Automated Security Services Essential for Cloud Security

Dr. Rials contributed as one of the authors in this article published by SC Magazine.

Enterprise cloud operations are expanding and maturing, but as with any natural maturation, inevitable growing pains must be endured and overcome.

As organizations increasingly migrate operations to the cloud providers, security experts rapidly are realizing that automated cloud security services are essential to mitigate risk in these environments. But automated, they are also learning, does not mean easy or unchallenging. And further, even once the applications are firmly ensconced in the cloud automated security operations do not end.

Indeed, since the financial, operational and even security benefits of cloud environments are becoming sharply clear for a growing number of enterprises, they recognize that they must learn how to best make it all work. Forrester Research, Inc. predicted that the public cloud services market will blossom to more than $236 billion by 2020 on the strength of the business case for offloading operations to the cloud.

But, with ever-growing cyber concerns and a continued dearth of experienced security personnel to field these issues, automated security operations must be in place as companies migrate their applications and these applications must be seen to remain secure. This is especially true even when the servers themselves are no longer under the control of the internal IT team.

Security is still your responsibility

Most organizations want to move to the cloud not only to replace their data centers, but to reap business benefits such as agility, time to value, and cost control for “bursty applications,” says Steven Aiello, security and compliance solutions principal for Chicago-based AHEAD, a technology consulting firm. “The cloud changes the way that security teams operate in a very similar fashion,” he notes. “Security engineers no longer need to worry if hypervisors are being patched, or if their router and switching firmware is up to date.”

And, as more small-and-mid-sized enterprises move to cloud environments, the requisite automated security services are moving downstream as well, according to Matt Wilson, chief information security advisor at Southampton, Pa.-based BTB Security, a cybersecurity consulting firm.

One of the key missteps organizations can make is in assuming that because their data or processing centers are no longer in their internal network that they can become more complacent in their own security management. This sort of out-of-sight, out-of-mind thinking can be costly.

With the move to automated cloud security, enterprises still must test on a regular basis for weak credentials, lack of two-factor authentication, insecure APIs, operating system image vulnerabilities, malicious insiders, unintended information disclosures and denial of service attacks, he adds.

With automation, enterprises security teams also have to be more mindful than ever before about how they keep the practices and processes regimented across the board. One of the critical security benefits of automation is that it can greatly help standardize secure configurations by removing — or at least reducing — human intervention, which can lead to inconsistencies and misconfigurations of users, Lehmann points out. But with this change comes a new, more imperative obligation for consistency.

“There needs to be a standard process for utilizing cloud resources in a secure manor, which is easily automated,” Lehmann explains, citing examples of processes related to using private keys and how they are managed to access resources. “This needs to be standard operating procedure.”

Adventures (and misadventures) in automating cloud security

In the military, the saying goes that a failure to plan is a plan for failure. So too it is with moving to automated cloud security services, our experts point out. “The most common mistake is starting without a plan,” says Bruce Beam, (ISC)² director of infrastructure and security. “Without a clear plan and strategy many security vulnerabilities can be created and they often multiply as the environment expands.”

Criss says that ensuring a smooth move to automated cloud services begins with the process of selecting a cloud service provider itself. “It is imperative to ensure that the service provider has applied the same security controls across all of the hosting platforms,” Criss advises, noting that enterprises demand that their service provider should be contractually obligated to produce reporting, evidence of testing, and notifications of security changes or events that affect any of the existing environments where the application is currently hosted along with an environment where the application could be moved.

“As the client,” Criss adds, “you should include your specific security requirements along with the regular reporting requirements, intervals and the right to audit the security controls that are agreed to.”

As basic as it might seem, another critical misstep is in ignoring the value of embracing more automated security services in the first place. Rials says it is still commonplace for many organizations to continue using traditional — and arguably outdated — IT tools and techniques to manage cloud security and compliance. Well-meaning but misaligned enterprise cybersecurity professionals might install a firewall and intrusion prevention system/ intrusion detection system (IPS/IDS) at the network edge and control ingress and egress to the protected assets inside the network, without thought for how cloud environments demands defense in depth, he says.

Even when an enterprise recognizes the vaunted need for automated security services as they venture into the cloud, they might not be doing their correct due diligence beforehand, according to Doug Barbin, principal and cybersecurity practice leader of Schellman & Company, Inc., an independent security and privacy compliance assessor, who is based in Sacramento, Calif. “The largest mistake we see is not doing a proper risk assessment,” Barbin says. “Everyone says they do a risk assessment, but understanding the specific use cases and threats is most important, even when heavily leveraging cloud services.”

With automation completely changing the security paradigm, new security threats can emerge. For example, Aiello suggests an attacker might change Windows registry keys without the IT security team knowing, or drop a web shell backdoor onto a server farm and gain remote access, if companies are not tracking their event logs.

Lehmann concurs, noting that cybersecurity professionals failing to keep tabs on these automated processes, as well as regularly monitoring and validating that all systems are working correctly, are frequent and crucial mistakes he has seen.

“This gives a false sense of confidence that all is well,” he adds. “Companies have to be diligent in establishing secure baselines of where and how data is used on the cloud.” With automation, Lehmann says, comes a greater focus on “baking security into [development operations], not just bolting it on afterwards, [which becomes] especially critical on any platforms hosted on the cloud.”

He continues: “We see a ton of applications that are rushed into the cloud with security as an afterthought and not part of the development lifecycle.” When enterprises more frequently and thoughtfully ingrain security into their development operations (DevOps), he says, it mitigates common risk issues such as hard-coded credentials in plain text, unnecessary API functions, and a lack of business continuity regarding data privacy issues.

While automated cloud security offers undeniable advantages, Rhodes cautions that enterprises should refrain from thinking that it is a panacea for all their security ills. Since the artificial intelligence and machine learning utilized by these systems works, in large part, on probabilities — analyzing large volumes of data — these systems can more effectively and efficiently analyze certain patterns of behavior as “threats” or “non-threats.” However, as cyber threats evolve, Rhodes says, even automated security systems might “mischaracterize a behavior as a threat, when it is really not, or vice versa.”

Also, she points out, there are types of threats that “may not be subject to detection by an automated system, at least not yet or not in all cases,” such as for an unauthorized user of otherwise valid credentials or human error in uploading regulated data into a noncompliant cloud offering. For these reasons alone, Rhodes underscores the importance of continuing to actively manage, monitor and update these newer systems.

A cloudy outlook for security?

Keep the basics in mind. Countless examples exist where organizations fail spectacularly at the basics of patching, as well as hardening, configuration and access control , according to Matt Wilson, chief information security advisor at BTB Security, a cybersecurity consulting firm. “Before we can automate, we must execute the basics well,” Wilson says. “There must be qualities, parameters, and metrics measured continuously in a structured process formally assigned to someone within the organization.” Another example of sticking to the basics, Wilson points out, is the ability to monitor cloud-native log events effectively. Major providers such as Amazon, Microsoft, and Google make available tremendous capabilities for audit and visibility through a variety of tools that come as part of their services.

Get it all in writing. Enterprises must ensure that their service provider gives them proper documentation and holds the certifications they require, according to Bruce Beam, (ISC)² director of infrastructure and security. “Once this has been established,” he adds, “you can implement the automated roadmap to keep security consistent and make sure it remotes to a common location or dashboard.”

The post Automated Security Services Essential for Cloud Security appeared first on .