Cloud Computing Isn’t Easy
Securing the cloud has always been a problem.
Interestingly, I don’t recall anyone ever asking a CISO in an interview, what they are planning on doing about it, nor do I recall any CISO admitting that it might be their number one challenge and acknowledging the attendant flood of mis-configuration risks.
When the cloud was first introduced as a “cheaper” or “more efficient” solution to storage and processing, many smart folks questioned whether and how that might be true. Using an enterprise architecture built on delivering computing services over the internet clearly represents the introduction of a unique threat surface. Yet, for the most part, the threat has largely been ignored, causing some observers, including me, to wonder whether security practitioners have simply clung to the ride and/or are too embarrassed to raise a hand in protest?
But, what if they are wrong?
As a result, cloud computing has become a ubiquitous part of the IT landscape, and Gartner estimates that 95% of new digital workloads will be deployed on cloud-native platforms by 2025 – in spite of increasing reports that it may not be less expensive than on-premise alternatives and their complexity exposes its users to greater risks across an expanded attack surface.
It is estimated that the average enterprise uses almost 2,000 different cloud services, many of which are completely outside the purview of the CISO or any controlling organization, like IT or the security teams. Its ubiquity, popularity and ease of engagement (got a credit card?) have created the perfect shadow IT nightmare for many.
One of several specific cloud security threats centers on third-party risk.
A classic example occurred in December when a configuration vulnerability in an AWS Cloud instance used by a third party that provides Uber with tracking services was exploited, it exposed the PII of 77,000 employees.
Investigators think the attack stopped there, but a more ambitious crew could have taken the entry point as a passport across numerous interconnected and interdependent organizations and entities connected via that same cloud to additional targets.
That particular attack demonstrates the complexity of detection for the anomalistic activity that lives outside the targeted perimeter.
Thomas Gentsch, an expert in networking and cloud security, teaches a course called “Secure Cloud Infrastructure – Identity First” on our learning platform. The course addresses all of these issues and more, toward a secure journey with least privilege and zero trust riding across your cloud environment.
Managing Director, CyberEd
King, an experienced cybersecurity professional, has served in senior leadership roles in technology development for the past 20 years. He has founded nine startups, including Endymion Systems and seeCommerce. He has held leadership roles in marketing and product development, operating as CEO, CTO and CISO for several startups, including Netswitch Technology Management. He also served as CIO for Memorex and was the co-founder of the Cambridge Systems Group.