How to Stay Ahead of the Hackers: Proactive Cloud Security Learning
October 13, 2016
When we think of cloud security, most of us think of encryption, identity and access management, user IDs and passwords, and other mechanisms that make the clouds more secure – certainly more secure than most on-premises systems.
But would you be surprised to know there is a missing piece that makes the clouds even more secure? It's called proactive security.
The notion of proactive security is nothing new. As the number of websites grew in the 1990s, cyber attacks became more frequent. So web security people played a game of cyber “Whack-a-Mole,” shutting down IP addresses based on monitoring of access.
In the cloud, there are hundreds or thousands of IP addresses to protect. Enterprises expect cloud providers to do some of the monitoring on behalf of their clients. However, public cloud tenants are ultimately responsible for protecting their applications and data, using whatever tools they have available.
The knee-jerk reaction is to just lock the door. This means using multi-factor authentication (MFA) to ensure that those who attempt to access the systems are authorized.
MFA combines two or more independent credentials: for instance, what the user knows (a password), what the user has (a security token), and what the user is (biometric verification). You can think of this as double-checking that the user is who they say they are before granting authorization to enter.
Of course, MFA only provides entry-level protection. Encryption of information within the cloud servers means that, even if the hackers get past MFA, the information won’t be accessible or readable without the encryption key. For example, government agencies that monitor systems can’t see the data without that key, and data stolen from the public cloud servers is all but worthless.
What proactive monitoring looks like
The notion of proactive monitoring for security takes cloud security to a whole new level. This involves active monitoring of who, what and when.
Who is attempting to access the system, including IP address, location, and profile? What are they doing? That’s the most important thing to note. Are they trying to access data, other servers, things that are out of the norm? Finally, when. How often, and at what time? Most users don’t access the systems at 3 a.m., for example.
Even the National Institute of Standards and Technology (NIST) has already chimed in on this issue. One of the NIST playbooks, which enterprises are encouraged to leverage, is NIST Special Publication 800-137 Rev. 1, “Information Security Continuous Monitoring,” which provides guidelines for implementing automated tools and processes for continually monitoring security risks.
In particular, NIST recommends that organizations:
- Take a holistic approach to risk management. Organizations should identify the processes that are critical to their mission, the systems critical to those processes, and the assets that support those systems. Look at everything, not just the data store of a single server instance, but the networks, the platforms, the data and even the security systems themselves. All should be considered in the mix; all are areas that can be compromised.
- Quantify risks. To allow relative risks to be compared with one another and over time, risk should be quantified at the asset level. At any point in time, an individual asset’s risk score may be rolled up to show aggregate system and mission risks. Rank the risks and provide scores. Risks to network access may fall well below risks to the data. Use the scores to determine, among other things, which risks require attention and in what priority order.
- Automate risk determination. As opposed to determining asset risk via manual audit, risk determination should be the result of automated tools and processes that score asset configuration and behavior against stated policies. This is perhaps the most important aspect of proactive security, in that we’re actively seeking issues, such as a sustained attack, and taking automated preventive action, for instance locking out an IP address that appears to be malicious.
- Assess risk continuously. With risk determination automated, risk assessment should be performed continuously rather than periodically, as is the case with traditional compliance certification. This is an ongoing process that never stops. Moreover, the process continuously improves itself. For instance, it could add capabilities each week to provide the best proactive monitoring features, and live up to best practices for both cloud computing and the enterprise’s industry.
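The who/what/when monitoring and the NIST asset-level scoring and roll-up described above, as an added Python sketch that is not part of the article or of NIST SP 800-137; the access events, known-IP lists, asset weights, off-hours window and block threshold are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed access events (who = user/ip, what = asset/action, when = ts).
EVENTS = [
    {"user": "alice", "ip": "203.0.113.7", "asset": "db-prod", "action": "read", "ts": "2016-10-13T09:15:00"},
    {"user": "alice", "ip": "203.0.113.7", "asset": "db-prod", "action": "read", "ts": "2016-10-13T10:02:00"},
    {"user": "bob", "ip": "198.51.100.4", "asset": "web-01", "action": "login_failed", "ts": "2016-10-13T03:01:00"},
    {"user": "bob", "ip": "198.51.100.4", "asset": "web-01", "action": "login_failed", "ts": "2016-10-13T03:01:30"},
    {"user": "bob", "ip": "198.51.100.4", "asset": "web-01", "action": "login_failed", "ts": "2016-10-13T03:02:00"},
    {"user": "bob", "ip": "198.51.100.4", "asset": "db-prod", "action": "export", "ts": "2016-10-13T03:05:00"},
]

# Constructed policy: usual source addresses per user, asset importance
# (data ranks above the network edge), normal hours and an auto-block threshold.
KNOWN_IPS = {"alice": {"203.0.113.7"}, "bob": {"192.0.2.10"}}
ASSET_WEIGHT = {"db-prod": 3, "web-01": 1}
OFF_HOURS = range(0, 6)          # 00:00-05:59 is outside the normal access pattern
BLOCK_THRESHOLD = 10

def score_event(e):
    """Score one event on who / what / when, weighted by asset; 0 = nothing unusual."""
    s = 0
    if e["ip"] not in KNOWN_IPS.get(e["user"], set()):
        s += 2                   # who: unfamiliar source address for this user
    if e["action"] in ("login_failed", "export"):
        s += 3                   # what: failed authentication or bulk data movement
    if datetime.fromisoformat(e["ts"]).hour in OFF_HOURS:
        s += 1                   # when: activity at an unusual hour
    return s * ASSET_WEIGHT[e["asset"]]

def assess(events):
    """Roll event scores up to asset and system level; decide which IPs to block."""
    by_asset, by_ip = defaultdict(int), defaultdict(int)
    for e in events:
        s = score_event(e)
        by_asset[e["asset"]] += s
        by_ip[e["ip"]] += s
    blocked = sorted(ip for ip, s in by_ip.items() if s >= BLOCK_THRESHOLD)
    return {"by_asset": dict(by_asset),
            "system_total": sum(by_asset.values()),
            "blocked_ips": blocked}

if __name__ == "__main__":
    result = assess(EVENTS)
    for asset, s in sorted(result["by_asset"].items(), key=lambda kv: -kv[1]):
        print(f"{asset:8} risk={s}")          # ranked asset-level risk
    print("system total:", result["system_total"], "block:", result["blocked_ips"])
```

Re-running `assess` on each new batch of events is the continuous assessment the fourth recommendation calls for; in a real deployment the thresholds and weights would be tuned from historical baselines rather than fixed constants.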
Those who aspire to become proactive around cloud security usually get part of the way there. Costs are typically an issue, as well as lack of skills and knowledge.
Enterprises that actually determine the cost of risk may understand that they can’t afford not to have a proactive security strategy in place. The cost of risk, if understood by leadership, means that this approach and its technology are compelling.
How to implement proactive security at your company
So, what are the steps to set up a proactive security approach and technology for your cloud deployment?
First, make the business case. Risks are easy to understand and to assign a value to. For example, if you’re a healthcare organization, compromised data typically means the business will fail in short order, considering the number of lawsuits that will arise from such an event.
Second, select the approach you need to leverage. Proactive security approaches vary, depending upon the type of organization and its industry. Publicly traded companies, for instance, have regulations such as Sarbanes-Oxley to consider, and the approach must mesh well with existing laws. Manufacturing and retail have fewer regulations to consider, but must make sure their approach does not compromise existing compliance processes.
Finally, pick the right proactive security monitoring technology. There are hundreds of providers out there – including some provided by the cloud providers themselves – that offer up ways to monitor your core cloud assets, follow pre-defined policies and take corrective action, such as alerting a human or even stopping the attack before it becomes an issue.
The path to cloud means thinking about many things, including data management, service management, governance, and, of course, security. The opportunity is that we can build systems in the cloud that are better and more secure than traditional on-premises systems. The way to make that happen is to think proactively, rather than just responding to trouble.
*Image from Colin, Wikipedia Commons