By Todd Beebe
If you have been in IT security as long as I have, the move to the cloud probably gives you a certain sense of déjà vu. We have been here before, in this place of uncertainty where we lack visibility into and control over our sensitive data.
Think back to the first wave of the digital revolution in the early to mid-’90s, when our organizations were just connecting to the Internet and every user in the company suddenly had Internet access. At first, we had little or no visibility into what was coming into or going out of our network. We put in basic firewalls to give us granular access control and activity logging, and we then had a secure perimeter that let us see and control that new traffic. Of course, every few years a new set of holes was punched in that perimeter – our first websites, business-to-business email, dial-up, wireless access, etc. In each case we had to deploy new security solutions to re-secure our network perimeter.
Today’s move to the cloud feels so similar to how I felt back then. This time the organization wants cloud-based applications, delivered as a service, and the lines of business are connecting their systems to the cloud without us knowing. All that visibility and control we had established just flew out the window. We know with this newest wave in IT innovation that our teams need to approach it with the same goal as before – visibility and control. This time, however, the perimeter isn’t around our network, it’s around our sensitive data – no matter where it resides.
I’ve found it helps to remember that the main tenets of cybersecurity haven’t changed. It’s all about critical data, the credentials that have privilege to access that data, and the applications and processes that run on the systems – wherever those credentials are used or wherever that sensitive data resides. Treat your sensitive data in the cloud just like you would when storing your valuables at a bank. When in the bank, your valuables are secured in their own safety deposit box, just like encryption at rest. While transported to and from the bank, your valuables ride in an armored vehicle, just like encryption in motion. And when they are being accessed, you need your photo ID and your key, just like multifactor authentication. At each step, access is being recorded by cameras and sign-in sheets, just like activity logs.
So the main tenets that haven’t changed are:
- Critical data – What sensitive data is monetizable? What is valuable intelligence that can be used by a competitor or nation state, and what would an attacker target for sabotage? Think like an attacker. Now, where is the data and what controls does the business require for it – encryption at rest, encryption in motion, or multifactor authentication?
- Credentials – Who should have access to your critical data and when are those credentials being used to access, modify, delete, or copy that sensitive data? Have those credentials been compromised?
- Processes – Know which applications and processes are authorized to run on the systems containing your sensitive data.
What has changed, however, is that you now need to partner with your cloud service provider (CSP) and your security vendors to ensure visibility into and control over your sensitive data in the cloud. Be sure to ask these questions:
- Ask your CSP about its data practices to ensure your data isn’t being sent or stored outside of your control. Ensure your cloud provider offers encryption for data at rest (including backups) and for data in motion. Remember, disk-based encryption is not the same as file-based encryption. Inquire about how the CSP will support your corporate data retention policies. Most important, validate that all access to sensitive data is adequately logged. And with any cloud service, make sure your data isn’t shared with other entities.
- Ensure that your CSP offers two-factor authentication to access its services and your sensitive data. Hackers are going to go after your servers first and then your credentials. Any compromise to your cloud service credentials can be devastating to your data security program. Inquire about what level of detailed logging for credential use is available. This is extremely important.
- Secure your cloud services with solutions that provide both visibility and protection over cloud applications such as Intel Security Public Cloud Security Suite. You should know and be able to control which applications and processes are running on the systems that store, process, or access your sensitive data. Security for the cloud should come from the cloud and work natively in Azure and AWS.
- Ideally the CSP you select fully supports giving your security team both visibility (access to the logs of sensitive data access, privileged account use, and application/process activity) and control (the ability to terminate the access of compromised accounts or rogue processes).
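The three tenets and the logging questions above come together when you actually review the access logs a CSP gives you. The following is an added example, not code from the original post or from any CSP: it runs a few constructed log records through checks for the controls the checklist asks about (authorized principals for sensitive data, multifactor authentication on each access, encryption at rest on the object touched). The record fields, prefixes and authorized lists are assumptions chosen for illustration, not any provider's real log format.

```python
"""Review constructed cloud access-log records against the visibility/control checklist."""

# Constructed sample records (illustrative only, not a real CSP's log schema).
SAMPLE_LOG = [
    {"ts": "2016-03-01T08:02:11Z", "principal": "alice",      "mfa": True,
     "action": "read",   "object": "finance/q1-forecast.xlsx", "encrypted_at_rest": True},
    {"ts": "2016-03-01T08:05:40Z", "principal": "svc-backup", "mfa": False,
     "action": "copy",   "object": "finance/q1-forecast.xlsx", "encrypted_at_rest": True},
    {"ts": "2016-03-01T09:15:03Z", "principal": "bob",        "mfa": False,
     "action": "delete", "object": "hr/salaries.csv",          "encrypted_at_rest": False},
    {"ts": "2016-03-01T09:20:00Z", "principal": "carol",      "mfa": True,
     "action": "read",   "object": "public/brochure.pdf",      "encrypted_at_rest": False},
]

# Tenet 1 (critical data): which object prefixes hold sensitive data (assumed classification).
# Tenet 2 (credentials): which principals are authorized for each sensitive prefix (assumed).
AUTHORIZED = {
    "finance/": {"alice"},
    "hr/": {"hr-admin"},
}


def sensitive_prefix(obj):
    """Return the sensitive prefix an object falls under, or None if it is not sensitive."""
    for prefix in AUTHORIZED:
        if obj.startswith(prefix):
            return prefix
    return None


def review(records):
    """Return one finding per control gap seen on a sensitive-data access."""
    findings = []
    for r in records:
        prefix = sensitive_prefix(r["object"])
        if prefix is None:
            continue  # public data: no sensitive-data controls apply
        if r["principal"] not in AUTHORIZED[prefix]:
            findings.append((r["ts"], r["principal"], "unauthorized principal"))
        if not r["mfa"]:
            findings.append((r["ts"], r["principal"], "access without MFA"))
        if not r["encrypted_at_rest"]:
            findings.append((r["ts"], r["principal"], "sensitive object not encrypted at rest"))
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(*f)
```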
While it may feel frustrating, it’s a challenging time to be in IT security. The cloud provides us with a fresh platform to once again architect our security systems for visibility and control of our sensitive data. Déjà vu gives us the opportunity to do it better the second time around. Bring it on!
Todd Beebe is the Information Security Officer for Freeport LNG and co-chair of CSA’s Houston Chapter.