[BreachExchange] The cloud’s weakest security links aren’t where you're looking

Destry Winant destry at riskbasedsecurity.com
Fri Feb 8 05:46:50 EST 2019


https://www.infoworld.com/article/3336926/cloud-security/the-clouds-weakest-security-links-arent-where-youre-looking.html

You pride yourself on your cloud computing security strategy and tool
stack. Indeed, your system, made up of many security solutions, is both
proactive and self-updating. So, you’ll never have to worry about new
security attacks that you’re not prepped to defend—well, almost.

Most IT shops do a good job looking for the latest DNS and ransomware
attacks, but they’re not paying as much attention to the cloud
security fundamentals such as physical security, federated data access
governance, and network visibility.

I once had a friend who was the best security guy in the business. He
built a software-based security solution for his company’s on-premises
data center that was both well done and state-of-the-art. However,
over the weekend a security guard failed to lock a loading dock door
and those very secure servers left in the bed of an F-150.

The moral of this story for the cloud is that while we seem to be
clever in pulling together the best cloud security solutions, in many
instances we’re missing the more primitive aspects of security. While
I don’t believe that your cloud server will go rolling down the street
in the back of a truck any time soon, there are very similar things to
look out for. Here are three:

Application-level security. For the most part, cloud security people
don’t look at application-level security, cloud or not. This has more
to do with control and politics than with desire. However, if an
application has access to data, and that application is vulnerable,
then so is the data.

The answer is that security needs to be designed into the application
and should be systemic to all applications and databases. Yet that’s
almost never the case.

Bad actors. Every company has a story about a disgruntled employee who
decided to walk out with a USB drive full of secure data. Moreover,
there are employees who are well intentioned but end up having their
laptops—and thus the laptops’ data—stolen from their cars.

The only way to protect your data is to limit what people can see
and what they can carry with them. There should be a need-to-know rule
where they can see only the data they need to see, and they should
never have the ability to do massive downloads or data dumps.

Legacy systems that have cloud access. The frustration of cloud data
integration with legacy systems has left many cloud-to-legacy gateways
poorly configured and thus vulnerable. When a company can’t get to
data on the public cloud due to a well-designed security system, too
often many of those security systems are bypassed due to the need to
provide data sync. These bypasses are easily exploited.

In all security, your weakest link is your biggest vulnerability.
Cloud security is no different. But those weak links are
probably not where you’re looking. So start looking in more places.

