The importance of understanding your cloud application attack surface

null

You’ve decided to move to the cloud. It’s faster, more scalable, and more agile. Security is a priority, but you don’t want it to slow you down. The foundational infrastructure delivered by cloud providers is secure but protecting the applications, workloads, and data you run on top of that infrastructure is your responsibility—and it’s a big one, so how do you advance your security measures and keep up with the ever-evolving threat landscape?

In the past 10 years the rate of technology adoption has increased considerably – it took 75 years for 50 million people to adopt the humble telephone and only 35 days for the application Angry Birds Space to reach the equivalent number in downloads!

Cloud has disrupted traditional security, there is no doubt about that. The reason for this is that we, as consumers, are driving the need for delivery of solutions much faster. People expect to consume services in a responsive and familiar way through mobile and web applications. The expectation is that services will be fast and always responsive even at load. This demand and expectation is achievable at a cost, the cost of a cultural change to the way organisations do business and all the way down to how we develop systems and deliver those services.

The question is what does this mean for security? Many of today’s available security tools have evolved over years with a focus on a specific problem, one that is static and often very slow. Even when organisations started to use virtualisation, the approach still required a huge amount of red tape and manual process to spin up new services. A cloud-first approach is an expression I hear often these days; it is an approach adopted by so many organisations and is driven by consumer expectation and demand.

What this change means for security can be distilled into two core concerns:

  • Does the technology you use today actually work in the cloud?
  • How do you keep up with the rate of change in the environment while ensuring adequate levels of security?

Cloud has improved our ability to be more secure, whilst compounding the skills gap problem. Another expectation of the security tooling is its transparency and thus ability to accelerate expansion into the cloud rather than slowing it down. I have spoken to numerous businesses with courageous goals to be fully in the cloud within the next two years. Security has to form part of that migration, but we are not talking two or three servers, we are talking large scale deployments.

Hybrid cloud security

What is the problem with this traditional security approach? Old-school cybersecurity methods and tooling were not designed to enable or support the cloud because of their legacy design. Today’s cybersecurity measures need to relate to today’s infrastructure, they need to be agile and fluid.

Another side of this security coin is that as we evolve our cybersecurity capability, so do the cyber criminals. The current cyber attack trend is to move up the stack to the application layer, where the opportunities are rich. In defence, organisations have increased application security awareness and detection skills, which has led cyber attackers to build attacks that subvert controls by being ever more complex to detect. How do we as businesses maintain this level of evolution in our security controls whilst evolving at a rate demanded by our business and customers when we have limited budgets and a shortage of cybersecurity skills?

I ask whether most organisations should tackle this challenge themselves; after all, why would we expect one person with a security title to cover five completely separate security disciplines like intelligence, content, analyst and compliance expert, as well as being a tooling expert.  

In its 2017 Cloud Security Report, Alert Logic analysed millions of their customers’ security incidents over 18 months to gain a better understanding of the general cloud security landscape and the specific cyber threats companies face. Findings include:

SQL Injection - According to the report, web application attacks accounted for 75 per cent of security incidents escalated by the Security Operations Centre (SOC). SQL Injection is behind 55 per cent of web application attacks in the dataset. Organisations need to take steps to be able to identify and guard against SQL injection attacks which is not a trivial exercise.

Workload Environment - Perhaps the most surprising element of the results is the marked difference in the numbers of escalated incidents in public, hosted and hybrid cloud service providers. The public cloud has proved itself relatively more secure, experiencing only 405 security incidents over the 18-month period. Comparatively, on-premises customers experienced a 51 per cent higher rate of security incident escalations (612), hosted private cloud 69 per cent higher (684) and hybrid cloud 141 per cent higher (977). When it comes to securing cloud resources, you need to know where the weak spots are and how attackers are targeting cloud assets.

Cloud security – continuous protection

We continue to see web application attacks ranking in the top 5 of security incidents and SQL Injection continues to be number one. We often see some recent celebrity exploit attempts making an appearance when vulnerabilities are discovered, for example Apache Struts. In addition, we still see attacks that are more than 2 years old, proving that if it isn’t broke, the cyber attackers will continue to use that which is working.

Bearing in mind the ever-expanding cyber universe, companies must ensure they have strong security processes in place. The principles of security do not change, but the approach to security does. It’s like running – when we can see the objects in front of us we dodge them, but as things start to move it becomes more difficult to navigate the hazard. Making threat detection work in the cloud is like running at full speed as the hazard moves right in front of you. With the traditional world, we know the server very personally, we have spent significant time nurturing it. In the cloud we just terminate unhealthy or tainted machines, and this has a profound impact on how we investigate an incident. For cyber attackers, it slows APTs or even makes them impossible, but it also means attacks are masked by the inability for traditional tools to realise that that system will never come back or that it has a different personality than before it was hacked.

Security-as-a-Service

Consider working with external security experts. Organisations must ensure that, like their data and workloads, their people resources occupy the most relevant roles. The in-house IT expertise shouldn’t be diminished by ongoing security management when these professionals are better suited to drive innovation and elevate customer satisfaction. Organisations must ask themselves – are their valuable resources in the ‘best execution venue’ for their skills? Working with a security partner can help to reduce resourcing gridlocks and appropriately engage the internal talent pool.

There are lots of other cloud security aspects to consider. Read the full Cloud Security Report to learn key strategies you can adopt to increase cloud security and manage risk. Remember, it’s not easy but cloud security doesn’t have to be complicated.

James Brown is VP EMEA at Alert Logic
Image Credit: Melpomene / Shutterstock