At nearly every conference, we talk about the lowest-hanging fruit of virtualization security, but we often miss the discussion about the lowest-hanging fruit of cloud security. They are not the same. Are we talking about good SSL hygiene? That is a part of it, but there is something even more basic than that. John Dickson, principal of the Denim Group, joined us on The Virtualization Security Podcast to talk about how people are moving to the cloud and the things they miss.
So, if good communication hygiene is part of the answer, what is the rest?
The lowest-hanging fruit of cloud security is actually good planning. Take the time to really think about and plan for those workloads you are placing into the cloud. Do a simple risk assessment to understand all the ins and outs of those applications, who needs access to them, and how those protocols for access are protected. However, even though this is important, it is more an end point. We need to seriously consider mindset before anything else. The lowest-hanging fruit of cloud security starts with:
- Convincing upper management that security is necessary and important
- Showing developers where their code is weak in a non-confrontational way
- Providing threat intelligence and ways of gathering threat intelligence.
Convincing Upper Management
This is the trickiest part of any security discussion, because the attitude of an organization takes its cues from those in charge with respect not only to security but to all other aspects of the business as well. Perhaps this is where you first use threat intelligence, which you can obtain from the following sources:
- Verizon Data Breach Investigations Report
- Mandiant APT1 Report
- Alert Logic Cloud Security Report
- Trustwave Global Security Report
- and any others that make sense for the type of business.
More importantly, this is where white-hat hacking and penetration tests can come in handy. You need such tests to probe the unknown unknowns, not just the known attacks. For some companies, the convincing threat is the possibility of their name showing up in the newspaper. If a breach is big enough or politically motivated enough, then they will appear in the newspaper (and everywhere else on social media), which will impact the bottom line. This is where we start to talk about the financial and reputational impact of bad security choices.
Showing Developers the Breaches
Developers can be prickly, and in many cases, they have their own ideals about how the code should look. After convincing upper management, you need to show the developers the weaknesses in their code, as they are ultimately responsible for any code-related breaches. Mistakes happen, but by the same token, developers seem to be a breed apart and have a different mindset. Showing them where the breach is and how it impacts the business is the first step in convincing developers that their methods need to change. Perhaps this is as easy as a static code analysis or even a code review.
Providing Threat Intelligence
There are many good locations for threat intelligence, yet an organization needs not only to gather intelligence but also to respond to the intelligence they gather. This is where simple risk assessments come in. Seriously consider the threat: does it impact your plans to enter the cloud, does it impact how your code is produced, do you need more resources, tighter controls, or even better communication (SSL) hygiene? This is the repetitive part of the lowest-hanging fruit of cloud security. You iterate after every report. Architects, developers, everyone is involved. We need to break down barriers, not build them up. This is really what DevOps is all about, but we have a way to go.
Concluding Thoughts
This is just the tip of the iceberg when it comes to cloud security, the simplest but perhaps the hardest elements to change within the organization. We need to think more broadly, as a cloud comprises shared resources, which come with their own threats. Will the code or business process be impacted? How can you continue to communicate to partners? These are the types of questions to start asking.
The lowest-hanging fruit of cloud security is to plan, plan again, and plan some more. Ask the tough questions: How are you going to recover in case of an unknown unknown attack? How will you even detect such an attack?
Where do you get your threat intelligence? What is the impact of such intelligence on your organization?
Great post Edward!
The highlight of this is the challenge to get buy-in at many levels, and most importantly management. It becomes tiring to have to put up the picture of Edward Snowden at the beginning of each slide deck just to show a realistic example of how vulnerable we can be.
I wonder if we have any thoughts from the readers as to how they have effectively gotten a threat management program in place at different sized organizations. There are particular challenges in the SMB space that make those organizations particularly vulnerable.
What is even worse is the willful ignorance of a threat management program which I have seen happen at some organizations. It is terrible to have to be in the post-mortem meeting after a breach and lay out past emails highlighting the need for attention, only to have the management teams ask why admins/architects didn’t “put enough emphasis” when they presented their case.
As you’ve noted perfectly, there is the collection process, but the key is the action taken. It really needs attention in both areas. I’m a believer in the use of white-hat teams to highlight issues for sure because merely collecting logs without understanding what a real breach looks like can be as ineffective as not looking for it at all sometimes.
Thanks…Eric
Hello Eric,
Thank you. Please listen to the podcast, as there are some other comments in there that may be helpful.
There are two types of organizations I think: those that have been breached, and those that do not know they have been breached. The latter are the ones that tend to ignore threat intelligence and the threats, thinking they just do not happen to them. In reality, however, they have most likely already been breached.
The mindset of security and those looking at threat intelligence should be could this happen to us, has it already, how can we recover or even prevent, but most importantly how does this threat impact our business…
I think things are changing but I too would like to know how others get over the hurdles.
Best regards,
Edward L. Haletky
Interesting article and advice. Most organizations move to the cloud; it is cost effective and offers numerous benefits such as ubiquity, but concerns over moving to the cloud have always centered on the security and privacy of data hosted in the cloud. I work for McGladrey, and there’s a whitepaper on cloud computing that will interest a few readers; it weighs the risks of moving to the cloud against the many benefits of the cloud. @ “Cloud risks striking a balance between savings and security”