[BreachExchange] The One Thing You Can't Outsource: Risk

Destry Winant destry at riskbasedsecurity.com
Mon Oct 14 23:27:17 EDT 2019


https://www.cso.com.au/article/667441/one-thing-can-t-outsource-risk/

Cloud continues to make strides in Australia, with the public cloud
services market expected to reach $10.3 billion by 2022. However, this
growth in public, private, and hybrid cloud adoption is met with a
growing convolution for businesses: application sprawl and
architectural complexity. As businesses expand their services with
cloud, they inadvertently expand the attack surface, producing new
threat vectors.

While cloud allows us to offload many responsibilities to third party
providers, risk is not one of them. What’s more, the rising use of
cloud, shared code libraries and other third party resources reduces
the visibility and control businesses have over their apps and data,
making them even more vulnerable.

Moreover, supply chain risk management has been failing to identify
and prevent breaches caused by the use of third party components and
poorly configured cloud deployments. In fact, 245 data breaches were
reported to the OAIC between April 1 and June 30 this year alone – 34
per cent of which were caused by human error.

Businesses today increasingly deal with fragmented authentication
across the organisation. The question is: what can they do to ensure
they’re covering all their bases?

Identify the repeat offender

First, we need to identify the most common cause of data breaches in
the enterprise: identity and access management. Studies show that
Australian businesses still struggle to get basic identity and access
management right, with the majority of users reusing passwords across
multiple websites. Cloud deployments significantly compound this
issue, since each provider manages roles and permissions in different
ways. Moreover, the lack of strong authentication and auditing leaves
many apps exposed to the public with default or weak credentials.

Without a proper framework in place, businesses are exposing
themselves to unnecessary security risks.

App security versus infrastructure security – who owns what?

Secondly, while often blurred, it’s important to understand the
difference between app security and infrastructure security,
especially for businesses that use a multi-cloud strategy for their
services.

Infrastructure security pertains to the security of the hardware and
networking components. While each cloud provider is subtly different,
this generally refers to the servers, storage, virtualisation layer
and the network itself. The security of these components is the
responsibility of the cloud service provider. Whereas app security
refers to the security of software applications that exist on an
infrastructure and is typically the responsibility of the business.
Deploying your app on a cloud platform does not inherently make it
more secure. In fact, vulnerabilities which are decades old, such as
code injection, plague brand new apps as much as they do legacy
ones.

With the rise of Software-as-a-Service (SaaS) applications in the
cloud, many would expect the needle of responsibility to shift to the
host provider – but the reality is that very often security becomes a
shared responsibility. Cloud consumers will always own the data placed
into SaaS applications so will continue to own the risk regardless of
who is managing the security of the service. Moreover, as a result of
the growing popularity of SaaS applications, businesses increasingly
lack visibility across the application layer. F5’s State of
Application Security report revealed that 57 percent of respondents
say a lack of visibility into the application layer is what prevents
strong application security, and that gap invites common threats such
as misuse of data, DDoS attacks and web fraud.

Do risk management frameworks accurately identify risks in the cloud?

Universal encryption and “bring your own device” policies make
surveillance of data movements nearly impossible. As users become more
mobile and apps are hosted in numerous data centres and clouds,
traditional risk management frameworks may struggle to identify all
potential risks.

Banning the use of all external SaaS and cloud-based services is not
realistic or even an option for most businesses.

Instead, businesses need to implement a centralised access policy
framework which provides a single source of truth for authentication,
ensures faster access enforcement, enables endpoint health checks, and
integrates with mobile device management.

This framework allows businesses to streamline and protect
authentication and provides access to apps via a centralised proxy
that moves the perimeter to the app, user, or device. That way a
business can effectively ensure the security of an app regardless of
its environment. Additionally, the use of approved tooling can
significantly reduce the risks of a well-intentioned employee
unintentionally causing a large-scale breach.

Ultimately, the goal for businesses should be to work towards
achieving governance of their apps in the cloud. To do this, here are
five things to remember:

1. Understand your cloud environment and reduce the attack surface
   where possible – be especially mindful of unsecured backup locations
2. Control access via a centralised proxy enforcing strong
   authentication for all users
3. Mitigate the most likely threats: web injection, credential stuffing
   and phishing
4. Assume that a breach will happen and have an incident response
   strategy in place
5. Ensure that all apps, even those in test and pre-prod environments,
   have the same security policies applied as those in production
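The list names credential stuffing as one of the most likely threats and calls for a centralised proxy in front of every app. One practical benefit of such a proxy is that every login attempt lands in one log, which makes stuffing easy to spot: a single source failing against many distinct accounts in a short window, which is what password reuse across sites looks like from the defender's side. The following is an added example, not code from the article or from any vendor it mentions; the log format (timestamp, client IP, username, outcome) is a hypothetical one chosen for the example, and the log lines are constructed.

```python
"""Flag credential-stuffing sources in constructed auth-proxy log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (hypothetical format, not real logs):
# <ISO timestamp> <client_ip> <username> <FAIL|SUCCESS>
SAMPLE_LOG = """\
2019-10-14T10:00:01 203.0.113.5 alice FAIL
2019-10-14T10:00:02 203.0.113.5 bob FAIL
2019-10-14T10:00:02 203.0.113.5 carol FAIL
2019-10-14T10:00:03 203.0.113.5 dave FAIL
2019-10-14T10:00:03 203.0.113.5 erin FAIL
2019-10-14T10:00:04 203.0.113.5 frank SUCCESS
2019-10-14T10:00:10 198.51.100.7 alice FAIL
2019-10-14T10:00:20 198.51.100.7 alice FAIL
2019-10-14T10:00:40 198.51.100.7 alice SUCCESS
this line is garbage and should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse_log(text):
    """Return a list of (timestamp, ip, user, outcome), skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # never let one bad line stop the whole run
        ts, ip, user, outcome = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: set_of_usernames} for sources whose failed logins hit at
    least `min_users` distinct accounts inside `window`.

    Many different usernames from one source is the signature of credential
    stuffing; a single user repeatedly failing on their own account is not,
    which is why 198.51.100.7 in the sample is not flagged."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        if outcome == "FAIL":
            fails_by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        # Sliding window anchored at each failure in turn.
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = users
                break
    return flagged


def successes_after_stuffing(events, flagged):
    """Accounts that a flagged source subsequently logged into successfully.
    These are the reused credentials that worked and need a forced reset."""
    return {(ip, user) for _, ip, user, outcome in events
            if outcome == "SUCCESS" and ip in flagged}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evts)
    for ip, users in hits.items():
        print(f"{ip}: {len(users)} distinct accounts failed -> likely stuffing")
    for ip, user in successes_after_stuffing(evts, hits):
        print(f"reset required: {user} (compromised via {ip})")
```

The thresholds (five accounts in five minutes) are starting points to tune against real traffic; the value of the centralised proxy is that this one query covers production, test and pre-prod alike, as point 5 asks for.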

Moving to the cloud has presented both opportunities and challenges
for businesses. It’s no longer a matter of if, but it’s a case of when
a breach will occur and it’s vital that businesses are prepared for
it.

