By Ramon Peypoch, Senior Vice President of Products, VERA
The security concerns about cloud infrastructure that shadowed the technology from its nascent stages have largely dissipated as cloud adoption has spread and security has improved. While even public cloud infrastructure is now far more secure, data in the cloud is unfortunately still vulnerable due to a different challenge - misconfiguration.
There are many recent examples of misconfigured clouds that led to data being exposed or breaches occurring - in healthcare, finance, telecommunications, hospitality, technology - really, every sector is vulnerable. Check Point Software Technologies reports that "Following the 2018 trend, practices such as misconfiguration and poor management of cloud resources remained the most prominent threat to the cloud ecosystem in 2019 and, as a result, subjected cloud assets to a wide array of attacks."
One of the predominant reasons for this development is that most leading cloud providers maintain a "shared responsibility" model, wherein the provider bears responsibility for protecting its hardware and software infrastructure, but the customer bears responsibility for protecting the data that it puts into that cloud environment. Recent research published by Oracle revealed that 90% of Chief Information Security Officers (CISOs) do not fully understand their team's role in the shared responsibility model, even though 49% of Oracle's respondents said they expect to store the majority of their data in a public cloud by 2020 - that's just around the corner.
When the deployment of cloud workloads (such as IaaS, PaaS, SaaS, containers and serverless) and cloud security services (such as networking, encryption, WAF and SIEM) is not automated, configuration is done manually, increasing the chances of human error. Default configurations can also cause problems. For example, the Box breach from March 2019 that left hundreds of thousands of sensitive documents exposed was actually the result of a default setting that security researchers easily exploited; the feature worked exactly as designed, but the Box deployments were misconfigured by users. Box has since changed those default settings.
Cloud service providers like AWS are not standing idly by waiting for solutions to take hold. Likely as a result of the high-profile misconfigurations that led to the Capital One data breach, AWS has taken the proactive position of scanning customer accounts in an effort to warn customers of any misconfigurations it surfaces in those accounts.
Other common errors include insufficient access restrictions, not following internal security policies, and failing to audit resources. While some may like to "blame the victim" for not adequately securing access to their data, we have seen that even firms that are highly sophisticated and mature in their security approach can still get hacked - attackers these days are very resourceful. Consequently, protection needs to get down to the data itself.
There are a variety of market solutions that address file and content protection across various third-party repositories. While most are well suited to defending static data, protection for data in motion is equally important and must be factored into the solution. Given the extent to which data sharing with third and even fourth parties is regularly practiced, one simply can't anticipate where sensitive data might end up.
Further, protecting data in the cloud has to be approached as part of a robust ecosystem of security technologies, rather than as a vendor-specific or niche concern. Data-level defense needs to integrate with varying parts of a complex security infrastructure, readily working with other important components of the stack such as data classification, data loss prevention and activity monitoring products.
## About the Author
Ramon J. Peypoch, SVP Products
A proven leader in the security industry, Ramon leads VERA's product strategy, management and market delivery. Prior to VERA, he was part of the founding team of ProtectWise, Inc. (acquired by Verizon). Earlier he was Vice President, Web Protection at McAfee. With a track record of creating category-leading security products and companies, he has held executive product and business development positions at Proofpoint, Websense and Symantec. He serves as a Board Member for Abusix, Inc. (network abuse and threat mitigation), a Trustee of the Keys School in Palo Alto, CA, and serves on the board of Palo Alto Girls Softball. Ramon holds an M.B.A. in Finance & Entrepreneurial Management from The Wharton School and a B.A. in World Politics and Spanish from Hamilton College.