Major cloud violations share a common root cause: poor security practices. Typically those practices come down to three failures - not encrypting sensitive data, not testing applications for vulnerabilities, and not applying effective access controls.
The major cloud violations at Target (2013), Yahoo (2014), and Anthem (2015) were each attributable to at least one of these poor practices, sometimes two, and often all three. You might have expected enterprises to tighten up their security practices after those incidents, but the breaches at Uber (2016), Equifax (2017), and T-Mobile (2018) show that some have failed to learn from the lessons of the past.
So what were the common denominators? In the Target, Anthem, and Uber breaches, login credentials had been compromised - Uber's were left in a GitHub repository - giving the attackers access to unencrypted data. The Equifax and T-Mobile breaches also exposed unencrypted data, but shared the characteristic of the Yahoo breach in that the attackers got in through a vulnerable application (in Equifax's case, an unpatched Apache Struts web framework).
Encryption Alone Isn’t the Solution
Many enterprises believe they are trading security for performance when they leave data unencrypted. According to some white hat cloud security experts, roughly 40% of storage volumes and 82% of relational databases are left unencrypted so that the applications reading from them can work efficiently. In practice the trade-off is largely illusory: the major cloud providers encrypt block storage and managed databases transparently, with negligible effect on throughput, so there is rarely a performance reason not to switch it on. Encryption is only as strong as its key management, though. As the Marriott breach demonstrated, encrypting data is a waste of time if the encryption keys are stored alongside the data, because anyone who reaches the data also reaches the keys. Keys belong in a separate key management service or HSM, with access to them governed by a different set of permissions from access to the data itself.
A better approach is a multi-tiered risk management strategy that combines encryption, penetration testing, and multi-factor authentication, so that a cloud account is still protected after its login credentials have been disclosed. It should also take account of "insider-inflicted breaches" - a leading cause of cloud violations that covers inadvertent breaches (accidental misconfigurations), non-responders (employees with a high susceptibility to phishing emails), and malicious insiders.
Developing a Risk Management Strategy
Risk management strategies vary from business to business, depending on the threats each is most exposed to and on its "appetite for risk": how many chances it is willing to take to strike a balance between security and performance. You can determine your business's appetite for risk by conducting a risk assessment that weighs the potential impact of cloud violations in terms of security, performance, and cost.
Naturally some processes and data will require a higher level of security than others. For these you can apply least privilege - each authorized user gets access only to the processes and data required to do their job - which is also the foundation of a "zero trust" policy, in which no request is trusted merely because it originates inside the corporate network and every access is verified. Less sensitive processes and data can be given a lower priority, but running different strategies for different tiers means micro-managing risk, which takes more work. In some cases businesses have split their assets between different Cloud Service Providers in order to keep the strategies separate.
Enforcing a Risk Management Strategy
Unfortunately, writing security policies to prevent cloud violations isn't by itself going to stop cloud violations from happening. It only takes one susceptible employee interacting with a phishing email, or one misjudgment in the IT department, for the benefit of the policies to be undone. Training - and reassigning employees who don't respond to training - is one way to raise security awareness, but you also have to enforce your risk management strategy for it to be effective.
One way of enforcing a risk management strategy is a sanctions policy. In some industries these are required by law, but it isn't always best practice to have the threat of sanctions hanging over your workforce if you're trying to promote innovation to keep ahead of the competition. It can also be difficult to monitor compliance with security policies when you're managing different strategies, whether within one environment or across a multi-cloud environment.
Using Automation to Manage Security by Exception
Automation in the cloud usually refers to automating the provisioning and management of computing workloads, but it can also be used to manage security by exception and so prevent cloud violations. Managing security by exception means you define rules that tell the automation software what to watch for and how to respond when a rule is broken; compliant assets need no attention, and only the exceptions surface. In the context of the security issues mentioned above, you can create rules that:
- Instruct the software to encrypt any storage volumes tagged with (for example) “PII”.
- Instruct the software to automatically apply updates and patches to Virtual Machines.
- Instruct the software to identify inactive users and delete their login credentials.
- Instruct the software to notify you of accounts with Multi-Factor Authentication disabled.
- Instruct the software to stop instances that don’t conform to a tagging policy.
- Instruct the software to terminate assets with unauthorized open ports.
- Instruct the software to revoke user access when selected (suspicious) activities occur.
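The rules above map naturally onto a small policy engine. The following Python is an added example, written for this article rather than taken from it or from any particular automation product, to show what managing by exception looks like in code: each rule scans an inventory and returns only the assets that break it, and a remediation step applies the listed actions. The inventory is constructed sample data, and the asset fields, rule names, thresholds (90 days of inactivity, 10 failed logins, port 443 as the only permitted open port) and the required tags are assumptions for the illustration; the patch-application rule is left out because it depends entirely on the provider's update mechanism.

```python
# Added example, not code from the original article: a small "security by exception"
# rule engine over a constructed inventory. Asset shape, rule names, thresholds and
# actions are assumptions; a real deployment reads its inventory from the provider's API.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock keeps results reproducible
REQUIRED_TAGS = {"owner", "env"}                   # assumed tagging policy
ALLOWED_PORTS = {443}                              # assumed: only HTTPS may be exposed
INACTIVE_AFTER = timedelta(days=90)                # assumed inactivity threshold
FAILED_LOGIN_LIMIT = 10                            # assumed "suspicious activity" threshold

def build_inventory() -> dict:
    """Constructed sample data, shaped like an asset-inventory export."""
    day = timedelta(days=1)
    return {
        "volumes": [
            {"id": "vol-a", "encrypted": False, "tags": {"class": "PII"}},
            {"id": "vol-b", "encrypted": False, "tags": {"class": "logs"}},
            {"id": "vol-c", "encrypted": True, "tags": {"class": "PII"}},
        ],
        "instances": [
            {"id": "i-1", "state": "running", "tags": {"owner": "web", "env": "prod"}, "open_ports": [443]},
            {"id": "i-2", "state": "running", "tags": {"owner": "web"}, "open_ports": [443]},
            {"id": "i-3", "state": "running", "tags": {"owner": "db", "env": "prod"}, "open_ports": [22, 3306]},
        ],
        "users": [
            {"name": "alice", "mfa": True, "active": True, "failed_logins": 0, "last_login": NOW - 2 * day},
            {"name": "bob", "mfa": False, "active": True, "failed_logins": 1, "last_login": NOW - 10 * day},
            {"name": "carol", "mfa": True, "active": True, "failed_logins": 0, "last_login": NOW - 200 * day},
            {"name": "dave", "mfa": True, "active": True, "failed_logins": 25, "last_login": NOW - 1 * day},
        ],
    }

@dataclass(frozen=True)
class Finding:
    rule: str
    action: str  # encrypt | delete_credentials | notify | revoke | stop | terminate
    target: str
    reason: str

def unencrypted_pii_volumes(inv: dict) -> list[Finding]:
    return [Finding("encrypt-pii", "encrypt", v["id"], "volume tagged PII is not encrypted")
            for v in inv["volumes"] if v["tags"].get("class") == "PII" and not v["encrypted"]]

def inactive_users(inv: dict) -> list[Finding]:
    return [Finding("inactive-user", "delete_credentials", u["name"], f"no login for {(NOW - u['last_login']).days} days")
            for u in inv["users"] if NOW - u["last_login"] > INACTIVE_AFTER]

def mfa_disabled(inv: dict) -> list[Finding]:
    return [Finding("mfa-disabled", "notify", u["name"], "MFA disabled")
            for u in inv["users"] if u["active"] and not u["mfa"]]

def suspicious_activity(inv: dict) -> list[Finding]:
    return [Finding("suspicious-activity", "revoke", u["name"], f"{u['failed_logins']} failed logins")
            for u in inv["users"] if u["active"] and u["failed_logins"] >= FAILED_LOGIN_LIMIT]

def untagged_instances(inv: dict) -> list[Finding]:
    # Only running instances matter: a stopped one cannot accrue cost or exposure.
    return [Finding("tag-policy", "stop", i["id"], f"missing tags {sorted(REQUIRED_TAGS - set(i['tags']))}")
            for i in inv["instances"] if i["state"] == "running" and not REQUIRED_TAGS <= set(i["tags"])]

def unauthorized_ports(inv: dict) -> list[Finding]:
    return [Finding("open-ports", "terminate", i["id"], f"unauthorized open ports {sorted(set(i['open_ports']) - ALLOWED_PORTS)}")
            for i in inv["instances"] if set(i["open_ports"]) - ALLOWED_PORTS]

RULES = [unencrypted_pii_volumes, inactive_users, mfa_disabled,
         suspicious_activity, untagged_instances, unauthorized_ports]

def evaluate(inv: dict, rules=RULES) -> list[Finding]:
    """Run every rule; only the exceptions come back, compliant assets stay silent."""
    return [f for rule in rules for f in rule(inv)]

def remediate(inv: dict, findings: list[Finding]) -> list[str]:
    """Apply each action to the in-memory inventory (standing in for provider API calls)
    and return the notifications that still need a human."""
    notices = []
    for f in findings:
        if f.action == "encrypt":
            next(v for v in inv["volumes"] if v["id"] == f.target)["encrypted"] = True
        elif f.action == "delete_credentials":
            inv["users"] = [u for u in inv["users"] if u["name"] != f.target]
        elif f.action == "revoke":
            next(u for u in inv["users"] if u["name"] == f.target)["active"] = False
        elif f.action == "stop":
            next(i for i in inv["instances"] if i["id"] == f.target)["state"] = "stopped"
        elif f.action == "terminate":
            inv["instances"] = [i for i in inv["instances"] if i["id"] != f.target]
        elif f.action == "notify":
            notices.append(f"{f.target}: {f.reason}")
    return notices

if __name__ == "__main__":
    inventory = build_inventory()
    for finding in evaluate(inventory):
        print(f"[{finding.rule}] {finding.action} {finding.target}: {finding.reason}")
    print("needs a human:", remediate(inventory, evaluate(inventory)))
    print("still open after remediation:", [f.rule for f in evaluate(inventory)])
```

Run directly, it prints the six findings from the sample inventory, then shows that after remediation only the MFA notification remains, since notifying is the one action that does not change state. Because `evaluate` only reads the inventory, it is safe to schedule on a timer; it stays silent once the environment is compliant, and a new rule is just another function appended to `RULES`.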
Using automation in this way lets you apply multiple security policies suited to your business's specific circumstances without spending all your time monitoring compliance and enforcing your risk management strategies. Two caveats apply. Every automated action should be logged, so that when something goes wrong you can see what was changed and why. And destructive responses such as terminating an instance or deleting credentials should be staged - alert first, then isolate, then terminate - and tried out against a non-production account, because a mis-written rule executes just as faithfully as a correct one. When you use automation to detect problems and standardize asset configuration, you can spend more time on more complex issues such as staff training and managing your business's relationships with Cloud Service Providers.