As we all know, cloud is blowing up.
Every customer we talk to is in the cloud, going to the cloud or leveraging the cloud for some aspect of their business. Setting aside for now any notion of what kind of cloud we’re talking about—whether private, multi-cloud or hybrid cloud—it’s clear that Forrester’s projection for public cloud revenue to reach $411 billion in three years is conservative, if anything.
This blow-up of the cloud—and all the complexity it entails with a mashup of IaaS, PaaS, microservices and orchestration technologies—is a good thing. According to Dr. Sunnie Giles’ recent book, The New Science of Radical Innovation, “Leaders should not be afraid of complexity, but rather increase complexity to use it to their advantage.”
She recommends operating at ‘”the edge of chaos.”
But this very same notion can terrify information security teams.
"Where are the threats? What risks are we accelerating? How can I see through this complexity?"
The Cloud Security Alliance (CSA) has been following this conflict for years. The CSA is a not-for-profit organization with a mission to “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.”
As part of this effort, they’ve developed the Cloud Controls Matrix (CCM), a framework of cloud-specific security controls mapped to leading standards. The goal of the CCM is to help InfoSec professionals establish and monitor controls in this often chaotic, cloud-happy world.
Recent survey highlights 11 egregious errors
The CSA recently interviewed 241 industry experts and issued a report specifically focused on the need to understand cloud threats and—more importantly—not leave the remediation of these threats to cloud providers. The result was a new August 6 report that “rated 11 salient threats, risks and vulnerabilities in their cloud environments.”
11 salient threats, risks and vulnerabilities in the cloud
As this blog post is focused on machine identities and their effective management, I won’t go into all 11 threats, though I do encourage the full read. As far as machine identity management is concerned, however, three of these risks are worth calling out.
#2.Misconfiguration and inadequate change control:
”Companies should embrace automation and employ technologies that scan continuously for misconfigured resources and remediate problems in real time."
In the cloud world as well as in our traditional on-prem world, configuration mishaps are a leading cause of errors and outages. As the report states, “Misconfiguration of cloud resources is a leading cause of data breaches and could allow deletion or modification of resources and service interruption.” (Italics added.)
Misconfiguration of cloud resources is a leading cause of data breaches
As a case in point, a misconfigured AWS S3 cloud storage service exposed private information of 123 million American households in 2017.
But rather than just calling out the error, the “Egregious Eleven” report lists CCM controls that can shore up these instances: specific controls requirements for change control, configuration management, and encryption and key management are listed, with references.
#4. Insufficient identity, credential, access and key management:
“Limit the use of root accounts. Practice the strictest identity and access controls for cloud users and identities."
Limit the use of root accounts
It seems obvious that this would be an area of concern, but the CSA report makes a clear point of calling out the management of machine identities as part of the solution here: “a lack of regular automated rotation of cryptographic keys, passwords and certificates is cited, as well as important tips:
Again, this seems obvious, but the report does the legwork of listing a number of applicable CCM controls to help build a policy:
- EKM-01: Entitlement
- EKM-02: Key Generation
- EKM-03: Sensitive Data Protection
- EKM-04: Storage and Access
#10. Limited cloud usage visibility:
“Mandate companywide training on accepted cloud usage policies … All non-approved cloud services must be reviewed and approved by the cloud security architect or third-party risk management."
"the CCA report does a great job of detailing what shouldbe made visible"
Obviously, you can’t protect what you can’t see. But the CCA report does a great job of detailing what should be made visible, including both “Un-sanctioned app use,” where non-approved apps, services and even CAs are used to support cloud environments, and “Sanctioned app misuse.” In the latter case, the report details responses to both internal actors and external threat actors, who target services using methods like credential theft, SQL injection and DNS attacks.
A policy for hope
I hope that the three callouts I have featured will pique your interest enough to read the entire report. Obviously, I feel that it is worth the time to download and read. But it might cause InfoSec leaders to wonder if they can really operate in that “edge of complexity” that Dr. Giles describes in her book.
But all hope is not lost. Fortunately, the book also points out a way to do this: develop a loose but well-monitored set of rules. In Venafi vernacular, we would advise you to develop a policy that will help you ensure best practices. You may want to start with NIST 1800-16 (see our latest blog post here) or even CSA’s well-thought-out Cloud Control Matrix, and use these as blueprints for a world where there’s just enough control to keep us safe, but where we haven’t stifled innovation.
How secure are the machine identities that your organization uses to secure machine-to-machine connections and communications in the cloud?
- Another Key Unlocks Crime in the Cloud: OneLogin Breach Traced Back to Attacker’s Theft of a Highly Sensitive Key
- Dynamism in the Cloud Complicates the Task of Securing Machine Communication
- Federal Contractor Leaves SSH Keys Unprotected on a Public Cloud Storage Server
- Half of Survey Respondents Say Lack of Security Skills Slowing Down Cloud Adoption Plans