“Data breaches can have a clear impact on enterprises’ bottom line, and security teams are desperate to prevent them. However, it’s not the underlying cloud technology that has exacerbated the data breach problem – it’s the immature security practices, overtaxed IT staff and risky end-user behavior surrounding cloud adoption.”
Info Security Magazine - 08/07/2019
Capital One is a poster child for public cloud – its AWS implementation is a featured case study on the web site. But the recent security breach that exposed over 100 million of its credit card applications could cost the company up to $500 million in U.S. fines.
Capital One is hardly alone. In April of this year researchers found third parties exposed over 540 million Facebook user records on the public cloud. Similarly, last February an “authorized third-party” exposed 2.4 million Dow Jones customer records. According to the Vulnerability and Threat Trends Report, public cloud vulnerabilities increased by 240% in the first half of 2019 from the same period in 2017.
Public Cloud Security is Far from a Given
“Misconfigured server infrastructure is often considered one of the most significant causes of data breaches within the IT industry. This human error phenomenon is usually unintentional, but it can have catastrophic consequences regarding the exposure of sensitive personal information as well as potentially damaging the reputation of your business.”
Cyber Security Magazine, CS Media 12/26/2018
There was a great deal of press about the Capital One breach, including a few articles in the Wall Street Journal alone. One of them, How the Accused Capital One Hacker Stole Reams of Data From the Cloud, put the blame for the exposure on a misconfigured server. The article quotes a security researcher who said this is quite common and who found over 800 accounts across the two leading cloud providers where misconfigured servers enable outsider access.
IT leaders often look to public cloud as the remedy for on-premises security struggles such as firewall configuration and keeping patching up to date. But public cloud is hardly a panacea. Not only does public cloud not eliminate misconfigured servers and firewalls, it exacerbates the problem.
Moving a security risk from on-premises to public cloud means it is now much more easily targeted by hackers in the highly exposed public cloud arena. Security expert and Citadel Chief Information Security Officer, Christofer Hoff, tweeted, “If your security sucks now, you’ll be pleasantly surprised by the lack of change when you move to Cloud.”
Public Cloud Increases Security Demands
A July 2018 IDC report, Cloud Repatriation Accelerates in a Multi-Cloud World, says that half of all public cloud applications are expected to move back on-premises over the next two years. The number one driver cited by the survey of 400 companies was security.
Not only does a security mistake in public cloud pose much greater risk than on-premises, but effective security is far more challenging. Each public cloud requires specialized security knowledge around areas such as multi-tenancy (shared resources), permissions, network traffic flows, storage buckets, load-balancers, databases, identity access management, and so on.
Consider, for example, backup. An 08/09/2019 TechCrunch article, Hundreds of exposed Amazon cloud backups found online, says that cloud administrators often fail to choose the correct security settings. This leaves EBS snapshots (backups) “inadvertently public and unencrypted.”
Deloitte Consulting Chief Cloud Strategy Officer, David Linthicum, made it clear in a 05/08/2018 InfoWorld article that even deep IT on-premises security skills don’t translate fully to the specific requirements of a public cloud provider:
“The fact is that enterprises have done a poor job in prepping the talent pool for the cloud…The breaches that I see are caused by people doing dumb things, not by the lack of technology. Things are misconfigured, updates are not applied, or the wrong technologies are chosen. Indeed, you can trace most breaches over the last five years to that root cause of poor talent.”
Cloud Security is a Shared Responsibility
Security and compliance in the cloud is a shared responsibility between the cloud service providers (CSP) and their customers. Under the Shared Responsibility Model, the CSP is responsible for “security of the cloud” which includes the hardware, software, networking, and facilities that run the cloud services. Organizations (the CSP’s customers), on the other hand, are responsible for “security in the cloud” which includes how they configure and use the resources provided by the CSP.
Diem Shin, Fugue 01/23/2019
Public cloud providers could, if they wished, simply implement airtight server/firewall security. As an example, AWS could make its storage bucket (AWS S3) unavailable to anyone on the Internet. But locking down S3 would thwart an organization’s ability to easily share certain information for test/dev purposes or even production.
Public cloud providers built their architectures for rapid integration and scalability. Cloud customers have the freedom to configure and deploy servers as they best see fit with a click of a button, but the trade-off is a requirement to assume much of the resulting security responsibility. The key is recognizing their level of risk appetite and then ensuring best practice conformity against an appropriate security baseline.
It is helpful to look at cloud security as a four-layer spectrum. On one end is the cloud platform layer which is clearly the public cloud provider’s responsibility to secure. At the opposite end of the spectrum is the application layer which is in the customer’s purview to secure. In between these two layers lies a gradient where the cloud provider responsibility gradually declines while the customer responsibility increases.
- Cloud platform layer
- Infrastructure layer
- Network layer
- Application layer
Cloud customers tend to have a poor track record when it comes to fulfilling their responsibility for security.
Securing both on-premises and multiple clouds is more complex than securing a single cloud. Organizations require a different set of controls for private cloud, public cloud, and then for different public clouds. And there seems little doubt that we’re headed into a hybrid/multi-cloud world. An April 2019 IDC study, Surviving and Thriving in a Multicloud World, states, “Multi-cloud environments are now the norm for enterprise organizations.” Forrester Research confirms that multi-cloud/hybrid cloud environments now comprise 74% of enterprise computing strategies.
Even good security policies do not guarantee security if leadership has no way to ensure compliance. For example, a Nutanix customer had a policy of no cloud-based load balancers with unencrypted data, but upon deploying Xi Beam found 67 such instances.
Effective security mandates an ability to monitor thousands of variables. Is the storage bucket secure? Is the data encrypted? Was the Log Access key discarded after 30 days? This is not possible to do manually. Automated tooling must poll each public and private cloud environment to check configurations against a known list of cloud security best practices. Cloud security management tools must provide:
- Complete visibility into an organization’s security posture across all clouds including on-premises
- Real-time recommendations for fixing security vulnerabilities
- Custom security policies and audits that meet specific business needs
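The automated check described above, as an added example (not from the original article and not Xi Beam code): it evaluates a resource inventory against rules for the conditions this article names, namely public or unencrypted buckets and EBS-style snapshots, load balancers carrying unencrypted traffic, and access keys older than 30 days. The inventory, resource names, field names and rule ids are constructed assumptions; a real tool would fill the inventory by polling each cloud's API.

```python
from datetime import date

MAX_KEY_AGE_DAYS = 30  # the article's "discarded after 30 days" check

# Constructed sample inventory (hypothetical names and fields), kept inline
# so the audit runs offline.
INVENTORY = [
    {"id": "bucket-test-share", "cloud": "aws", "type": "bucket", "public": True, "encrypted": True},
    {"id": "snap-0a1", "cloud": "aws", "type": "snapshot", "public": True, "encrypted": False},
    {"id": "lb-web", "cloud": "azure", "type": "load_balancer", "listener_protocols": ["HTTP", "HTTPS"]},
    {"id": "key-logs", "cloud": "aws", "type": "access_key", "created": date(2019, 6, 1)},
    {"id": "snap-0b2", "cloud": "onprem", "type": "snapshot", "public": False, "encrypted": True},
    {"id": "bucket-unknown", "cloud": "azure", "type": "bucket", "public": False},  # encryption state missing
]

def build_rules(today):
    """Return (rule_id, resource_types, violates) tuples. A missing attribute
    counts as a violation, so an incomplete record is flagged, not passed."""
    return [
        ("public-storage", ("bucket", "snapshot"),
         lambda r: r.get("public", True)),
        ("unencrypted-at-rest", ("bucket", "snapshot"),
         lambda r: not r.get("encrypted", False)),
        ("unencrypted-lb-listener", ("load_balancer",),
         lambda r: not r.get("listener_protocols")
         or any(p.upper() not in ("HTTPS", "TLS") for p in r["listener_protocols"])),
        ("stale-access-key", ("access_key",),
         lambda r: "created" not in r or (today - r["created"]).days > MAX_KEY_AGE_DAYS),
    ]

def audit(inventory, today):
    """Evaluate every resource against every rule that applies to its type."""
    findings = []
    for res in inventory:
        for rule_id, types, violates in build_rules(today):
            if res["type"] in types and violates(res):
                findings.append((res["cloud"], res["id"], rule_id))
    return findings

def summary(findings):
    """Count findings per cloud, the basis for a cross-cloud posture view."""
    counts = {}
    for cloud, _, _ in findings:
        counts[cloud] = counts.get(cloud, 0) + 1
    return counts

if __name__ == "__main__":
    for finding in audit(INVENTORY, date(2019, 8, 9)):
        print(*finding)
```
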
One such tool is Nutanix Xi Beam, which supports both AWS and Azure. Beam also supports security compliance audits for on-premises Nutanix environments that use the Nutanix native hypervisor, AHV. Beam can help detect, and even remedy, server and firewall misconfigurations. It helps organizations identify and fix their security issues across multiple cloud accounts by providing cloud security visibility, optimization and control:
What does the multi-cloud environment look like? How are resources deployed? Are there any exposed databases? Beam answers these types of questions, and many others, by providing a security heatmap and global visibility into the security posture of a multi-cloud environment. It identifies cloud infrastructure security vulnerabilities using 500+ automated audit checks based on industry best practices across public and private clouds.
Beam includes a one-click feature that can easily fix security issues and improve a customer’s security posture. It provides out-of-the-box security policies to automate the checks for common regulatory compliance policies such as HIPAA, PCI-DSS, NIST, etc.
Beam brings automation to securing the environment with policy-driven automated workflows that continuously detect security vulnerabilities in real time. Beam then implements the actions needed to fix them. Customers can create their own custom audit checks to meet their business-specific security compliance needs.
For Nutanix customers we are now launching the security compliance audits through Xi Beam. If you’d like to try it out, click here.
Thanks to Beam product marketing manager, Sahil Bansal, who provided invaluable information, guidance, and editing.
Disclaimer: The views expressed in this blog are those of the author and not necessarily those of Nutanix, Inc. or any of its other employees or affiliates.