CLOUD SECURITY - IMPORTANCE OF CLEAR VISIBILITY THROUGH THE CLOUD
Cloud security means different things to different people: security for the cloud, security in the cloud. We are told not to get locked into one Cloud Service Provider (CSP), but if you use many CSPs, how do you manage security consistently across them?
An important reminder: CSPs are responsible for the security OF the cloud, but the CSP's customer (i.e. you) is responsible for the security IN your cloud. The CSPs offer security tools, but it is your responsibility to make them integrate and work together.
These tools are at various stages of maturity and often do not work together seamlessly to give you a context-based risk picture of your cloud.
Tam wrote a great article previously (cloud securing strategies) and I thought I would expand on it a little, starting with visibility. It is a huge topic, as it touches on all pillars of cloud security (platform, identity, data and workload security), so let me attempt to start the journey by asking some pertinent questions.
What affects visibility? Is it how much attention cloud security has garnered in the board room, allowing more budget? Is it enough damage done by threat actors that we sit up and feel something needs to be done? Or is it enough coverage of a new buzzword at recent conferences or by the various cloud security related organisations?
How far can we see, and is the data within that vision sufficient for us to act responsibly?
There are many important aspects you need to think of:
- You need to see all the things in the cloud and their configurations
  - What maturity level they are at
- You need visibility deeper into not only what your identities are but:
  - What their entitlements are (effective permissions)
  - What data / sensitive resources they can access (risk)
  - What they are doing with that access (actions / incident)
- You need visibility into data:
  - Where all of your data is
  - What your data is
  - Who / what has access to your data
  - What they are doing with that access (actions / incident)
- Vulnerabilities
  - What your traditional tools are missing
  - Why they are missing it
Is context important when providing visibility?
Let's look at something simple: vulnerabilities on workloads. How often are these workloads used, and do they stay around long enough (or are they ephemeral) to be visible to your scanning tool?
Once you have the list of vulnerabilities (it can be a very long list), does it make sense to do further impact analysis on whether there are other amplifiers? For example: who can access this workload (identities, including non-person identities)? Is access public or private (platform risk), even where it crosses multiple CSPs? Have the permissions been used recently (and if not, are they needed)? Are there roles which can hop through by assuming other roles (privilege escalation)?
Is there attached storage with sensitive data (data classification)? Is it encrypted (integration with vaults)? Finally, during this process, is any residual data left with your vendor, increasing your supply chain risk?
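As an added example (not code from the article or from any vendor product), the following Python scores each workload vulnerability by the amplifiers listed above: public exposure, identities that can reach the workload directly or by hopping through assumable roles, attached sensitive or unencrypted storage, stale permissions and ephemeral lifetime. The inventory, finding ids and multipliers are all constructed assumptions.

```python
"""Context-enriched vulnerability triage over a constructed inventory."""
from collections import deque

# Constructed sample data, not real. ASSUMABLE_BY maps role -> principals allowed to assume it.
ASSUMABLE_BY = {"ci-role": ["dev-user"], "deploy-role": ["ci-role"]}
WORKLOAD_ACCESS = {"web-01": ["deploy-role"], "batch-02": ["svc-account"]}
WORKLOADS = {
    "web-01": {"public": True, "ephemeral": False, "storage": "bucket-pii", "perm_used_days_ago": 3},
    "batch-02": {"public": False, "ephemeral": True, "storage": None, "perm_used_days_ago": 200},
}
STORAGE = {"bucket-pii": {"classification": "sensitive", "encrypted": False}}
FINDINGS = [("web-01", "CVE-PLACEHOLDER-A", 7.5), ("batch-02", "CVE-PLACEHOLDER-B", 9.8)]  # placeholder ids

def reachable_principals(workload):
    """Direct principals plus anyone who can assume their way to them (breadth-first search)."""
    seen = set(WORKLOAD_ACCESS.get(workload, []))
    queue = deque(seen)
    while queue:
        for src in ASSUMABLE_BY.get(queue.popleft(), []):
            if src not in seen:
                seen.add(src)
                queue.append(src)
    return seen

def contextual_risk(workload, base_score):
    """Amplify a scanner score with the article's context; multipliers are illustrative only."""
    w = WORKLOADS[workload]
    store = STORAGE.get(w["storage"], {})
    hops = reachable_principals(workload) - set(WORKLOAD_ACCESS.get(workload, []))
    sensitive = store.get("classification") == "sensitive"
    amplifiers = [  # (applies?, multiplier, reason); 1.0 means "flag for review, no score change"
        (w["public"], 1.5, "public access"),
        (bool(hops), 1.3, f"role-hop from {sorted(hops)}"),
        (sensitive, 1.5, "sensitive data attached"),
        (sensitive and not store["encrypted"], 1.2, "unencrypted"),
        (w["perm_used_days_ago"] > 90, 1.0, "permissions unused >90 days: review need"),
        (w["ephemeral"], 1.0, "ephemeral: scan coverage uncertain"),
    ]
    score, reasons = base_score, []
    for applies, factor, reason in amplifiers:
        if applies:
            score *= factor
            reasons.append(reason)
    return round(score, 1), reasons

def triage(findings):
    """Rank findings by contextual score; a lower-CVSS finding can outrank a higher one."""
    ranked = [(fid, wl, *contextual_risk(wl, sev)) for wl, fid, sev in findings]
    return sorted(ranked, key=lambda r: r[2], reverse=True)
```

Run `triage(FINDINGS)`: the 7.5 finding on the public, role-hop-reachable workload with unencrypted sensitive storage ranks above the 9.8 finding on the private batch job, which is the reordering that context is meant to produce.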
Gaining visibility into each of these areas is extremely important, as only then can we help to break the kill chain and improve our security step by step.
We are only scratching the surface here, but it is important to scratch with the right vector (direction and force). We cannot solve what we cannot see, so the view must be complete across the path. Data should be presented in a consistent, clear and digestible manner. The environment must be continuously monitored and able to update itself with intelligent, usable context; only then can it deliver a view that we can act on. We must then measure our progress to ensure we are making it more difficult for the threat actors.
Biography
Sukhdev Singh
Sukhdev Singh has an international and multicultural background across 24 years in cyber security. He has worked for a foreign public service, spoken at leading security conferences (RSA, HITB, IDC, CII ID, VNCert, Govware) and was previously the X-Force Spokesman for Asia Pacific. He has an ACLP from IAL Singapore and is an experienced trainer across multiple security technologies and ISMS. His certifications include CISSP, CISM, CDPSE, CCSP and CEA. He currently leads the APJ business for Sonrai Security Inc. He volunteers in various capacities and is a SIG member of AISP.