Zunaeed Salahuddin
Molly Mort
Rachel CatanCloud adoption and migration for enterprises have grown significantly in the past two decades. Industry trends project that cloud adoption and migration will continue to grow steadily over the next couple years. In a global survey commissioned by Microsoft in Dec 2022, with 1200 IT decision makers, three pivotal trends were identified:
- 82% of organizations have noted cloud migration as an important steppingstone to digital transformation
- 74% of workloads will be modernized by organizations migrating to the cloud
- 63% of organizations plan on fully adopting hybrid and multi-cloud environments within the next 3 years
These upward trends are driven primarily by the advantages that cloud computing offers over traditional on-premises infrastructure. Benefits include scalability, performance efficiency, cost optimization, easy automation, on-demand provisioning of tools and more. Be that as it may, enterprises migrating to the cloud are not without their fair share of security issues.
AWS has identified, per Verizon’s Data Breach Investigations Reports, that data breaches have increased by 96% from 2019 – 2020. Seventy percent of these data breaches were perpetrated by external threat actors, which means 30% came internally from shadow IT. About one third of these breaches were caused simply by not enforcing multi-factor authentication (MFA) and reusing access credentials. Almost half of detected breaches involved hacking, primarily in the form of phishing and malware.
Likewise, Microsoft has published statistics on their 2022 Digital Defense Report revealing the most common vulnerabilities that are exploited in data breaches. The statistics show that 74% of data breaches were caused by an absence of MFA. The additional primary drivers of data attacks were insufficient verification of identity providers, and the lack of privilege access and lateral movement guardrails. Microsoft revealed that in the previous year alone, their digital crime ecosystem detected 70 billion email and identity threat attempts.
As reports show, cloud security risks do not discriminate between cloud service providers. These risks inevitably grow in proportion to vulnerabilities that, once gone unnoticed, are much more likely to be exploited by threat actors. It’s true that cloud adoption and migration have grown larger than ever before, but so have cloud security issues, which are not going away anytime soon.
A common denominator
In Protiviti’s No Phishing in This Data Lake webinar, presenters discussed the challenges of data storage and identity and access management, and how a lack of strong security around them can lead to breaches due to poor access control, ransomware, SQL injection, and most commonly phishing. These cloud security issues are rooted in one common denominator: the lack of an automated, mature cloud security policy implementation.
To address these issues, organizations need an affordable means of maintaining a strong cloud security presence through automated policy enforcement. By automating policy enforcement in the cloud, organizations can proactively manage threats, secure confidential data, fulfill GRC expectations and maintain a strong, highly available and scalable support system for its assets and systems.
Enforcing three types of guardrails
The two largest cloud providers, Azure and AWS, each offer 200+ platforms and services. The sheer breadth of available services allows unparalleled flexibility and versatility of solutions implementation for a business. However, as with anything else, the larger the scope, the greater the potential risks. Therefore, understanding how to implement comprehensive cloud security policies is critical for all businesses, especially large-scale enterprises. To ensure that all bases are covered, the cloud security policy implementations should fulfill three types of guardrails: preventative, detective and responsive.
Preventative:
Preventative guardrails, within the context of cloud security, are designed to prevent an event from occurring. Within the context of cloud governance, preventative guardrails provide a first line of defense. Preventative guardrails are primarily used to help prevent unauthorized access or unwanted changes to a network. Use cases include data handling (e.g., encryption, user key access), user privilege escalation through permissions assignment, workload lockdown in the event of data compromise and more.
Detective:
Detective guardrails, within the context of cloud security, are designed to detect, log, and alert after an event has occurred. Within the context of cloud governance, detective guardrails provide a second line of defense. Use cases for detective guardrails include, but are not limited to, suspicious behavior detection, fraud detection, compliance requirements (e.g., identity theft prevention) and automated anomaly detection.
Responsive:
Responsive guardrails, within the context of cloud security, provide security to an environment by establishing several traits that are conducive to a secure cloud environment. Responsive guardrails ensure that systems respond to threats promptly by reducing latency between requests and responses. Responsive guardrails (which may also be called “reactive”) ensure resilience, meaning that system workloads are capable of recovering when stressed by load, attacks and failure of any component in the workload’s system. Responsive guardrails ensure elasticity, meaning systems remain responsive under varying workloads and are able to scale in or out dynamically to avoid bottlenecks. Lastly, responsive guardrails remain message-driven, through an asynchronous communication pattern. This makes the responsive system in the cloud a more distributed system, which promotes failover and greater redundancy, unlike traditional monolithic systems. Coupled with a microservices architecture and the inclusion of data streams, responsive guardrails ensure a high-performing cloud security environment, which is invaluable in a comprehensive cloud security implementation.
Introducing Protiviti Cloud Shepherd
While it may seem overwhelming, organizations can implement automated policy enforcement and ensure that the guardrails are in place with a new solution, Protiviti Cloud Shepherd. Most organizations already have strong detective guardrails in place; the gaps primarily lie within their preventative and responsive mechanisms. To remediate this, Protiviti Cloud Shepherd was developed as a pre-packaged bundle of policies, emphasizing preventative and response policy enforcement, in a balanced ratio. These policies are written primarily in Python, as pre-built JSON code that’s ready to deploy.
Deployment via Terraform offers the most versatility between different cloud providers, but CloudFormation is a more native approach if AWS is the provider of choice. The preventative guardrails can be deployed in AWS using SCP, while in Azure they will use Azure policies. The responsive guardrails are deployed through Lambda and Python code execution, while in Azure they use Azure policy actions with PowerShell scripts and Azure functions. All pre-packaged bundles, from free tier to custom consulting engagement, come equipped with the required implementation steps, tools, materials, and pricing models attached. Every organization’s cybersecurity team(s) can choose the appropriate bundle(s) for their cloud security policy implementation needs.
The cloud adoption and migration growth seen in the last decade shows no signs of slowing down. Unfortunately, cyberattacks have grown in parallel as well. With Protiviti Cloud Shepherd, organizations have an efficient means to kick-start their cloud security competency by starting with the most fundamental aspect of a secure cloud environment: automated policy enforcement. By using Protiviti Cloud Shepherd services and proactively securing the cloud environment from the start, organizations will be able to prevent (potentially devastating) incidents from occurring, remain alert when they do occur, and ensure that they are addressed quickly while minimizing any business impact.
Harry Lu and Zeljka Majetic also contributed to this blog.
To learn more about the CIS benchmarks referenced in the creation of these automated policies, please see this cloud security guardrails framework: Foundational Cloud Security with CIS Benchmarks (cisecurity.org)
To learn more about our cloud security solutions, contact us.
Warren Fish
Jody Casey
Brandon Wardlaw
Jon Medina
Nishi Prasad
