Author: Michael Nadeau / Source: CSO Online
The march toward the cloud for data and services has many companies rethinking their approach to cyber security. Do they need a cloud security strategy? What is different about a cloud security strategy? Two recent surveys have shed light on how security strategies are changing, and more important, how they should change.
Placing more IT infrastructure in the cloud is in some ways more secure than having it in house. For instance, with managed services you can be reasonably sure that the underlying platform is running the latest version with the proper patches in place (for virtual machines you operate yourself, patching the guest remains your responsibility). However, the cloud also presents new risks, some of which are the result of misunderstanding how to manage cloud security.
It is important to know how a company’s cloud IT strategy—whether it’s hybrid, private hosted, or public—affects its cyber security strategy and the tactical execution of that strategy.
What is the cloud security risk?
Data from cloud security provider Alert Logic shows the nature and volume of risk for each form of cloud environment as compared to an on-premises data center. For 18 months, the company analyzed 147 petabytes of data from more than 3,800 customers to quantify and categorize security incidents. During that time, it identified more than 2.2 million true positive security incidents. Key findings include:
- Hybrid cloud environments experienced the highest average number of incidents per customer at 977, followed by hosted private cloud (684), on-premises data center (612), and public cloud (405).
- By far, the most common type of incident was a web application attack (75 percent), followed by brute force attack (16 percent), recon (5 percent), and server-side ransomware (2 percent).
- The most common web application attack vectors were SQL injection (47.74 percent), followed by attacks on Joomla (26.11 percent), Apache Struts (10.11 percent), and Magento (6.98 percent).
- WordPress was the most common brute force target at 41 percent, followed by MS SQL at 19 percent.
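The two incident classes that dominate the Alert Logic figures, SQL injection against web applications and login brute force against WordPress, are cheap to spot in ordinary web server access logs, which is one concrete way to act on the data above. The following is an added example, not code from the article or from Alert Logic: a small Python detector run over constructed sample lines in the Apache/Nginx combined log format. The injection patterns, the login endpoints and the five-POSTs-per-minute brute-force threshold are illustrative assumptions, not values from the survey.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the article or Alert Logic's data).
# 203.0.113.7 sends two injection attempts, 198.51.100.23 hammers wp-login.php,
# and 192.0.2.9 is a legitimate user who logs in once and browses.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2018:14:02:11 +0000] "GET /products.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2018:14:02:12 +0000] "GET /products.php?id=1%20UNION%20SELECT%20user%2Cpassword%20FROM%20users-- HTTP/1.1" 500 412 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2018:14:05:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "python-requests/2.18"
198.51.100.23 - - [10/Mar/2018:14:05:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "python-requests/2.18"
198.51.100.23 - - [10/Mar/2018:14:05:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "python-requests/2.18"
198.51.100.23 - - [10/Mar/2018:14:05:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "python-requests/2.18"
198.51.100.23 - - [10/Mar/2018:14:05:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3981 "-" "python-requests/2.18"
198.51.100.23 - - [10/Mar/2018:14:05:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.18"
192.0.2.9 - - [10/Mar/2018:14:06:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2018:14:07:02 +0000] "GET /about.html HTTP/1.1" 200 1120 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Illustrative SQL injection signatures (assumed, not an exhaustive rule set).
# Order matters: the first matching name is reported.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b[\s/*]+(?:all[\s/*]+)?select\b", re.I)),
    ("tautology", re.compile(r"'\s*(?:or|and)\s+'?[\w']+\s*=\s*'?\w", re.I)),
    ("stacked-query", re.compile(r";\s*(?:drop|insert|update|delete|exec)\b", re.I)),
    ("time-based", re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)),
]

# Assumed WordPress login endpoints worth rate-watching for brute force.
LOGIN_ENDPOINTS = {"/wp-login.php", "/xmlrpc.php"}


def decode(target):
    """URL-decode until stable so double-encoded payloads (%2527 -> %27 -> ') are not missed."""
    prev = None
    while target != prev:
        prev, target = target, unquote_plus(target)
    return target


def parse_line(line):
    """Return a dict for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode(m["target"])
    path, _, query = target.partition("?")
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": path,
        "target": target,
        "status": int(m["status"]),
    }


def find_web_app_attacks(events):
    """Flag requests whose decoded target matches an injection signature."""
    hits = []
    for ev in events:
        for name, rx in SQLI_PATTERNS:
            if rx.search(ev["target"]):
                hits.append((ev["ip"], ev["path"], name))
                break
    return hits


def find_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold POSTs to a login endpoint inside any sliding window."""
    posts = defaultdict(list)
    for ev in events:
        if ev["method"] == "POST" and ev["path"] in LOGIN_ENDPOINTS:
            posts[ev["ip"]].append(ev["ts"])
    hits = []
    for ip, times in posts.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:  # a single legitimate login never reaches the threshold
            hits.append((ip, best))
    return hits


def analyze(log_text, threshold=5):
    """Classify a log into the two categories the survey ranks highest."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return {
        "web_app_attack": find_web_app_attacks(events),
        "brute_force": find_brute_force(events, threshold),
    }


if __name__ == "__main__":
    for category, hits in analyze(SAMPLE_LOG).items():
        print(category, hits)
```

The detector reports the source, path and matched signature for each injection attempt and the busiest one-minute POST count per brute-forcing IP; the single login from 192.0.2.9 stays below the threshold and is not reported. Real deployments would add the Joomla, Struts and Magento request shapes named in the data and feed the output to whatever alerting the team already uses.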
Whether it’s a public, private or hybrid cloud environment, web application threats are dominant. What’s different among them is the level of risk you face. “As defenders, at Alert Logic our ability to effectively protect public cloud is higher as well, because we see a better signal-to-noise ratio and chase fewer noisy attacks,” says Misha Govshteyn, co-founder of Alert Logic. “When we see security incidents in public cloud environments, we know we have to pay attention, because they are generally quieter.”
The data shows that some platforms are more vulnerable than others. “This increases your attack surface despite your best efforts,” says Govshteyn. As an example he notes that “despite popular belief,” the LAMP stack has been much more vulnerable than the Microsoft-based application stack. He also sees PHP applications as a hotspot.
“Content management systems, especially WordPress, Joomla and Django, are used as platforms for web applications far more than most people realize and have numerous vulnerabilities,” says Govshteyn. “It’s possible to keep these systems secure, but only if you understand what web frameworks and platforms your development teams tend to use. Most security people barely pay attention to these details, and make decisions based on bad assumptions.”
To minimize the impact from cloud threats, Alert Logic has three primary recommendations:
- Rely on application whitelisting and block access to unknown programs. This includes doing risk vs. value assessments for each app used in the organization.
- Understand your own patching process and prioritize deployment of patches.
- Restrict administrative and access privileges based on current user duties. This will require keeping privileges for both applications and operating systems up to date.
How to secure the cloud
According to a survey by market researcher Vanson Bourne, sponsored by network monitoring solutions provider Gigamon, 73 percent of respondents expect the majority of their application workloads to be in the public or private cloud. Yet 35 percent of those respondents expect to handle network security in "exactly the same manner" as they do for their on-premises operations. The remainder, while reluctant to change, believe they have no choice but to change their security strategy for the cloud.
Granted, not every company is migrating sensitive or critical data to the cloud, so for them there is less reason to change strategy. However, most companies are migrating critical and proprietary company information (56 percent) or marketing assets (53 percent). Forty-seven percent expect to have personally identifiable information in the cloud, which has implications due to new privacy regulations such as the EU’s GDPR.
Companies should focus on three main areas for their cloud security strategy, according to Govshteyn:
- Tools. The security tools you deploy in cloud environments must be native to the cloud and able to protect web applications and cloud workloads. “Security technologies formulated for endpoint protection are focused on a set of attack vectors not commonly seen in the cloud, and are ill equipped to deal with…