The cloud has been around for more than half a century and till now, the topic of “Is the cloud secure?” remains a question that often surfaces in Google searches and conversations. In this article, Geoff Leeming gave blunt (but necessary) pieces of advice.
The sheer power and ease of use of AWS’s security systems were one of the main reasons I left banking and started up my own consultancy: when a cloud service provider can give you better security, cheaper and faster than the world’s best investment banks, you know there’s a revolution on its way. So it continues to amaze me that I still hear so many stories about the insecurity of the cloud, and still hear so many fears from our clients, wondering whether they dare make that shift. Are they looking at a different cloud to me?
Pragma has been consulting on, implementing and operating secure cloud workloads for regulated clients for some time now, and we’ve dealt with many firms who migrated and many firms who decided to watch and wait. We also run incident response for some of the world’s best cyber insurers, so we have a rich store of case studies of firms who got hit, both on premise and on the cloud, and can draw some fascinating conclusions about what works and what doesn’t. Let me explain to you why cloud is more secure than on-premise, and at the same time is more risky.
1. It’s all about the people
Myles Hosford at AWS talks about this relentlessly, and he’s absolutely right: training is essential to the success of any cloud deployment, not just an afterthought to keep the engineers quiet. Cloud skills are in high demand and low supply; Cyber skills are in high demand and low supply; Cloud Cyber skills are rarer than hen’s teeth and I’m doing my very best to hire any good ones before you do.
So many firms end up with a deployment team that are making it up as they go along, trying to keep one step ahead of management who know even less than they do. Keep an eye on your deployment team’s web surfing, and watch the hits on stackoverflow.com and acloud.guru spike as they get their new project. They’re experimenting with your requirements, trying to find the best way to meet them: or maybe the quickest way, or sometimes just any way that will work and let them get the project back on track before the project manager gets any more aggressive. What they’re not doing – because they rarely encounter this in the lab environment – is looking for the way to meet those requirements that won’t expose all sorts of security vulnerabilities.
In a traditional IT team, you have a project team of engineers trying to create something, and if you’re lucky, maybe a security review before it goes live. That doesn’t work on the cloud. If you don’t have security engineers in there from day 1, defining securely, building securely, testing securely, you’re going to get hit.
Why doesn’t that old paradigm of the pre-go-live security review work anymore? That’s because…
2. You’re naked in the cloud
It’s allegedly one of the world’s most common dreams: you walk into your office as normal, in front of everyone you know, only to realise that you’re completely naked (see https://www.huffpost.com/entry/dream-being-naked-public_n_58ab242de4b037d17d2a08aa). Everyone’s had that nightmare at some point in their life. But nobody has nightmares about being naked in their own bathroom – it’s not the thought of being naked that stresses people, it’s being naked in public.
But that’s where you are in the cloud. Your systems are no longer hidden away from public view in some corner of a dusty data center in Slough or Pune, they’re on a global high-traffic forum that’s the focus of attention of most of the world’s IT industry. Our security testing team finds vulnerabilities in every single client system we test, but our Incident Response team knows that not every client gets hacked. Why? Luck, partly, but also obscurity.
That poorly coded, hacked-together in-house intranet web app you have that was put together by the interns, and should never see the light of day, but isn’t important enough to be able to get the budget for the complete security re-write it so desperately needs? The reason why it hasn’t been hacked yet is not because those interns miraculously created something invulnerable, it’s because it’s hidden away on your intranet where only Purchasing can see it. Then some bright spark has the idea of saving infrastructure cost by moving it to the cloud, and suddenly it’s accessible to the world because your deployment team doesn’t really understand network access control. And when that gets hit (which can happen surprisingly quickly), it’s connected to other systems, which in turn are connected to others.
It’s not that you’re naked, it’s that you’re naked in public. One slip, and you’re exposed to the world.
What’s the solution? You need security engineers in there from day 1, defining securely, building securely, and testing securely.
3. Not all clouds are created equal
One of the most common forms of computer-based fraud out there at the moment is the Business Email Compromise or BEC. Every time our CERT responders react to one, they have to ask the same question, even though they always get the same answer: “What email system do you use? Ah yes, Office 365”. To this day we have never had a BEC case that involved Google’s G Suite. I’m sure Microsoft will tell you this is because of their dominance of the SME market, but we know that Google’s focus on email security dates back years, even before their purchase and integration of the superb Postini email filtering system in 2007. Outlook365 focuses on ease of use; G Suite builds in a layer of security that will keep you safe.
But email’s only one small part of a full cloud infrastructure. Each service provider has their own areas of excellence, each gives you a full suite of security tools that you can build in to any cloud deployment, and most tools are free or incredibly cheap. One bank I worked for spent nine months and half a million bucks rolling out a backup encryption solution across Asia: on AWS, that’s a tickbox, and it’s free. For banking security we prefer AWS, because of their ongoing dedication to meeting some of the toughest banking security regulations in the world, and the level of support they’ll give you to make that happen, but choose the supplier that meets your needs across the board.
But when you have chosen your cloud supplier, you really need to do the research to find out how their security tools work, how they integrate, and how and when you should use them. That’s right, you need security engineers in there from day 1, defining securely, building securely, and testing securely.
Is cloud secure?
That’s the wrong question. They’ll all give you all the security you’re willing to use. The question isn’t whether they’re secure, it’s whether you’re secure. Are you willing to put in the work you need?
If you are, you can create something far better in the cloud than you’ll ever do on premise. Good luck!
Geoff Leeming has over 25 years of experience in running security teams for some of the world’s biggest organisations, and has helped those teams grow from the far, geekiest corner of the IT department into mission-critical risk management teams that face off to governments and CEOs. He is now the co-founder of Pragma and a certified AWS Cloud Architect.