Cloud continues to make strides in Australia, with the public cloud services market expected to reach $10.3 billion by 2022. However, this growth in public, private, and hybrid cloud adoption is met with a growing convolution for businesses: application sprawl and architectural complexity. As businesses expand their services with cloud, they inadvertently expand the attack surface, producing new threat vectors.
While cloud allows us to offload many responsibilities to third party providers, risk is not one of them. What’s more, is that the rising use of cloud, shared code libraries and other third party resources reduces the visibility and control businesses have over their apps and data – making them even more vulnerable.
Moreover, supply chain risk management has been failing to identify and prevent breaches caused by the use of third party components and poorly configured cloud deployments. In fact, 245 data breaches were reported to the OAIC between April 1 and June 30 this year alone – 34 per cent of which were caused by human error.
Businesses today increasingly deal with fragmented authentication across the organisation. The question is: what can they do to ensure they’re covering all their bases?
Identify the repeat offender
First, we need to identify the most common cause of data breaches in the enterprise: identity and access management. Studies show that Australian businesses still struggle to get basic identity and access management right with the majority of users reusing passwords across multiples web sites. Cloud deployments significantly compound this issue since each provider manages roles and permissions in different ways. However, the lack of strong authentication and auditing leaves many apps exposed to the public with default or weak credentials.
Without a proper framework in place, businesses are exposing themselves to unnecessary security risks.
App security versus infrastructure security – who owns what?
Secondly, while often blurred, it’s important to understand the difference between app security and infrastructure security, especially for businesses that use a multi-cloud strategy for their services.
Infrastructure security pertains to the security of the hardware and networking components. While each cloud provider is subtly different, this generally refers to the servers, storage, virtualisation layer and the network itself. The security of these components is the responsibility of the cloud service provider. Whereas app security refers to the security of software applications that exist on an infrastructure and is typically the responsibility of the business. Deploying your app on a cloud platform does not inherently make it more secure. In fact, vulnerabilities which are decades old, such as code injection, plague brand new apps as much as it does the legacy ones.
With the rise of Software-as-a-Service (SaaS) applications in the cloud, many would expect the needle of responsibility to shift to the host provider – but the reality is that very often security becomes a shared responsibility. Cloud consumers will always own the data placed into SaaS applications so will continue to own the risk regardless of who is managing the security of the service. Moreover, as a result of the growing popularity of SaaS applications, businesses increasingly lack visibility across the application layer. F5’s State of Application Security report revealed 57 percent of respondents say it is the lack of visibility in the application layer that is preventing a strong application security—which can dangerously invite common security threats such as misuse of data, DDoS attacks and web fraud.
Do risk management frameworks accurately identify risks in the cloud?
Universal encryption and “bring your own device” policies make surveillance of data movements nearly impossible. As users become more mobile and apps are hosted in numerous data centres and clouds, traditional risk management frameworks may struggle to identify all potential risks.
Banning the use of all external SaaS and cloud-based services is not realistic or even an option for most businesses.
Instead, businesses need to implement a centralised access policy framework which provides a single source of truth for authentication, to ensure faster access enforcement, enable endpoint health checks, as well as mobile device management integration.
This framework allows businesses to streamline and protect authentication and provides access to apps via a centralised proxy that moves the perimeter to the app, user, or device. That way a business can effectively ensure the security of an app regardless of its environment. Additionally, the use of approved tooling can significantly reduce the risks of a well-intentioned employee unintentionally causing a large-scale breach.
Ultimately, the goal for businesses should be to work towards achieving governance of their apps in the cloud. To do this, here are five things to remember:
- Understand your cloud environment and reduce the attack surface where possible – be especially mindful of unsecured backup locations
- Control access via a centralised proxy enforcing strong authentication for all users
- Mitigate the most likely threats: web injection, credential stuffing and phishing
- Assume that a breach will happen and have an incident response strategy in place
- Ensure that all apps, even those in test and pre-prod environments, have the same security policies applied as those in production
Moving to the cloud has presented both opportunities and challenges for businesses. It’s no longer a matter of if, but it’s a case of when a breach will occur and it’s vital that businesses are prepared for it.