The Practitioner’s Guide to Cloud Cyber Security

Aashish Naik, published in The Startup, Jul 3, 2019 (4 min read)
Image credits: Security Magazine

Security: is it only infosec’s job?

Security was a lot simpler in the traditional IT days: everything was locked down, and you had to go through numerous requests and review processes before anything could be implemented. This process was too rigorous and time consuming, and the lost opportunity it caused was doing businesses more harm than good.

With the advent of the cloud, things have changed: with a swipe of a credit card you can open a new cloud account. It has become very easy for enterprises, medium-sized companies and startups alike to quickly create infrastructure and bring their offerings to market in a few days. Although this has been a dream for fast-paced organizations looking to be first to market, the rush to deliver is damaging companies as well as their consumers because of the rise in cyber threats.

Cybersecurity Stats:

Various security experts are warning of a rise in cyber incidents. Published cybersecurity statistics indicate:

  • 33 Billion records will be stolen by 2023 [2]
  • 50% of data breaches will occur in the US; between 2015 and 2017 the US accounted for 38% of data breaches [2]
  • The average cost of a data breach to a company is $3.86 million; for a US company it is almost double, at $7.91 million [2]
  • 85% of mobile apps violated one or more of the OWASP Mobile Top 10 [1]
  • Microservices have 180 vulnerabilities per 100K lines of code vs. 39 for monolithic apps [1]

Need for a cultural shift:

We have engineers and managers working day and night to build the best product possible. So why are our systems so insecure? Why aren’t we protecting the great work that we do from being hacked? The reason is simple: “lack of awareness”. We aren’t aware of the consequences of our actions. We assume the happy path and do not know what pitfalls we are introducing along the way. Further, we are a very “feature-centric” community. We like to have things that look good, feel nice and are functional. The effort that goes into architectural design to build reusable code, or into making slick interfaces, does not go into securing the product. Security is a very complex topic; it has traditionally been siloed in the infosec department and has been very manual. We need a cultural change where security is a shared responsibility and everyone thinks and works in a secure manner; that is the only way we will have a truly secure system. In addition, to create awareness of our actions, we need to implement diagnostic tooling and alerting at every step of the way.

Blueprint for a secure cloud — “The Cyber Security Web”:

“The Cyber Security Web” described below is the blueprint that enumerates the security checkpoints and diagnostics that need to be integrated for a truly secure cloud implementation.

The Cyber Security Web

The Security Rings:

“The Cyber Security Web” has four risk-level rings (1 to 4). The first ring, the outermost, is the most critical: a breach at that layer is the most damaging to the organization. This layer is under almost constant attack, and every effort must be made to secure it first. The subsequent layers are equally vulnerable to attack but are increasingly harder to reach given their distance from the periphery. The inner layers should also be secured to prevent attacks from the inside. Ideally we should aim to build a zero trust network.

The Sections of the Security Web:

The above figure is divided into six sections that describe all security aspects related to:

  1. User and Credentials
  2. VMs/Containers
  3. Data
  4. Logging and Alerting
  5. Source Code
  6. Network

Type of security defenses:

Further, “The Cyber Security Web” also lays out the blueprint for the various types of security checkpoint:

  1. Defensive — Security tools that actively monitor and fight back in case of an attack
  2. Preventive — Tools that prevent a breach from occurring, via stronger encryption or simply by acting as a barrier
  3. Curative — Tools or processes that help in curing a vulnerable system
  4. Diagnostic — Tools that provide a warning by diagnosing vulnerabilities so they can be cured before they are exploited

Matrix risk level vs tool type:

Below is the Cyber Security Web risk level and security tool type matrix. The red highlighted items are level 1 (outer ring), orange is level 2, yellow is level 3 and grey is level 4.

The Cyber Security Web risk level and security tool type table

Conclusion:

Cyber threats are a major risk to all businesses. “Awareness” is the first step towards building a secure cloud. Infosec alone cannot keep pace with a rapidly moving organization, hence a cultural change is needed where everyone shares the responsibility to build a secure product at each step of the process. “The Cyber Security Web” is the blueprint that depicts the checkpoints, alerting tools and processes that need to be implemented to build a truly secure cloud.

References:

[1] https://www.whitehatsec.com/

[2] https://us.norton.com/internetsecurity-emerging-threats-10-facts-about-todays-cybersecurity-landscape-that-you-should-know.html
