisation for secure classified data storage. In addition, AWS has hosted classified data from the Central Intelligence Agency (CIA) since July 2014; it has also developed a US$600 million computing cloud to service all 17 agencies that comprise the US intelligence community. These agencies will be able to tap on a suite of on-demand computing and analytic services from the CIA and National Security Agency, bridging intelligence gaps and sharing critical information.
- Microsoft Azure: Microsoft Azure hosts 95% of the Fortune 500 companies’ data wholly or in part, and invests some US$1 billion per year in security to protect customers’ data. According to Azure’s 4-part blog post series, the platform’s security is derived from a secure network infrastructure that isolates management and customer networks, coupled with privileged access workstations that only allow user access on a ‘needs’ basis. Azure also boasts state-of-the-art hardware and firmware, and has over 200 cybersecurity professionals actively conducting vulnerability testing through red and blue team exercises.
- Google Cloud Platform (GCP): The smallest of the ‘Big Three’, Google Cloud Platform has nevertheless been growing rapidly, winning lucrative deals and adding notable companies such as Spotify, Twitter, Snapchat, HSBC, Coca Cola and Ubisoft to its platform (largely at the expense of AWS). In 2018, archrival Apple also acknowledged that it was using Google’s public cloud for its iCloud storage service. All data is encrypted in transit between Google, its customers, and data centers by default. Google has also consistently kept up with the latest enterprise security standards and certifications such as ISO 27001 (Managing information risks), ISO 27017 (Controlling cloud-based information security) and ISO 27018 (Protecting Personal Data).
Read more at Medium, AWS, Azure and Google.
GROWING CONCERNS FOR CLOUD SECURITY
Concerns over cloud security have grown in tandem with the adoption of cloud computing services. In 2016, the Cloud Security Alliance released a report that provided an overview of the 12 major security issues (dubbed “The Treacherous 12”) faced in cloud computing:
- Data Breaches
- Weak Identity, Credential and Access Management
- Insecure APIs
- System and Application Vulnerabilities
- Account Hijacking
- Malicious Insiders
- Advanced Persistent Threats (APTs)
- Data Loss
- Insufficient Due Diligence
- Abuse and Nefarious Use of Cloud Services
- Denial of Service
- Shared Technology Issues
Other than highlighting these key security issues, the report also suggested that they form a frame for cloud users and providers to develop mitigation measures and controls for managing cloud security risks. These top cloud computing threats should also factor into the research priorities of cybersecurity agencies.
Read more at Cloud Security Alliance.
IDENTIFIED CLOUD SECURITY VULNERABILITIES
There have also been a number of well-documented security vulnerabilities on the Big Three clouds as well as other smaller service providers, implying that cloud security still has some way to go in keeping up with cyber threats:
- It was reported in June 2019 that a hacking group, ‘APT10’, had been running a large-scale and sustained global cyber espionage campaign called ‘Operation Cloud Hopper’ over the past few years. The APT group targeted tech and manufacturing firms through their cloud service providers via spear phishing attacks, to steal sensitive intellectual property and technologies.
- In 2016, an Amazon S3 server owned by Deep Root Analytics, a US-based marketing firm, was found to have exposed the personal details of over 198 million US voters due to a misconfiguration. Anyone with an Internet connection who guessed Deep Root Analytics’ Amazon subdomain “dra-dw” could view these records, and more than a terabyte of private information was exposed without even the most basic security precautions such as a password.
- In September 2017, Accenture, one of the world’s largest consulting firms (which also includes a cybersecurity division), was discovered to have left at least four Amazon S3 cloud storage buckets unsecured and configured for public access, exposing secret API data and decryption keys, authentication credentials, and customer information. According to UpGuard, an Australian cybersecurity agency, this cloud leak had a CSTAR cyber risk score (a score rating that helps businesses measure the risk of data breaches due to misconfigurations and software vulnerabilities) of 790 out of a possible 950, showing that even some of the largest companies in the world are still susceptible to making basic errors in cloud security settings.
Read more at Financial Times and UpGuard.
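To make the S3 misconfigurations described above concrete, the following added example (not from CSA or any of the cited sources) audits a bucket's ACL grants, bucket policy and Public Access Block settings for public exposure. It works offline on constructed sample data shaped like the JSON that AWS returns for these settings; the function name `audit_bucket`, the bucket names and the simplified handling of policy conditions are assumptions of this example.

```python
# Added example: offline audit of S3-style bucket settings for public exposure.
# All bucket data below is constructed sample input, not from any real account.

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_is_wildcard(principal):
    # "Principal": "*" and "Principal": {"AWS": "*"} both mean "anyone".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def audit_bucket(name, acl_grants, policy, public_access_block):
    """Return a list of findings; an empty list means no public exposure found."""
    pab = public_access_block or {}
    findings = []
    # Public ACL grants take effect unless IgnorePublicAcls is enabled.
    if not pab.get("IgnorePublicAcls", False):
        for grant in acl_grants:
            if grant.get("Grantee", {}).get("URI") in PUBLIC_GROUPS:
                findings.append(f"{name}: ACL grants {grant['Permission']} to a public group")
    # Public policy statements take effect unless RestrictPublicBuckets is enabled.
    if policy and not pab.get("RestrictPublicBuckets", False):
        for stmt in _as_list(policy.get("Statement", [])):
            # Simplification (assumption): a statement with any Condition is not counted.
            if (stmt.get("Effect") == "Allow" and not stmt.get("Condition")
                    and _principal_is_wildcard(stmt.get("Principal"))):
                actions = ", ".join(_as_list(stmt.get("Action", [])))
                findings.append(f"{name}: policy allows {actions} to any principal")
    return findings

# Constructed samples: a world-readable ACL and policy, and a full Public Access Block.
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-open-bucket/*"}]}
GUARD = {"BlockPublicAcls": True, "IgnorePublicAcls": True, "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for line in audit_bucket("example-open-bucket", OPEN_ACL, OPEN_POLICY, None):
        print(line)
    print(audit_bucket("example-guarded-bucket", OPEN_ACL, OPEN_POLICY, GUARD))
```

The same ACL and policy produce two findings without a Public Access Block and none with it, which is why enabling that setting at the account level is a common baseline control.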
KEY TAKEAWAY: CLOUD SECURITY IS A SHARED RESPONSIBILITY
Cloud security is a shared responsibility between the cloud provider, business and the user. While cloud providers such as AWS, Azure and Google Cloud offer deep technologies in cloud security, the business owner and end users must also take responsibility for securing their own data. In fact, the latest reports from Cyber Security Alliance have further identified the “Egregious 11” cloud security issues, suggesting that traditional system vulnerabilities as brought forward in the previous “Treacherous 12” have since taken a backseat. Instead, the “Egregious 11” focus largely on concerns regarding the business owner and the user themselves, citing user misconfigurations of the cloud server, insider threats and the lack of enforcement in cloud security policies.
Read more at ZDNet.
SOURCES INCLUDE: Forcepoint, AWS, Azure, Google Cloud Services, Medium, ZDNet, Cloud Security Alliance, Financial Times, UpGuard