Insider threats and cloud deployment

By Taylor Armerding, Senior Info-Security Expert at Synopsys Software Integrity Group

Insiders can easily be more of a cyber threat to organisations than outside attackers, for the obvious reason — they’re already inside. Whether malicious or simply clueless or careless, they can pose a bigger risk since they don’t have to breach external security barriers and simply being present won’t raise any red flags — they’re supposed to be there.

But apparently those threats aren’t as obvious as they should be for some organisations — especially when it comes to the cloud.

In the recent Threatbusters: Bitglass’ 2019 Insider Threat Report, the cloud access security broker (CASB) company found that 68% of 437 IT professionals surveyed considered their organisations to be moderately to extremely vulnerable to insider threats. Survey respondents came from Cybersecurity Insiders, a community of 400,000 information security professionals.

Rising risk of insider threats in cloud

Perhaps not surprisingly then, given that level of vulnerability, 73% of respondents said insider threats are becoming more common. That’s a significant jump — up from 56% in the company’s 2017 report by the same name.

Another factor that heightens the insider threat is that survey respondents reported “only 50% of organisations provide user trainings about insider threats, and a mere 31% implement secondary authentication to defend against them.”

Yet another factor is that migrating some or all of their applications, storage and workloads to the cloud is already a reality, or a near-term goal, for the large majority of organisations.

There are good reasons for that. The cloud is now a mature, reliable technology that involves the mega-players — Amazon, Cisco, Microsoft and others. It saves money — storage is easier and less expensive, it is scalable without breaking the budget, it lets organisations do more with less downtime, cost and loss, and it reduces infrastructure overhead.

And besides the economic incentives, it is highly available and gives remote employees access and the ability to work online.

Why the cloud is vulnerable to insider threats

But all that comes with risk. A cloud environment interfaces with just about every application and corresponding infrastructure stack in existence.

The list of possible vulnerabilities that are common to both on-premises and cloud environments is well known but worth repeating. It includes weak identity, credential, and access management; insecure APIs; insufficient due diligence; lack of encryption; and yes, malicious/clueless insiders.

All of which should be yet another of the proverbial wake-up calls for organisations to improve their security initiatives for both the cloud and insider threats.

According to the survey, 41% of respondents said cloud migration makes insider attacks harder to detect and defend against if organisations don’t have tools for monitoring “abnormal user behaviour across their cloud footprints.”

That behaviour doesn’t have to be malicious either. Kinnaird McQuade, Senior Consultant at Synopsys, said while malicious insiders are a legitimate concern, it is far more likely that employees will unintentionally “do something bad or stupid, which is more likely to open up avenues for other attacks.”

How to mitigate insider threat risks in the cloud

But there are ways to mitigate those risks. When it comes to insider threats, organisations should follow the advice experts have been issuing for decades — limit employees’ access and permissions to what they need to do their jobs — the principle of “least privilege.” It’s called identity and access management (IAM), and it’s a security fundamental.

“Organisations should prevent users from having permissions to open up new attack surfaces and time-box access to sandbox environments,” McQuade said.

“For instance, opening up a network address translation (NAT) gateway from a hybrid networking environment in AWS isn’t necessarily bad — in fact, it’s necessary in some cases — but it introduces the possibility of a server using that NAT gateway to pull packages or content from any remote resource. Users shouldn’t be the sole bearers of responsibility — the organisation should build in preventive measures.”

Among those preventative measures are:

Make sure the cloud platform is correctly configured

“Enhancing automation of configuration management and infrastructure provisioning activities significantly reduces vulnerabilities linked to misconfiguration, mismanagement, missing patches and mistakes,” he said.

Put “guardrails” in place

Secure-by-default landing zones can help prevent new attack surfaces from opening in new environments like development, staging and production, McQuade said, “by preventing potentially dangerous calls to the cloud provider’s APIs.”

“Landing zones provide enough guardrails at creation time to support innovation but ensure enforcement of organisation security requirements such as network architecture and log aggregation.”

Supplement the guardrails with monitoring

“Have an internal team provide a top-level view of all cloud-related risks, determine visibility and prevention requirements, and turn those requirements into programmatic policies to manage IAM,” McQuade said.

Visibility requires proper monitoring and alerting, while prevention requirements include “programmatic definition of policies per environment, such as service control policies in AWS, and other controls that prohibit potentially dangerous actions,” he said.
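The preventive side described above (McQuade’s NAT gateway example, and the service control policies that “prohibit potentially dangerous actions”) can be made concrete with a small AWS-style SCP. The block below is an added example, not code from the article or from Synopsys: it generates a Deny policy for a short watchlist of network-exposure actions, exempting one approved platform role, and includes a deliberately simplified evaluator for the explicit-deny semantics (action wildcards plus the `ArnNotLike` condition on `aws:PrincipalArn`). The account id, role ARN and the choice of guarded actions are assumptions; the evaluator is a model for illustration, not the AWS policy engine.

```python
"""Generate and check an AWS-style service control policy (SCP).

Added example; not from the article or Synopsys. The policy denies a
watchlist of API actions that widen network exposure (the NAT gateway
case from the text among them) for every principal except an approved
platform role, and denies tampering with CloudTrail for everyone.
`is_denied` is a simplified model of SCP explicit-deny evaluation.
"""
import fnmatch
import json

# Constructed placeholder values; replace with your own in practice.
ACCOUNT_ID = "111111111111"
APPROVED_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/PlatformNetworking"

# Actions that open new paths in or out of a VPC; only the platform role may call them.
GUARDED_ACTIONS = [
    "ec2:CreateNatGateway",
    "ec2:CreateInternetGateway",
    "ec2:AttachInternetGateway",
    "ec2:CreateVpcPeeringConnection",
]


def build_scp(actions, approved_role_arn):
    """Return the SCP document as a dict (json.dumps it to deploy)."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyNetworkExposureExceptPlatformRole",
                "Effect": "Deny",
                "Action": list(actions),
                "Resource": "*",
                # aws:PrincipalArn resolves to the role ARN for a role session.
                "Condition": {"ArnNotLike": {"aws:PrincipalArn": approved_role_arn}},
            },
            {
                "Sid": "DenyDisablingCloudTrail",
                "Effect": "Deny",
                "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
                "Resource": "*",
            },
        ],
    }


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _condition_holds(condition, context):
    # Only ArnNotLike is modelled: true when the context value matches no pattern.
    if not condition:
        return True
    for operator, keyvals in condition.items():
        if operator != "ArnNotLike":
            raise NotImplementedError(f"operator not modelled: {operator}")
        for key, patterns in keyvals.items():
            patterns = [patterns] if isinstance(patterns, str) else patterns
            value = context.get(key, "")
            if any(fnmatch.fnmatchcase(value, p) for p in patterns):
                return False
    return True


def is_denied(policy, action, principal_arn):
    """True if any Deny statement matches the action and its condition holds."""
    context = {"aws:PrincipalArn": principal_arn}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"]
        actions = [actions] if isinstance(actions, str) else actions
        if any(_action_matches(p, action) for p in actions) and _condition_holds(
            stmt.get("Condition"), context
        ):
            return True
    return False


SCP = build_scp(GUARDED_ACTIONS, APPROVED_ROLE_ARN)

if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    developer = f"arn:aws:iam::{ACCOUNT_ID}:role/Developer"
    print(is_denied(SCP, "ec2:CreateNatGateway", developer))          # True
    print(is_denied(SCP, "ec2:CreateNatGateway", APPROVED_ROLE_ARN))  # False
```

Attach a policy like this at the organisational unit that holds development and sandbox accounts; the platform role then remains the single, auditable path for opening a NAT or internet gateway, which is the “organisation builds in preventive measures” point rather than leaving it to each user.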

Don’t forget detection

Even rigorous IAM — limiting access and enforcing encryption on all portable devices as well as data in transit — won’t entirely eliminate risk. So be prepared to find and mitigate breaches.

Matan Scharf, Product Marketing Manager at Synopsys, said early detection strategies should include controls such as data leak prevention, threat intelligence from third-party vendors that monitor the dark web (Pastebin etc.), and incident response capabilities coupled with business continuity and disaster recovery plans.
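The detection side, both the “abnormal user behaviour across their cloud footprints” monitoring the survey respondents asked for and the early-detection controls Scharf lists, can be sketched as rules over CloudTrail-style records. The block below is an added example, not code from the article or from Synopsys: the events and the per-principal baselines are constructed, and the rule set (a watchlist of risky API calls, world-open security group ingress, and activity outside a principal’s usual regions and services) is an assumption about what a first detection pass would cover.

```python
"""Flag risky and out-of-baseline API activity in CloudTrail-style records.

Added example, not from the article. Events are constructed in the
CloudTrail record shape (eventName, eventSource, awsRegion, userIdentity.arn,
requestParameters); the per-principal baselines are likewise invented.
"""

# API calls worth an alert on their own: network exposure and logging tampering.
WATCHLIST = {
    "CreateNatGateway", "CreateInternetGateway", "AttachInternetGateway",
    "StopLogging", "DeleteTrail", "PutBucketPolicy",
}

DEV = "arn:aws:iam::111111111111:role/Developer"
NET = "arn:aws:iam::111111111111:role/PlatformNetworking"

# Constructed history: regions and services each principal normally uses.
BASELINE = {
    DEV: {"regions": {"eu-west-1"}, "services": {"ec2.amazonaws.com", "s3.amazonaws.com"}},
    NET: {"regions": {"eu-west-1", "us-east-1"}, "services": {"ec2.amazonaws.com"}},
}


def _world_open_ingress(event):
    """True for AuthorizeSecurityGroupIngress that admits 0.0.0.0/0 (IPv4 only)."""
    if event.get("eventName") != "AuthorizeSecurityGroupIngress":
        return False
    params = event.get("requestParameters") or {}
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return True
    return False


def analyse(events, baseline=BASELINE, watchlist=WATCHLIST):
    """Return (eventID, rule, principal) alerts; a single event can raise several."""
    alerts = []
    for ev in events:
        principal = ev.get("userIdentity", {}).get("arn", "unknown")
        if ev.get("eventName") in watchlist:
            alerts.append((ev["eventID"], "watchlist-action", principal))
        if _world_open_ingress(ev):
            alerts.append((ev["eventID"], "world-open-ingress", principal))
        known = baseline.get(principal)
        if known is None:
            # A principal with no history is itself worth a look.
            alerts.append((ev["eventID"], "unknown-principal", principal))
            continue
        if ev.get("awsRegion") not in known["regions"]:
            alerts.append((ev["eventID"], "new-region", principal))
        if ev.get("eventSource") not in known["services"]:
            alerts.append((ev["eventID"], "new-service", principal))
    return alerts


def _ev(eid, name, source, region, arn, params=None):
    return {"eventID": eid, "eventName": name, "eventSource": source,
            "awsRegion": region, "userIdentity": {"arn": arn},
            "requestParameters": params}


# Constructed sample events: one benign call, then four that should alert.
SAMPLE_EVENTS = [
    _ev("e1", "DescribeInstances", "ec2.amazonaws.com", "eu-west-1", DEV),
    _ev("e2", "CreateNatGateway", "ec2.amazonaws.com", "eu-west-1", DEV),
    _ev("e3", "AuthorizeSecurityGroupIngress", "ec2.amazonaws.com", "eu-west-1", DEV,
        {"ipPermissions": {"items": [{"fromPort": 22, "toPort": 22,
                                      "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}),
    _ev("e4", "ListTables", "dynamodb.amazonaws.com", "ap-southeast-1", DEV),
    _ev("e5", "StopLogging", "cloudtrail.amazonaws.com", "us-east-1", NET),
]

if __name__ == "__main__":
    for event_id, rule, principal in analyse(SAMPLE_EVENTS):
        print(f"{event_id}: {rule} by {principal}")
```

In production the baseline would be learned from a trailing window of CloudTrail rather than hand-written, and the watchlist kept in step with whatever the SCPs deny, so that a blocked-but-attempted call and a successful one in an unguarded account surface in the same queue.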

This is not a simple process, McQuade said, noting that it is “difficult to put all those controls in place before you give users or operations to a cloud environment. There will always be cleanup activities after embracing cloud as an organisation reforms its approach.”

But it is well worth the time, effort and money, to avoid turning your cloud deployment into a nightmare. “If you expand your cloud capabilities without a security story, things will spin out of control very quickly,” McQuade said.

Tim Mackey, Principal Security Strategist, Synopsys Software Integrity Group and Boris Cipot, Senior Sales Engineer, Synopsys Software Integrity Group have separately provided some tips on securing hybrid clouds:

What are some of the key challenges faced by companies and CIOs when securing a hybrid cloud deployment?
Mackey: Hybrid clouds by definition will have differing levels of security configuration within their underlying infrastructures. Minimising the impact of misconfiguration and data consistency are key items to consider when adopting any hybrid cloud initiative.

Of note, best practices for application security and cloud configuration will vary between public cloud providers and any private cloud implementation. Prior to migrating any application to a hybrid cloud, a full review of the application’s security expectations and threat model should be performed to ensure any implementation gaps in the hybrid strategy are properly accounted for.

What are the current pressure points CIOs are feeling around the security aspects of their hybrid clouds?
Cipot: In my conversations with CIOs, a trend that I’m coming across is that the role of a CIO seems to be changing from that of a service provider into a role supporting the entirety of the organisation’s agile, fast-moving DevOps environment. Security is being perceived less frequently as a hurdle now that security has been proven, through DevSecOps practices, not to negatively impact development velocity.

Information is key — knowing what applications and software components are in use within your organisation is becoming a pressure point receiving a lot of attention. After all, you can’t secure what you don’t know you have. Third-party security is also becoming a well-understood concern in terms of cloud security. Understand what your vendors are offering, how they’re deploying the offering, and how they’re securing it. Security isn’t a one-time audit; rather, it’s a continuous process. CIOs must keep a watchful eye internally and stay in close communication with third parties to maintain continuous innovation and security growth both within the cloud and throughout the organisation.

How are CIOs developing secure hybrid cloud environments for their DevOps?

Mackey: Hybrid cloud deployments are effectively a “day two” problem for organisations engaged in digital transformation towards a cloud strategy. Unless an organisation has defined and implemented strong security measures as part of their existing private cloud or multiple zone/region public cloud, then the complexity of a hybrid solution will introduce unneeded security risks.

For example, a hybrid strategy typically forms part of a disaster recovery plan, a desire to increase business agility, or a need to better serve a geography. In the case of increased business agility, a hybrid strategy might simply mean the use of public cloud infrastructure for testing or staging efforts, but even in this narrow case the security of test data should be part of the overall development paradigm.

Effectively, while DevOps principles are ideal when developing a cloud-native application, numerous examples exist of data leaks or breaches within highly agile application development teams – a case which can be prevented through strong security reviews.

How has the security perimeter shifted as businesses expand their use of the hybrid cloud?

Mackey: When adopting any public cloud strategy, a transfer of risk from the organisation to the cloud provider occurs. For example, the risk of unpatched physical infrastructure is assumed to be addressed as part of the fees paid to the cloud provider. This transference of risk reverses when consumers of a public cloud fail to adequately secure their virtual instances and associated services.

In a hybrid cloud environment, the transference of risk becomes even more challenging as differences in provider APIs could easily introduce misconfigurations which are hard to identify. It is precisely the combination of cloud perimeters, ownership of risk, and configuration which defines the overall security perimeter for an organisation.

Given the goal of reduction of business risk is a key function within CIO/CFO/CISO roles, understanding the impact of privacy, data retention, data sovereignty, and security policies becomes a key component when identifying the overall security perimeter. In the end, the definition of a security perimeter moves from that of a network edge into the business rules governing the configuration of the hybrid cloud.

*A CISO is a chief information security officer. 

'Day two' refers to a project which is of lower priority or which was not considered when the infrastructure was planned.
