How to mitigate security risks as cloud services adoption spikes
Millions have flocked to video-conferencing solutions and organizations have relied more heavily on various applications (such as G Suite for end users, Azure for developers, or AWS for system admins) amid the COVID-19 crisis. According to Gartner, cloud adoption will only accelerate as we move into 2021, with cloud services revenue climbing more than 19%. However, all of this change creates a totally different set of work streams and security challenges.
Let’s explore some of the key challenges facing organizations, look at how hardware innovations are impacting this space, and review some key tips to consider.
The challenges of accelerated cloud adoption
The sheer number of organizations moving to the cloud is staggering: we’re seeing 3-5 years-worth of business transformation happening in just months due to the pandemic. As cloud-enabled digital transformation continues to accelerate, there are a variety of concerns.
For example, the visibility of data. Organizations (and users) must assess what controls cloud services providers offer in order to understand the security risks and challenges. If data is stored unencrypted, that implies significant additional risk in a multi-tenant environment. Or what about the ability of security models to mimic dynamic behavior? Many anomaly detection and predictive “risk-scoring” algorithms look for abnormal user behavior to help identify security threats. With the sudden and dramatic shift to remote work last year, most models require significant adjustments and adaptation.
Normally, companies begin exploring the move to a cloud service provider with a detailed risk analysis assessment. This often involves examining assets, potential vulnerabilities, exploitation probabilities, anticipated breach-driven outcomes, and an in-depth evaluation of vendors’ capacity to effectively manage a hybrid solution (including authentication services, authorization, access controls, encryption capabilities, logging, incident response, reliability and uptime, etc.).
However, during COVID-19, many organizations viewed cloud services as a quick way to improve uptime and mitigate the risk of single points of failure. Unfortunately, rushed implementations often come at the expense of due diligence on vendor capabilities and building an understanding of the full spectrum of support services required.
The reality is that cloud services are shared resources. As companies migrate, they need to think through how to guarantee isolation at scale, application-level security and identity management, while still delivering consistent performance.
Ultimately users come to the public cloud for better dynamic capacity and improved cost, but the economics make no sense if it results in a data breach. As a result, organizations are looking for ways to bolster security throughout cloud adoption initiatives, especially given recent data that shows the number of records exposed through Q3 2020 exceeded $36 billion.
The role hardware security innovation plays in cloud computing
As organizations continue to move to the cloud, it’s vital to build a trusted foundation for computing. Security is only as strong as the layer below it, which is why it’s important to have trusted security technologies rooted in hardware for cloud. For example, technologies such as disk and network traffic encryption protect data in storage and during transmission, but data can be vulnerable to interception and tampering while in use in memory. “Confidential computing” is a rapidly emerging usage category that protects cloud data while it’s in use in a Trusted Execution Environment (TEE). TEEs enable application isolation in private memory regions called enclaves to protect code and data while in use on a CPU. For instance, healthcare organizations can securely protect data with TEEs — including electronic health records — and create trusted computing environments that preserve patient privacy across the cloud.
Full memory encryption is another technology used to protect hardware platforms (in the cloud) to ensure that memory accessed in CPUs is encrypted, including customer credentials, encryption keys, and other IP or personal information on the external memory bus. This encryption can help protect system memory against hardware attacks, such as removing and reading the DIMM after spraying it with liquid nitrogen or installing a purpose-built attack hardware.
To be effective, the technology requires not only using the NIST storage encryption standard (AES XTS), but also cryptographic libraries and hardware with FIPS certification, and an encryption key generated using a hardened random number generator in the processor without exposure to software.
Some public cloud service providers (such as AWS and Google) provide FIPS-140-L1 certificates for cryptographic libraries and some offer FIPS-140-L2/L3 for their key management services. Using this approach allows for existing software to run unmodified while protecting memory, which can reduce the chances the library or hardware might have a backdoor to store or send out keys (it’s worth noting the number of keys might not be scalable with this approach, and that can be a limitation).
And finally, while we can’t dive into every hardware innovation, it’s also worth noting there are advances around platform resilience and cryptographic acceleration. Both can help organizations protect against firmware attacks and eliminate the need for customers to choose between protection and performance when looking at cloud technologies and services.
Key security considerations when migrating to the cloud
Cloud technologies are a powerful way to transform business operations, reduce costs, and increase productivity. However, they require organizations to invest in understanding the impact they can have – both on performance and security – to be effective. As you start or continue your cloud journey, here are some key areas to consider:
Understand employee usage
As more organizations integrate cloud technologies, it’s important to understand user profiles. The edge used to be primarily the buildings of a business, but now it’s employee homes. Understanding the tools and resources they’re using can be critical for mitigating risk, especially as you move to cloud.
However, gathering the data required to understand those profiles from a security modeling perspective is very challenging today due to the siloed nature (and non-standard approach) of data management and usage in the cloud. The lack of consistent logging methodologies, and even user profile databases for identity management, is an example of this.
Some cloud companies are taking action to create services that help assess security and risk. Ultimately though, the responsibility of protecting user data belongs to the company entrusted to defend it and not public cloud service providers.
Stay on top of compliance and policy
Setting up basic ground rules for how different stakeholders should function within the business is a foundational step in reducing risk as cloud usage increases. For example, knowing what you can and can’t do on your laptop, setting passwords to eliminate a child using the corporate Zoom line, or not uploading confidential information from a personal cell phone.
Setting explicit boundaries for cloud services usage and the crossover into home technology is critical. Organizations should also explore SASE, multi-factor authentication, better security patch management practices, setting access control and enforcement policies, logging and reporting malicious activities, and more.
Evaluate the risk
When selecting any cloud technology, it’s essential to first identify your assets. What are the core workloads you are running? Who should be able to access them? Which ones correlate directly to revenue? Which impact the end-user experience? Which ones are business-critical (like email)?
Next, it’s critical to look at vulnerabilities. Are there vulnerabilities within the core domain space, in a region you may not trust, associated with compliance guidelines, or because of the supply chain, the risk of wildfires, or utilization? You must account for every risk involved. From this information, you create and apply policies to help reduce risk or meet regulatory criteria.
Look at the potential losses
Not all vulnerabilities are created equal. While it’s important to assess what vulnerabilities exist, you need to understand their correlation to potential losses. While cost is the primary loss factor, it’s not the only one. For example, loss can also be the cost of a damaged brand, which can be very hard to measure. Nevertheless, the ultimate goal is to understand your choices’ expected value as it relates to your domain space.
What’s an acceptable tier of loss (if any)? What are your risk tolerances? For example, you may have zero tolerance for losing customer data because of the risk of lawsuits or brand degradation.
Understanding the legal culpability associated with cloud services is another vital element (associated with evaluating loss). Where does your legal responsibility for the business and customers start and end when using cloud services? Determining this can be very confusing. For example, look at Microsoft’s security best practices for its Azure IaaS product to understand what responsibilities customers must bear—these policies are fairly consistent across public cloud providers: the burden is on the user to ensure security practices are followed.
Don’t underestimate utilization
As organizations quickly shift to the cloud, they often underestimate or overestimate, and in general poorly provision for their usage, which can be a costly budgeting error. Performance issues can cause outages, website availability issues, inconsistent or subpar user experiences and more, all of which can produce losses that are catastrophic to a business. The only way to be prepared is to have capacity and bandwidth “on tap” and the ability to be flexible in your payment models.
On-premise IT leasing models from traditional IT companies and cloud providers try to address this requirement to deliver more predictable cost structures with dynamic capacity and security for enterprises.
While the cloud is enabling businesses all around the world to streamline operations and expand the network edge, events of the past year have dramatically accelerated adoption. This acceleration has caused many organizations to cut corners and not fully understand the impact of certain choices. By considering the above tips and understanding how hardware security impacts cloud adoption, you can better prepare your team to deploy and maintain cloud services successfully.