Here’s how we can take cloud security more seriously, according to Don Shin.
The shift to cloud computing has been sweeping across businesses for some time now, and with good reason. The benefits are undeniable. Organisations adopting cloud gain agility, scale and speed on an unprecedented level.
With these benefits, the adoption of cloud will surely only rise. Earlier this year, Gartner forecasted that the worldwide public cloud services market would grow 18% in 2017, and Forrester said global cloud services revenues totalled £100bn in 2016, up from £50bn just two years ago — that’s annual growth of 30%.
Yet, with companies shifting to cloud on a grand scale, and the constant fear of cyberattacks targeting businesses in all industries, it is paramount that effective security is in place.
So what makes the cloud vulnerable?
First, exposed APIs. Unfortunately, what makes APIs useful also makes them exploitable. They are built with controls to support management, orchestration, automation and integration between solutions and applications. But the catch is they are fully exposed.
Businesses are used to traditional on-premise perimeters with clearer boundaries, but APIs bring another dimension of security challenges for organisations because their high exposure makes them a sought-after target for exploitation.
It’s often noted that attackers will take the path of least resistance, and employees – sometimes even those in IT organisations – will unwittingly help them, often by using lax identity practices.
How can we secure the cloud?
It’s important to have a strong understanding of how applications are performing and of their security posture: this provides insight into levels of access and can flag a possible security issue before it’s too late. These analytics, and the ability to detect security anomalies in the cloud, are valuable.
Integrated, rich, per-app analytics let you quickly understand your application’s performance and security posture so you can take immediate action if there is an anomaly. Per-app analytics and security data coupled with strong identity hygiene will help ensure your cloud and cloud applications are both high-performing and secure.
Another issue that allows for easy exploitation is employees. Unfortunately, there will always be employees who fall prey to phishing attempts, surf exploited websites, use unsecured free Wi-Fi networks in public and download other sketchy material. As a result, the door is opened to potential attackers.
On top of this, common infrastructure weaknesses are seen by attackers as the exploit of choice to land a beachhead within an organisation, such as using a SQL query to find cached credentials or finding an unpatched, publicly exposed server to exploit.
Above all, bad password practices are always enticing to criminals, and there is no shortage of employees who use the ‘trusty’ first initial + last name or password1234 as their password of choice. These identity weaknesses can open the door to full control of the API.
As we’re already aware, there is no 100% watertight way to stop criminals intruding through identity exploitation, but you can certainly put barriers up to slow them down. How, you ask? By implementing good identity hygiene. You can apply this through using multi-factor authentication, or by using passphrases over passwords.
Once upon a time, a password was the only necessary way to authenticate to a network or applications. That worked well for a while. Not anymore. Additional layers of defence are imperative. Threat actors can easily crack passwords, so the use of additional types of authentication, such as biometrics and tokens, ensures tighter security.
However, weak passwords will undoubtedly be cracked. So a passphrase, which has a much longer character length and commonly contains underscores to separate the words in the phrase, is more likely to stop an attacker in their tracks.
Passphrases don’t have to be grammatically correct, and they can also use numbers and symbols to make cracking them that much harder. Other ways of implementing good identity hygiene are to deprecate former employee accounts and to monitor access logs.
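As an added illustration of the passphrase advice above (this is example code, not A10’s or the author’s), the following Python policy check rejects the two weak patterns the article names (first initial + last name and password1234) and insists on length and separated words rather than character-class complexity. The minimum length of 16, the minimum of three words and the list of weak patterns are assumptions chosen for the example, not requirements from any standard.

```python
import re

# Assumed policy thresholds for this example (not from the article or any standard).
MIN_LENGTH = 16   # passphrases get their strength from length
MIN_WORDS = 3     # words separated by underscores, hyphens or spaces

# Well-known weak shapes; "password1234" from the article is covered by the first.
WEAK_PATTERNS = [
    re.compile(r"^password\d*$", re.IGNORECASE),
    re.compile(r"^(qwerty|letmein|welcome)\d*$", re.IGNORECASE),
]


def looks_like_username(candidate, first_name, last_name):
    """True if the candidate is the 'first initial + last name' pattern, with optional digits."""
    stem = (first_name[:1] + last_name).lower()
    return re.fullmatch(re.escape(stem) + r"\d*", candidate.lower()) is not None


def word_count(candidate):
    """Count words separated by underscores, hyphens or whitespace."""
    return len([w for w in re.split(r"[_\-\s]+", candidate) if w])


def check_passphrase(candidate, first_name="", last_name=""):
    """Return a list of policy findings; an empty list means the passphrase is accepted."""
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append(f"too short: {len(candidate)} < {MIN_LENGTH}")
    if word_count(candidate) < MIN_WORDS:
        findings.append(f"fewer than {MIN_WORDS} separated words")
    if any(p.match(candidate) for p in WEAK_PATTERNS):
        findings.append("matches a well-known weak password pattern")
    if first_name and last_name and looks_like_username(candidate, first_name, last_name):
        findings.append("derived from first initial + last name")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs: the two weak choices from the article and one passphrase.
    for value in ("password1234", "dshin", "purple_kettle_orbits_42"):
        print(value, "->", check_passphrase(value, "Don", "Shin") or "accepted")
```

The check deliberately does not score character classes: a value such as `P@ssw0rd1!` would pass most complexity rules yet remains on every cracking wordlist, whereas a long, separated phrase with a digit or symbol added fails none of the findings above.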
Leaving accounts open for former employees or for services no longer in use opens a hole that is easily exploited. A good rule of thumb is to shut down expired employee accounts immediately to dramatically reduce the chance of a disgruntled former employee accessing the network.
It sounds like a no-brainer, but knowing who accesses what and when can avoid catastrophe. Monitor access logs frequently for anomalies and to ensure end-users have the correct levels of access.
The industry is currently making improvements in identity by implementing multi-context analysis strategies that include time of access, country of origin, host computer in use and other behavioural analyses to add weight to identity.
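The two previous points, monitoring access logs for anomalies and weighing identity by context such as time of access, country of origin and host in use, can be combined in one small detector. The Python below is an added example, not code from the article or from A10 Networks: it builds a per-user baseline of countries, hosts and login hours from a history window, then scores each new event against that baseline and against a list of deprovisioned accounts. The log format, the sample lines, the business-hours window (07:00 to 19:59 UTC), the score weights and the alert threshold are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample access log (not real data): timestamp, user, source country, host, outcome.
BASELINE_LOG = """\
2017-05-01T09:12:03Z alice GB laptop-alice success
2017-05-02T10:40:11Z alice GB laptop-alice success
2017-05-03T08:55:47Z alice GB laptop-alice success
2017-05-01T13:02:19Z bob US desktop-bob success
2017-05-02T14:20:05Z bob US desktop-bob success
"""

NEW_EVENTS = """\
2017-05-04T09:30:00Z alice GB laptop-alice success
2017-05-04T03:14:22Z alice RU unknown-host-77 success
2017-05-04T15:01:10Z bob US desktop-bob success
2017-05-04T16:45:00Z carol US desktop-carol success
"""

DEPROVISIONED_USERS = {"carol"}  # constructed: left the company, account should already be disabled
BUSINESS_HOURS = range(7, 20)    # assumed normal window, 07:00-19:59 UTC
ALERT_THRESHOLD = 2              # assumed: a score at or above this raises an alert


def parse_line(line):
    ts, user, country, host, outcome = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user, "country": country, "host": host, "outcome": outcome,
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def build_baseline(events):
    """Per-user sets of countries, hosts and login hours seen in the history window."""
    baseline = defaultdict(lambda: {"countries": set(), "hosts": set(), "hours": set()})
    for e in events:
        b = baseline[e["user"]]
        b["countries"].add(e["country"])
        b["hosts"].add(e["host"])
        b["hours"].add(e["ts"].hour)
    return baseline


def score_event(event, baseline):
    """Weigh each context signal; return (score, list of reasons)."""
    reasons = []
    user = event["user"]
    if user in DEPROVISIONED_USERS:
        reasons.append(("deprovisioned account used", 3))
    b = baseline.get(user)  # .get() does not create a default entry
    if b is None:
        reasons.append(("no baseline for user", 1))
    else:
        if event["country"] not in b["countries"]:
            reasons.append(("new country", 1))
        if event["host"] not in b["hosts"]:
            reasons.append(("new host", 1))
    if event["ts"].hour not in BUSINESS_HOURS:
        reasons.append(("outside business hours", 1))
    return sum(weight for _, weight in reasons), [reason for reason, _ in reasons]


def find_anomalies(baseline_text, new_text):
    """Return alert records for new events whose context score reaches the threshold."""
    baseline = build_baseline(parse_log(baseline_text))
    alerts = []
    for e in parse_log(new_text):
        score, reasons = score_event(e, baseline)
        if score >= ALERT_THRESHOLD:
            alerts.append({"user": e["user"], "ts": e["ts"].isoformat(),
                           "score": score, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(BASELINE_LOG, NEW_EVENTS):
        print(alert)
```

On the constructed data the routine login from alice scores zero, while her 03:14 login from a new country on an unknown host and the login to carol’s deprovisioned account both raise alerts. Weighting the deprovisioned-account signal highest reflects the article’s rule of thumb that such accounts should be shut down immediately: any successful use of one is a finding on its own, regardless of other context.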
For example, in his keynote at the AFCEA Defence Cyber Operations Symposium (DCOS), Lt. Gen. Alan Lynn, director of the Defence Information Systems Agency (DISA) and commander of the Joint Force Headquarters–Department of Defence Information Network (JFHQ-DODIN), outlined how assured identity will be critical to cloud and network security and access.
Lynn said assured identity goes beyond traditional common access cards for authentication and access and leverages biometric authentication such as facial and voice recognition, fingerprint, eye scanning and gait; and behavioural authentication, including travel patterns, location by time, device handling, speech patterns and keystroke cadence.
“When you start getting all of that data…your identity score goes up and it will determine how much access you have to different portions of the network,” Lynn said.
“So the future I see will be not only a network that’s mobile that you’re bringing devices into your building, but it will determine what’s your level of access based on the amount of identity that’s been provided to your device. That’s a future we’re currently working on.”
About the author
Don Shin is senior product marketing manager of A10 Networks.