Best Practices for Navigating Transitions to the Cloud Environment
Originally written for RANE Network
Editors’ Note: As many companies increasingly turn to cloud providers to store proprietary and consumer data, these services are becoming attractive targets for threat actors. RANE spoke with expert Ben Finke at OnDefend to evaluate the most prevalent risks faced in the cloud environment and better understand how organizations can best protect their stored data and enhance security in the cloud.
What is a “cloud” environment and why are organizations transitioning there?
A cloud environment refers to a web-based application or software that is used for particular tasks, such as website management or data storage. Broadly, there are two different types of clouds. Finke explains that “Public cloud is what most people think of when they think of cloud.” Public cloud providers create computing services, such as storage, applications, or “develop-and-deploy” environments, made available on-demand over the public internet. There are many different public providers, such as Amazon Web Services (AWS), Microsoft Azure or Google Cloud, each with its own unique products and offerings. In contrast, a private cloud can be offered over the internet, but it can also be used in a private internal network that is only available to select users rather than the general public. While a private cloud is usually fixed, a public cloud can be scaled to an organization’s preferences and adjusted to fit its needs.
Whether public or private, the primary types of cloud service models are infrastructure-as-a-service, platform-as-a-service and software-as-a-service. Organizations have the option to run an operating system as a whole and manage it as an infrastructure-as-a-service in the cloud, only paying for the resources they use, which provides cost benefits through efficient IT resource management. Platform-as-a-service provides a complete platform – including hardware, software and infrastructure – which organizations can use to build and design their own cloud environment by developing, running and managing applications over the internet without the cost and complexity generated by on-premises platforms. However, Finke argues that software-as-a-service, a model that allows users to access software applications over the internet, is the most beneficial option as it requires the least organizational management. It is especially useful because it automatically integrates patches or other security updates for an operating system rather than putting the burden on the organization to manage.
Organizations are increasingly adopting cloud environments for cost savings and flexibility, especially as many companies have moved to remote work following the COVID-19 pandemic. Finke says that one of the main benefits of using the cloud is to save money. Many cloud providers, such as those that offer platform-as-a-service, enable organizations to get rid of most of their on-premises hardware and software, which can be costly and inconvenient to maintain. Additionally, cloud computing offers centralized data security. This means that organizations no longer need to expend resources to maintain on- or off-site data backups because cloud providers centralize data backups in their own data centers. This also minimizes the risks of data being lost due to physical damage, such as flooding or natural disasters. Instead, cloud providers can restore data from copies stored in their cloud storage.
What are the most prevalent risks in the cloud migration process?
As companies increasingly opt for cloud computing environments and shift away from traditional IT infrastructure, they need a new approach to security. Finke describes this as a “total paradigm shift.” He says that there is a major risk in the fact that old security tools, such as network firewalls, which teams used when everything was held in on-premises data centers, have become irrelevant in many ways. “When we think about it from the old school security side, most of the tools that security teams used 10 years ago just don’t even work on the cloud anymore… and so a lot of the security folks kind of found themselves kind of out of their depth a little bit,” Finke says. Part of this is due to the fact that cloud configuration is largely dependent on coding, which is not a skillset that all IT security professionals have, especially older professionals who previously focused on developing skills for building complex firewalls and endpoint detection and response.
Many IT security experts are operating under a new way of thinking, and cloud environments are often misconfigured, meaning they can accidentally leave access open to unauthorized third parties. Finke notes that the “cloud is all about configuration” and it is common for these environments to be misconfigured, even by experts. This is partly due to the abundance of offerings that many cloud providers have, as it is unlikely for an in-house IT professional to know how to properly set up hundreds of different offerings. The wide range of offerings can also lead to confusion about which service an organization uses and how they do or do not interact with each other. Finke says that “the problem is that they’re constantly adding new services into these things,” and they are all different in terms of default settings and configuration requirements. Some services allow organizations to segment how they pay for various services. However, Finke notes that a risk with this is not only that cloud environments are misconfigured but also that IT security professionals may look into which subscriptions an organization runs and be unable to identify which applications they belong to or which department is operating them. This means that if an employee went into the service and turned it off, there is no certainty whether doing so would go unnoticed or whether it would cause a considerable disruption to business operations. It also makes it more difficult for IT security teams to inform the correct departments within an organization and respond to an incident if they find an issue within a particular application.
Additionally, default configurations can pose problems for organizations because using the cloud eliminates natural security boundaries that organizations may have previously relied upon, and many are unaware that they have to build these defenses back up since default cloud configurations do not come with the same kind of security measures. Finke states that the cloud is, by definition, accessible by the internet, which means that often the default configuration allows public access to anyone. Organizations need to take specific measures to prevent unauthorized parties from being able to enter the system. This is another consequence of a shift from traditional data centers and on-premises IT infrastructure; prior to the cloud, an organization’s network had a certain level of inherent protection, and access was only granted to those whom organizations explicitly granted permission. Without this kind of built-in security, there are inherent risks that organizations’ systems or information held on cloud servers are left exposed if not properly configured to prevent unwanted access. Finke says that “in the older style of networking where we had everything on-site in a data center, we used network ranges as boundaries, and in the cloud, that kind of doesn’t exist anymore. Everything can talk to everything if you let it…it was really helpful that you just didn’t make networks available to each other, and that instantly protected you, whereas the cloud is set up to automatically talk to each other.” Finke also notes that IT security teams now have to shift their thinking to be “more fine-grained with how they give permissions and roles,” because “in the cloud a lot of times, we do not think of networks as security boundaries; it is more like identity.” This means that organizations need new security frameworks that emphasize identity credentials and authentication more than the built-in security that comes with on-premises infrastructure.
Even once the cloud is properly configured and secured, default settings can still pose risks for organizations if they do not change default credentials. Finke warns that breaches frequently occur due to poor access control, saying that organizations will often use the default credentials and create a database that is automatically accessible over the internet and can be found through a brief online search of open database boards. “That is how a lot of cloud breaches happen. It wasn’t that they broke into something; the data just happened to be there,” Finke says.
Along with unintentionally leaving systems publicly accessible, there are problems with understanding which people in an organization do and do not have access to certain services, even if cloud environments are properly configured. This can lead to overlap or miscommunication surrounding security protocols, ultimately reducing their effectiveness. Finke says he frequently sees companies with on-premises IT security staff following one reporting line but cloud security teams reporting into a different group. The problem here stems from the fact that once an organization begins its cloud transition, it “then has to build a whole new [IT security team] for the cloud, and they never really connect the two.” Though he says this challenge has lessened, it nonetheless presents risks when combined with existing confusion around cloud security protocols and access.
Because of the ambiguity surrounding cloud services and the heightened risks of default settings, organizations will sometimes overcorrect in their security practices, causing delays that might incentivize employees to try to bypass lengthy security procedures. Finke says that in contrast with leaving cloud environments publicly accessible, he also sees “overreaction [in] the other direction where everyone is going to be very deliberate and thoughtful.” He says this can slow people down because “nothing can go [into the cloud] without something like three approvals.” This also contributes to confusion around proper configuration and access controls, as Finke highlights that “another thing we’ll see is that IT security teams will go in and they’ll build all these hard rules about things that have to comply with security standards in order to be created, but then the tools themselves don’t give you good feedback.” In other words, if something is not functioning properly in the cloud, there will often be an error message but no clear instructions as to the root of the issue or how to fix it. Because of this, employees may bypass security protocols to immediately begin working on a project using cloud services. This speaks to one of the benefits of cloud computing software, which is the ease that it offers. However, there is a tradeoff between user-friendliness and security that many providers have yet to sufficiently address. 
On this topic, Finke says, “what we also observe is that the cloud made it super easy to just put down a credit card and start doing stuff.” He says this has manifested in a phenomenon where “most companies, whether they know it or not, have departments in the organization that got tired of waiting for corporate IT and just went and signed up for something and the next thing you know business data is running outside of the company’s scope.” He says that in this case, “you know for sure the cloud environments are misconfigured because there are not even IT people involved.” In this case, a department may be attempting to move forward but faces obstacles when IT does not approve the request or the request may be outside the organization’s budget. When this happens, company data is potentially put at risk, oftentimes without leadership or IT security’s knowledge.
Finke often encounters another common vulnerability when individuals connect cloud services to other applications, often granting extended permissions without realizing it. He goes on to say that “it used to be that if you were an attacker and you wanted to gain persistent access to somebody’s email, you would convince them to give up credentials or run your payload.” However, these tactics have evolved as organizations increasingly move most of their information onto the cloud and individuals connect cloud services to apps to which they subsequently grant permissions. Finke says, “we see a lot of malicious apps where you only click once to grant it permissions, and it can gain send, receive and read access to your mailbox. And then an attacker never needs to touch your computer again because they can access it all in the cloud.”
How can organizations mitigate these risks?
In order to best protect against these risks, Finke shares some best practices: First, he suggests that organizations implement a plan of action for managing the new environment, including monitoring activity inside the cloud and tying it back to identity. One suggestion he makes is to utilize tagging within the cloud, which can help organizations track which departments use particular services. He also recommends regular reviews using these tags to ensure that aspects of the cloud that an organization is subscribed to are still necessary and in use. This can help avoid unnecessary costs or overlapping services and ensure costs are charged to the correct department.
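The configuration review Finke describes, as an added example that is not part of the interview or of OnDefend’s tooling: a script that walks a constructed resource inventory and flags the three conditions discussed above (default-open public access, default credentials, and services that cannot be traced back to a department through tags). The inventory format, field names and sample resources are hypothetical, not any provider’s API.

```python
"""Review a constructed cloud inventory for the risks the article describes.

Hypothetical record format (not a real provider API): each resource carries
exposure flags plus the ownership tags the organization requires.
"""
from dataclasses import dataclass, field

# Tags every resource must carry so it can be tied back to a department.
REQUIRED_TAGS = ("department", "owner", "purpose")


@dataclass
class Resource:
    name: str
    kind: str                        # e.g. "database", "bucket", "vm"
    public: bool                     # reachable from the public internet
    auth_required: bool = True       # any authentication enforced at all
    default_credentials: bool = False
    tags: dict = field(default_factory=dict)


# Constructed sample inventory; only "finance-app" is configured correctly.
INVENTORY = [
    Resource("hr-payroll-db", "database", public=True, default_credentials=True,
             tags={"department": "HR"}),
    Resource("mkt-assets", "bucket", public=True, auth_required=False),
    Resource("dev-sandbox", "vm", public=False, default_credentials=True,
             tags={"department": "Engineering", "owner": "a.lee"}),
    Resource("finance-app", "vm", public=False,
             tags={"department": "Finance", "owner": "j.doe", "purpose": "ledger"}),
]


def review(resource: Resource) -> list[str]:
    """Return findings for one resource, most severe exposure first."""
    findings = []
    if resource.public and resource.default_credentials:
        findings.append("CRITICAL: internet-reachable with default credentials")
    elif resource.public and not resource.auth_required:
        findings.append("CRITICAL: internet-reachable with no authentication")
    elif resource.public:
        findings.append("HIGH: internet-reachable; confirm exposure is intended")
    elif resource.default_credentials:
        findings.append("HIGH: default credentials still in use")
    missing = [t for t in REQUIRED_TAGS if t not in resource.tags]
    if missing:
        findings.append(f"MEDIUM: ownership untraceable, missing tags {missing}")
    return findings


def review_inventory(inventory: list[Resource]) -> dict[str, list[str]]:
    """Map each resource name to its findings; clean resources are omitted."""
    return {r.name: f for r in inventory if (f := review(r))}


if __name__ == "__main__":
    for name, findings in review_inventory(INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run on a real inventory, the same report doubles as the periodic tag review Finke recommends: resources with no owner are candidates for shutdown, but only after the owning department has been identified.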
Organizations can also use this planning process to help balance the tradeoff between user-friendliness and security. Finke recommends that IT teams guide employees through the cloud process, showing them the different offerings and how to implement them safely. He also recommends that IT security teams are involved from the very start of when organizations consider how to incorporate cloud services, saying organizations should “make sure that the IT security function is pushed out and embedded into other groups so that if they go to the cloud, they have somebody who is representing the IT security team in the planning and building stages.” He goes on to explain “it cannot really be centralized,” rather, “security functions should be included within groups that are going to consume the technology so that there is a security person there with them.” This is so that when a group decides to build something within the cloud, an IT security professional monitors the plan that is being created to ensure that it upholds proper security standards.
Finke also recommends that organizations invest in an outside consultant that can utilize third-party tools to validate the true state of their cloud environments. This can help organizations ensure that all data and services in the cloud have been properly secured. However, if organizations choose to bring in third-party validators, they must be sure that they uphold all data privacy commitments and do not inadvertently share client information or any personal information on employees without their knowledge, especially if they are operating in locations where regulations would require them to obtain permission before doing so. Finke notes that firms like OnDefend typically are not granted extensive permissions in the cloud when hired for security consultations, saying, “the good news is that…we don’t have access to any of the data; we only have access to the services they are using in the cloud environment that holds the data.” Thus, organizations must be sure that they are not inadvertently giving permissions to third-party validators and that they have performed due diligence to ensure they are abiding by the relevant legislation and regulations. For example, if an organization maintains any biometric data on a cloud database, such as employee fingerprints, and it operates in a state that regulates how organizations handle such biometric data, it must ensure that this information is not made available to a third-party consulting firm in this process without employee consent. This measure can help organizations avoid potential legal action like that faced by fast food chain White Castle, which, as covered in a prior RANE Advisory, is currently facing potential class action damages of up to $17 billion under Illinois’s Biometric Information Privacy Act after sharing employee fingerprints with a third-party validator.
About the expert: Ben Finke is a co-founder and CTO of OnDefend. Ben has almost two decades’ worth of experience in cybersecurity, starting as a communication officer in the U.S. Air Force. Over the course of his career, Ben worked with organizations ranging from government agencies to Fortune 500 companies, including being embedded in development teams in SaaS companies, overseeing a red team for testing critical infrastructure systems and running the security practice for a managed security provider. In 2016, Ben co-founded OnDefend, where he currently serves as the Chief Technology Officer. Ben also is the creator of BlindSpot, a purple team testing automation tool. Ben has a bachelor’s degree in computer science from Florida State University.
OnDefend is a cybersecurity consulting firm based in Jacksonville, Florida, that assists firms in reducing their cyber risk through preventative security testing and consulting services. OnDefend’s information security services include network penetration tests, attack simulation tests, application security tests, vulnerability assessments, incident response readiness, ransomware readiness assessments, compliance consulting and other security consulting services.
OnDefend Media Contact: Lauren Verno, Lauren.verno@ondefend.com