Securing the Hybrid Cloud: Data breaches, ransomware, phishing and more

Justin Dolly, Chief Security Officer and Chief Operating Officer at SecureAuth

Justin Dolly is Chief Security Officer and Chief Operating Officer at SecureAuth. Dolly brings 20 years of experience in advanced IT, infrastructure, web, application and product security, risk management, network engineering and design as well as leading IT and customer success initiatives at multiple companies. In his role, Dolly oversees information security, infrastructure, DevOps and information technology.

What are the critical challenges for securing a hybrid cloud deployment?

When a company uses a traditional on-premise deployment of applications or systems, it has the sole responsibility of protecting them. The business owns or leases all of the physical systems, networks, and datacenters, where the application or system is housed. This allows for the exact security controls and measures that they want or can afford. For example, if a business wants all data (in-transit and at-rest) to be encrypted, it controls all aspects of the servers, networks, and applications.

With a hybrid deployment, some of those responsibilities will now be outside of the company’s control. In some cases, such as Software as a Service (SaaS), they will have little or no direct control of many security controls. So, a company could request that the SaaS provider encrypts all traffic in-transit and at rest, but the SaaS provider may not be able to do it. If using infrastructure as a Service (IaaS), like Amazon Web Services (AWS) or Azure, they may have some control over the operating system and application, but they’re still relying on the IaaS vendor to provide the security of the hypervisor on the physical system, networks and physical datacenters.

This loss of control means there needs to be a high level of trust in the cloud services provider, as they will be using tools and practices that the client company has had no choice but to use.  When using applications or services that are outside of the traditional on-premise deployments, access to these systems increases in complexity.

Maintaining individual usernames and passwords for every site can cause security issues, so a single location for users to authenticate to is vital. Integrating external resources into common access control systems is not a new concept. However, the ability to utilize the same system for all logins – from the external third-party vendor system to the legacy internal system or applications that no one can remember how to access makes it not only easier for end-users but, brings more control back to the company. This ensures only authorized parties get access to external resources.

What are the current pressure points CIOs are feeling around the security aspects of their hybrid clouds?

Companies need to ensure they completely understand any end-user license agreements, master services agreements (MSA) or another legal contract that can be maintained with the cloud services vendor. While it’s challenging to ensure that the cloud services company will maintain proper security controls (or will not share, sell, or mine the data), legal contracts must have language that ensures the data is protected to the same level or better than the client company would. There should also be legal (monetary) implications should the vendor not maintain this level of trust or security.

How are CIOs developing secure hybrid cloud environments for their DevOps?

From a high-level point of view, the company must do its due diligence in selecting a cloud services provider to ensure they are reputable and have the appropriate level of security within their cloud environment. Businesses should also question any vendor regarding their security practices, review and redline MSAs and other contracts to ensure the vendor is legally obligated to maintain the security and integrity of the data they receive from customers.

On the technical side, businesses need to review all configuration settings that are available within the cloud product and set those settings to the appropriate level. If there are any questions or concerns, these should be brought up in the evaluation and selection process, before any contracts are agreed to or signed.

For example, if a business is sending personal data from its customers to a cloud services provider (or any third-party for that matter), they should ask questions such as “is the data encrypted when in-transit and at-rest? Can role-based access be set up to ensure only authorized users can access the data they need to access? How is our (the company) data separated from other vendor customers’ data and how would you (the vendor) detect and respond to a suspected attack or compromise of our (the company) data?”

How has GDPR impacted on hybrid cloud security?

GDPR has caused organizations to look more closely at the data they are obtaining, storing and processing. Before GDPR, many organizations had a general idea of what customer-related data they had, but not to a satisfactory degree of specificity. Businesses weren’t asking: “What are we doing with this data and do we need it?” Alternatively, “Should we even be collecting certain pieces of data?” Now, GDPR requires that a company identifies what data they are collecting on individuals, for what reason, and questions if they are protecting that data. There is also a requirement that they must be able to delete that data in a reasonable amount of time when requested.

For a company that is utilizing cloud services in any way, they must ensure those cloud providers understand and protect that data just as rigidly. This must be included in legal contracts to ensure the vendor is legally obligated to maintain specific levels of security controls (and to maintain an Information Security Program). The company must also understand and implement security features within the cloud environment.

How the security perimeter shifted as businesses expand their use of the hybrid cloud?

The line between an “internal” network and an “external” network has been blurred for decades. While a company will always have systems, networks, and applications that can only be accessed when within the offices of the company or via a VPN – there are two new use cases that the company must deal with.

First is the use of cloud services to handle applications that used to be relegated to the internal network. When these applications were internal to the company, access to these resources could be tightly controlled by requiring the user to be within the confines of a company office or requiring access to the internal network via VPN tunnels.

These could be configured to interrogate the connecting system to ensure security controls were implemented on the connecting device. This minimized the potential for an unauthorized outside entity to access the internal network resources. By moving these previously ‘internal’ systems to external vendors, the company has now lost the ability to confine access to a VPN or physical office network. Some cloud vendors do provide mechanisms for customers to limit access to the services, but these controls are impractical and would negatively impact the end user experience.

Secondly, the workforce is becoming increasingly mobile and need seamless access to the applications and resources necessary to complete their tasks. Requiring a user to jump through hoops, like logging in via VPN, (to check the security controls on the connecting system), and then having to log into yet another application once they are on the internal network – the users are not going to be satisfied with that experience and the amount of friction therein. Today’s workforce requires access from anywhere and everywhere.

Are CIOs using more automated security systems to manage their hybrid cloud deployments?

Many companies use the same authentication mechanisms for all systems and applications, whether internal or external. If the company does not have a solid identity platform to span all of its resources and assets, they are leaving the control of who can access these cloud environments up to the third party. This lack of control can be very dangerous.

For example, if an end user is using the same password across multiple accounts and services, and that password is compromised, many sites could be impacted. Also, while it is true that a single sign-on (SSO) solution is vulnerable to that same risk if the company is using an identity platform that they control, they can implement common controls across all accounts — providing a single monitoring point to detect compromises and prevent attacks. Using a robust identity platform can provide a multitude of security controls from multi-factor authentication, to having up-to-the-second adaptive intelligence built into the authentication process.

There are tools and services available that can monitor all traffic to or from a cloud service, a cloud access security broker (or CASB); however, all traffic must pass through that monitoring system, which creates a single point of failure and significantly increases the complexity and latency of user requests. Additionally, as all traffic that contains sensitive information must be encrypted, the CASB solution must decrypt the traffic, inspect it and then re-encrypt the traffic. This decryption of traffic by the company could cause privacy concerns on behalf of the users of the system.

How do you expect security to evolve in a hybrid cloud environment?

Security must evolve in several ways when talking about hybrid or cloud environments – most specifically, all companies must maintain a certain level of security controls based on the sensitivity of the data that they are collecting, storing and processing. And cloud services vendors must establish and maintain trust within the community and the industry as a whole.

Everyone must assume that it is not a matter of “if” a company will get compromised, but “when”. Therefore, every precaution must be taken, and there must be transparency between vendors and customers about the security of the environment, and if that security is ever compromised. Security controls must be implemented to minimize the potential consequences of exposure of data in the event of a breach, and security monitoring must be diligently watched for any signs of compromise or attack.

Cloud services are a fantastic mechanism for companies to potentially save money and reduce the level of expertise that is required within the company. Most of the cloud vendors are very good at what they do. Using a third party can be economically and operationally efficient versus having to find, train, and keep an individual or teams to do the same activities. However, moving services and data to the cloud does take away some control over security controls and protections for the service or data.

Additionally, there is likely not a single company in business today that does not utilize some form of cloud service from payroll to backup services, to human resources. Therefore, companies must not ignore that fact and must stay on top of reviewing security controls, implementing contractual language and ensuring all necessary security controls that can be implemented within the cloud service are understood and implemented.

The first level of security control that a company can implement is to use a common identity platform with robust multi-factor authentication and secondary security and intelligence checks on users before accessing any environment while maintaining a consistent, easy-to-use end user experience.