Love Affairs with the Cloud Obscure Many Security Risks
The Cloud Security Alliance (CSA) recently released “The Treacherous 12: Cloud Computing Top Threats in 2016,” which provided a run-down on the greatest security threats that organizations face with cloud computing.
The report’s findings are especially important this year, as business units are increasingly acquiring cloud services independent of the IT department -- often with little to no regard for security, according to security firm Palerra. The result: “the door is wide open for hackers,” the firm warns.
Information Management spoke with Rohit Gupta, co-founder and CEO of Palerra, for his thoughts on the Cloud Security Alliance study, and what chief information security officers should take from the report.
Information Management: When you saw the "Treacherous 12 Cloud Computing Top Threats" from the Cloud Security Alliance, what was your first reaction to the threats outlined in that report?
Rohit Gupta: My initial reaction was one of vindication. The cloud brings the promise of incredible agility and velocity. But that has to be balanced with the shared responsibility and governance-focus that is required of the enterprises that consume it.
Enterprises have to be concerned with breaches and data exfiltration from account hijacking, and from privileged insiders whose elevated access rights can be misused. With breaches continuing to be on the rise, it was a strong sign to see the CSA publish research on the top threats to cloud computing.
IM: How do you think the top cloud threats for 2016 compare with one or two years ago -- what is better, and what is worse?
RG: I don’t believe that one report is better and the other report is worse. With the passage of time, and greater access to data, the top threats list has evolved. There are several everyday experiences which give immediate reality to the Threats that are listed.
For example, there was the episode of a senior executive leaving one major ride-sharing company to go to another. In that case, the departing executive used a cloud-based file-sharing system to hold onto sensitive content of his former employer. That is a classic case of insider misuse resulting in massive IP loss that could eventually result in brand and financial damage.
An area where I felt the 2016 report was stronger was in highlighting the concerns around insecure APIs. APIs are the lifeblood of the cloud, mobile, and IoT economy; and insecurities and vulnerabilities in them could be catastrophic.
IM: With regard to the companies that you work with, what are their concerns or challenges when it comes to cloud security?
RG: The most commonly heard issues and concerns we hear with our clients surround the following:
• Lack of visibility into what’s happening in the cloud, thereby raising security and risk concerns
• Suspicious activity from insiders
• Concerns around data exfiltration (sensitive data moving to the cloud, or being shared with unauthorized users)
• Insufficient controls on how cloud services are configured, leaving them vulnerable to an attack; we hear this about SaaS apps as well as cloud infrastructure
IM: Of those challenges, which are due to external forces, and which are due to internal shortcomings?
RG: It’s always a mix. When it comes to data exfiltration or phishing attacks, that’s clearly external forces which could be at work. However, companies have to recognize that cloud security control starts at home first, and that begins with getting better visibility and setting the right controls on their mission-critical cloud applications.
IM: How do you go about advising a company on the best way to assess their risk and vulnerability in the cloud?
RG: We recommend that companies consider a holistic security governance strategy when it comes to assessing and mitigating their risk in the cloud.
First, set up security monitoring for your mission-critical cloud applications and infrastructure. This is important for enterprises that’ve spent millions of dollars on services such as AWS, Salesforce, and Office365. They need to be able to ensure that their users, data, and apps are protected with deep security monitoring.
Next, make sure there is ongoing discovery of any shadow cloud services being used. By doing that, an enterprise finds out where they’re potentially exposed, as well as the risks they face. They can then implement procedures by which they can control and mitigate the risks.
Lastly, we recommend enterprises embrace security automation in an expanding capacity. Automating the process of threat detection, forensic analysis, and incident response in the cloud helps companies keep their costs low and eliminates the dependency on manual tasks.
IM: What can an organization do on its own to help reduce cloud security risk?
RG: The first and most basic undertaking surrounds that of education and driving awareness within the employee base. An organization should never hinder productivity, and providing employees greater flexibility in selecting tools to do their jobs is important; but balancing that productivity with security and risk management is equally important. Implementing the right set of security monitoring tools is the next critical step in the process of cloud security risk reduction.
IM: What are the advantages that an outside partner can bring to a client to improve their cloud security?
RG: Palerra is a Cloud Access Security Broker (CASB) and in the business of helping companies truly embrace the promise of the cloud by dramatically reducing the risks that might be present.
For example, our solutions help companies gain better visibility and insight into what’s happening in their cloud services so that they can make the right decisions. We also provide our clients with a highly automated security framework in the cloud. Gartner predicts that through 2020, 95 percent of cloud security failures will be the customer’s fault.
This does not mean that customers lack security expertise. What it does mean is that it’s no longer sufficient to know how to make decisions about risk mitigation in the cloud. To reliably address cloud security, automation will be a key factor. We provide our customers with automated threat protection and forensic response so that they can be assured that their users, data, and applications are safe. Automation brings significant benefits around eliminating manual tasks and errors, reducing costs, and dramatically increasing productivity.
IM: Looking out a year or two, what do you see as the looming new security challenges in the cloud that companies should be aware of?
RG: Cloud-centric Advanced Persistent Threats (APTs) are a concerning trend to watch out for in the near future.