The following excerpt regarding the most common mistakes and critical security issues to fix in the cloud is taken from a live panel titled Cloud Security 2021: Emerging Trends, Threats, and Responses. The cloud provider, auditing, managed service provider and enterprise communities were represented by Tim Sandage of AWS, Mike Hughes of Prism RA, Jeff Collins of Lightstream and Tyler Kennedy of Rewind. The session was moderated by Aaron Klein of SecureCloudDB.
Panelists identified authentication, accountability, permissions and more - do you agree with what these security experts say about what they deem to be the biggest issues in data protection in the cloud?
Aaron Klein, Co-Founder & CEO, SecureCloudDB
In our preparation [for this panel], I heard multiple panel members say we keep making the same mistakes. Let's start with what each of you sees as the most common mistakes and how we move forward to solve these mistakes and help prepare ourselves against other attacks and future breaches. We'll start this topic with Jeff and then work our way clockwise around.
Jeff Collins, Chief Strategy Officer, Lightstream
Perfect; thanks, Aaron. The biggest area that we see still at this point in time is kind of one of the biggest that we've dealt with in the last 20 - 25 years I've been in this business, and that's identity.
We still have problems holistically with identity. What I mean by that is, do we know how to manage identities? Certainly. But do we know how to control the sprawl of identities? No; and that's a huge issue that we see all the time.
Time and time again, when we're brought in for breaches or I'm spending time with customers as we're walking through what occurred, or what could occur, identity often becomes that catalyst that causes so much risk within cloud providers, within applications, within core infrastructure — identity just becomes such a big issue across the board.
It's really that management and understanding roles — how roles chain off of each other, all those types of activities that occur. That's really what I see as the biggest risk. Certainly, there's a whole bunch of others that I'm sure the rest of the team will talk about, but that's the one we see the most. That's the one that most of our customers still have big problems with and, you know, the answer is not "well, we use Active Directory and we federate it, and we use any of the SAML solutions" — that's not really an answer. You really have to think, and you really have to understand where that identity goes, who has access to it, and what that access provides.
Aaron Klein, Co-Founder & CEO, SecureCloudDB
When you talk about the solution, the solution is digging down deep and tracking and understanding those accesses, and staying current and staying on top of it?
Jeff Collins, Chief Strategy Officer, Lightstream
Correct. And as you go out and you develop applications, really understanding how that identity is used within those applications, because oftentimes that identity and how it's used, and how it's chained, and how it's leveraged to support those applications becomes the problem.
It's not as simple as the identity that allows you to log on to your computer; that's pretty well understood at this point in time; we have a group, we have a role, we have a user — pretty well understood.
But it's that identity outside of that and identity as it attaches to services, as it attaches to storage accounts, as it attaches to applications. Those are the pieces where it becomes the huge risk across the board.
All of us are familiar with breaches that have happened over the last five years that were solely identity-related breaches. They had every security control on the planet, they bought the best IPSs and the best WAFs, and they had the best controls around all of their software delivery and all their application code and they were still breached. Well, oftentimes, it's because of this identity component.
Aaron Klein, Co-Founder & CEO, SecureCloudDB
It's really spot on from what we see. I'll ask Tyler — are you seeing the same? Do you have other concerns?
Tyler Kennedy, Application Security Engineer, Rewind
I would say, in general, we see the same thing. In general, across the entire industry, people are getting better with understanding basic security and the steps that should be taken no matter what.
Two-factor authentication is becoming more and more common. We see large organizations like Twitter, for example, that follow a fantastic set of default rules for when to ask for reconfirmation of identity: has an IP changed since the last time this account was used? Is this pattern somehow different from the user's previous patterns? Then we should try to re-verify identity.
But at the same time, all of these things that we do to secure an identity get ruined by doing something like allowing account recovery through SMS. I imagine most people here know about SIM hijacking, which is a fairly trivial process these days to get a cell phone number reassigned to you. And you can use this to circumvent two-factor authentication with anyone that allows account recovery through SMS. And Twitter being one of the most notorious — Twitter's own CEO, I believe, was exploited that way.
So even if you follow all of the best practices — you do two-factor authentication, you do every step you can imagine to secure an identity — having a single weak point is enough to circumvent everything that you've tried to do. And so when that happens, the most important thing is to have accountability.
Even though you've authenticated identity, you still need to audit it; you still need to check what it's doing. And you really should be restricting what that identity can have access to.
A lot of small companies, for example, don't really restrict what data an administrator could access. You create an admin portal; admin logs in. Well, that's it, they're just an admin. There's no further clarification of their role there. They have access to all the customer data that's in the admin portal now. Well, they probably shouldn't have that. Right, you need a further level of granularity — what data should this identity truly be able to access when it has access to a privileged system.
And it's often just not something that's done at a small company, as a startup. It's not a priority — you just want to get that support panel going, you want to get an admin panel going. And so your roles and permissions are very simple, very trivial. Yeah, I'm an admin. I'm a super admin, I can do whatever. And that's unfortunately, where it ends.
Aaron Klein, Co-Founder & CEO, SecureCloudDB
Got it. Up, Mike, you want to weigh in?
Mike Hughes, Director, Prism RA
Yeah, well, in my experience, organizations are still not getting the basics right. Now, two-factor authentication — why haven’t we got that across the board? You know, it's simple to implement now. But still, we haven't; we’ve still been relying on IDs and passwords and we know how effective passwords are; unless a user can put in their own password.
You have the authorization piece — who can access what — and we're still finding that a long-standing member of an organization has had many roles, and they, you know, have gathered lots of access over the years. Now, it's a simple control — when you change a role, you give up all access and you have your access rebuilt for that new role. It's simple, but organizations don't do it.
Privileged access. I wish I had a pound, or dollar, where every time I've been told, “I want privileged access to do my job, if you take it away from me, you're going to stop me from doing my job; when that system falls over in the middle of the night, I won't be able to get in.” Well, yes, you need access, but we can put some controls around it to help manage that. You don't need access — privileged access — all the time.
And the final one is backups. And again, the number of times I've had meaningful discussions with clients telling me, "Out in the cloud now, it's automatically backed up." Well, no, it's not. Yes, you can pay for that — for your data to be backed up — but just because it's cloud, it's not automatic.
So, you know, we still have got an awful lot to do to get those basics right.
Tyler Kennedy, Application Security Engineer, Rewind
There's not just security, there's business security. And if your backups are gone, if your backups are insecure, your business security is basically non-existent. And, for example, Amazon is awesome for this: the data redundancy, the actual data security of making sure your data is still there tomorrow, is fantastic.
I can do multiple availability with an S3 bucket and it's available around the world. But again, if someone has my identity, or someone gets a root IAM key, or somehow gets permission to do a single command to S3, they can erase everything. If it's on-premises, it's not truly a backup.
Timothy Sandage, Senior Manager, AWS
Yeah, agreed. After my 25 years in this business, I still go back to: it's basic blocking and tackling. We still have never gotten that down. You just heard it now — we're still having conversations about having customers set up a least-privilege capability; not having any one human walking around with admin privileges — why we still have that nowadays is still crazy to my mind, but you'd be amazed at the reasons and rationale.
Some of the other panelists already said it — "I have to have that" — and it's like, no; use a role, assume the role, time out the role with an STS token, make sure that you know that a human isn't walking around with it, because nowadays especially, it's even worse: now we've got laptops, we've got iPhones, we've got iPads, we've got any and every device that a human can leave behind with privileged access to a network. But then it goes beyond that. It's the basic blocking and tackling.
It's like just looking and watching the patching, the inability to patch systems, the inability to either adopt a rigorous patch process or a rip-and-replace process. The greatest part of the cloud is that you can actually leverage infrastructure as code, and you can codify your security posture because again, at the end of the day — and I'm just as bad — we're lazy human beings, we want to take the easy way out. More of us that have been working in IT for many, many years just want to say "Aaron, you have this access, you just hired a new employee, I'm going to give them the exact same access" because it's easy. We've seen this historically throughout our careers; I'm sure we all have those stories. So it's a matter of making sure that if that's the case, that we're going to do that, let's make sure that it's documented in a CloudFormation template, Terraform, whatever the case may be. And let's execute it based on a least-privilege access model. Let's leverage some of the tools and services that are out there to manage rip and replace or manage patch management, depending on the organization.
We constantly get calls about ransomware infections nowadays, and the biggest thing, back to the gentleman who was talking about backups, is like, yeah, your backups are only as good as the access model, though. Because if you're backing up the exact same data, and they have the exact same access model, then guess what: when you've been hit with ransomware, so is your backup. And so trying to have all of those pieces set up properly, and being able to mitigate that, versus "Oh, I've got to pay the ransomware", which we see happen often right now. A lot of it is based on these basic blocking and tackling things. You know, it's been around for years — it used to be the SANS top 10, or whatever the case may be; they're still the top 10.
The key is, we're always trying to educate our customers — let's make sure that we're doing things methodically, let's make sure that we're leveraging things; if you've got to do it more than once in your IT infrastructure, let's codify it, let's leverage the tools and the services. And let's make sure that you have a plan in place that you can deal with, because we all know that at some point, you're going to have some breach, whether it's minor, a natural disaster, intentional, whatever the case may be; let's make sure that we're mitigating for those breaches. That's kind of the key that we try to talk to customers about on a constant basis.
Aaron Klein, Co-Founder & CEO, SecureCloudDB
That's definitely philosophically where we come in. My sort of SecureCloudDB two cents, which is, you need multiple sorts of defense in depth, you need multiple layers, you need to be prepared, you need to recognize that things are going to happen.
Taking the permissioning and the access as an example, we come at it, and we go, if you don't make everyone an admin, if you split things up, if you use rules, if you use expiries, if you understand that, that's great, but the reality is, there are going to be moments where you need — for example in the database world — activity monitoring and you want to understand who has access, and you'll see things earlier, and you want to set up trip wires across your system.
We see the same problems again and again. We recognize that you're going to identify the problem; you're going to solve 90% of it. But you have to be prepared for the 10% that you don't. It's just not realistic to think everyone's gonna do everything perfectly.