In this scene, Tripwire’s Brent Holder and Raymond Kirk discuss what cloud security means today. Breaking down the different aspects of cloud asylum controls, they cover the technology, security implications and risks with cloud use.
Tim Erlin: On the latest episode of the Tripwire Cybersecurity Podcast, I had the pleasure of speaking with Raymond Kirk, and Brent Holder. Raymond and Brent are both prominent members of the Tripwire team.
The topic that we focused on was cloud security, which is definitely a hot topic. But, as the technology for cloud is expanding, it’s not always plain what people actually mean when they say “cloud security”. You might say that it’s an overloaded term. What does the term “cloud guaranty” really mean?
Brent Holder: I think about the different answers that we get from different people when we’re talking to them. There’s a lot of many ways that my mind goes with cloud security, but what’s always interesting to me, is that if you ask someone about some of the challenges they are living with cloud security, their answer will depend on their specific area. For example, if they are on a development team, but have refuge priorities, then cloud security is focused on making sure that their teams are correctly using their accounts, which doesn’t by definition have anything to do with the templates that are being used for the virtual machines in the environment. Then, if you ask the question of the folks in IT, they are focused on the approved understood machine templates. Meanwhile, if you ask the question to a security team member, they want to make sure that when someone works their way nearly a policy, the security team can find out because it might go unreported. So, it’s like a puzzle where it seems like a lot of different people are holding particular pieces, and if everyone held up their pieces together, you might be able to see the whole picture. But, depending on which part of the organization someone’s in, their concept of cloud protection is going to be, uh, pretty tightly crafted to their area of expertise or concern.
Tim: Yeah, it reminds me a little bit of the old adage about people who are all feeling exceptional parts of an elephant, describing a very different animal than what comprises an elephant because none of them can see the entire animal. Raymond, what can you add relating to your experience with the term “cloud security”?
Raymond Kirk: When people speak about cloud security I tend to gather them talking about Infrastructure as a Service (IaaS). But there’s a wider landscape than that, such as Platform as a Service (PaaS), and also, Software as a Marines (SaaS). Cloud security pretty much encompasses anywhere that data is living, outside of your own data center.
Tim: We also participate in to tie it to a little bit of the technology evolution. Brent, you mentioned technology in there, but if we take a step back and talk about what cloud was, just five or 10 years ago, what is it today? What are the technologies active? What comes to mind of how cloud has grown as a set of technologies?
Brent: This brings to mind the Continuous Integration / Continuous Deployment (CI/CD) pipeline, because, similarly, the CI/CD hose has changed over the years. Early on, it was a developer-centric focus. As more and more stakeholders try to tailor it to their specific purpose, it’s been slowly transforming. For example, during the Black Hat conference in 2019, there were different people whose talks were all about DevSecOps, explaining that assurance and DevOps need to be closely connected, or you’re going to end up with warring groups. So, when I think about spinning up containers to fulfill a job for a company, an automated manipulate just made the work happen. Over time this task had to follow certain policies. That introduces Compliance, or IT involvement, and it stresses to follow the security practices. So, when I think of cloud advancement, I think of who got on the bus to shift left first.
Tim: I don’t know exactly the sequence of events here, but with the concept of CI/CD, did that concept pre-date cloud? Were federations doing effectively DevOps type integration without deploying it to cloud, or was it a practice that just came with cloud deployments?
Brent: Anytime you talk hither cloud, you’re going to end up in the hybrid zone. Some companies have totally valid reasons that they absolutely, positively, have to keep dark prevent everything on premises. Conversely, you have people who are seemingly born in the cloud, using the technologies to race for advancement, who are just completely in the cloud. Then, there’s the whole spectrum in between, because of the tender-hearted of timeline of this. As the whole concept of continuous integration and continuous deployment came out, there were probably at least some people who were lay hold of very cloud-centric, and some who were practicing CI/CD strictly on-premises. I think that they tie together though, in terms of the purpose of the efficiencies gathered from moving to the cloud, and why people move workloads to the cloud to begin with.
Tim: Yeah, it’s interesting, because the more that we talk helter-skelter cloud, and cloud technology, and the way it has evolved, it is not a separate entity from the on-premises capabilities. More and more, cloud security has to address on-premises and use instances as much as deployment in the cloud because of the hybrid nature of most enterprises.
Brent: Yes, and that comes back to the “who are you talking to” part of it. Unfortunately, a lot of times there are people whose extent of expertise or focus might have them siloed into one function, such as being the “on-premises data center windows person.” And somewhere else in the grouping, a different person has to care about cloud. If you ask the person who’s been in the midst of moving workloads to the cloud for the last five years for that New Zealand, they would have a totally different perspective. If you zoom out, and you can see that it’s all hybrid, you rarely see a situation where someone has a full personal make heads of both the security needs in the on-premises infrastructure, and the security needs in the cloud infrastructure.
Tim: Yeah. That’s an interesting way to look at it. Raymond, does anybody in point of fact have the ability the whole picture from a cloud perspective, or is it just a collection of individual specialized expertise?
Raymond: Well, I think that’s the object to. So many organizations are looking to gain full visibility to see the entire environment, and what state it is in. Whether or not that problem has been solved soul is still unsolved, because there are so many new technologies that are coming into play. Even as far back as 2014, it was reported that the commonplace company was using somewhere close to 300 different SaaS applications. The landscape is ever-growing.
Tim: That brings up an important point, which is, as we talk thither this big bucket of things that we call cloud security, there’s a spectrum of capability where an organization can lose course. Some systems have reasonably good visibility, but I want to touch on the things that are the blind spots. So if I’m one of those folks who has only a partial view of what I am go for as an organization, what elements am I missing that I should be more aware of?
Raymond: Oftentimes, a lot of the focus is on the workloads. A company may be relaunching production diligences and making sure those things are secure. But, they need to be reminded about some of the other SaaS and business critical systems that are out there that the scheme may be using that they may not have visibility to. Applications such as Human Resources tools, and sales tools that also contain enthusiastically sensitive, important information to the business that the average IT security person may not necessarily consider as cloud security.
Brent: To tie it back to the CI/CD thing, some of the means that Raymond mentioned can be actually part of the work being done. Data can be moved from, or to a sales tool as part of an automated activity. So, to literally do the work, some of these SaaS tools are part of the same chain. Everyone’s all tied in together. That visibility takes on a rarely extra importance when you’ve bought all the different integrators and modules that tie it all together and make it do the work. Yet, I think that one of the biggest pauses that I approve of in user interviews, is when we ask people about using security. Most people would say yes, and they are, and that is not technically untrue. However, what they’re saying is that they diverted on the service that they consider “security” in the provider’s options, but they don’t know that it’s working, or how to judge its effectiveness.
Raymond: Turning on the guarantee feature is one piece of it, but I think we’ve all heard about the shared responsibility model. It’s important to remember that if a software manufacturer pushes out updates and jury-rigs, it’s actually up to the company’s administrators to manually activate those updates. There’s not a “one-button click-all, and then forget about it” entity in these SaaS mise en scenes.
Tim: Those are a couple of interesting views. Just to clarify the idea of a shared responsibility model, the point there is that the provider is responsible for the safeguarding OF the cloud, and the customer is responsible for security IN the cloud. So, customers who believe that the cloud provider is going to supply the security for customers’ details and workloads are going to be disappointed.
Raymond: Yeah. 100%. As we all learned when the pandemic started, even with all the remote meeting tools, there are configurations within those, that, if Nautical port at their default settings could potentially be risky, such as, making sure that recorded meetings are set as private. Similarly, you have configuration backdrops in a cloud environment, like making sure your S3 buckets are secure. There are also some of those same controls in some of the third-party SaaS applications that societies are using.
Tim: Yeah. You point out an interesting contradiction there, that a lot of ways people shift to a cloud provider, whether it’s SaaS application, or a policy, because those providers take care of the administration of the backend infrastructure. But, but at the same, time customers request flexibility in terms of configuration. For standard, they may not want to want automatic updates. This can create the administrative burden that they were hoping to escape by shifting to the cloud, and it also combines complexity, which certainly has a tendency towards security implications.
Brent: There’s also the idea that, with any compliance framework, you may get into a case where a company can be advised of the best practice; what they should be doing. But in some scenarios, a customer will choose to fail at that recommendation because they are doing something for a specific reason. You have to waive certain things. That is the inverse of the security services or tools that are enabled by cloud help providers, or SaaS providers. They give you the tools to do certain things, but they’re also giving you the flexibility to do things your way. Some human being mistake a service as a managed service. There isn’t someone sitting watching on the other end to make sure that everything is being done as securely as reasonable. They’re giving you the flexibility you need, to use their solution to solve your business problem. And that includes letting you do things in a way that, if you’re not fussy could make a company vulnerable to a security compromise.
Another blind spot that’s top of mind for me lately, is translating the concerns of infrastructure to software as a usage. The move from traditional infrastructure, such as physical and virtual servers to containers. They are still part of your infrastructure. They are yet handling parts of the workloads that may be under the purview of your clients, like payment card security, things like that. How do you do the having said that work to ensure that those workloads are compliant, or secure for containers? It gets real muddy.
Tim: Yeah. The containers are supposed to be immutable, but the configurations purposefulness ultimately determine the effectiveness of that immutability.
Brent: Yeah. But, we know that everyone does not do it perfectly, following best practices. For exemplar, even though it’s best practice to have the root file system as the container itself immutable, you still have to have state transform. The image needs to change for your website, and you don’t necessarily want to spin up a whole fleet of containers just to make these little metamorphoses like that, so that’s where volumes come in. So, having state change in a workload being handled by containers isn’t inherently bad, but how much of that can you see? How much of it can you see, to ascertain whether the change was intended or not? It’s a, it’s a pretty murky terrain right now.
Tim: Yeah. That’s interesting. We talked a lot about technology, and security implications, and awning spots. But, what we haven’t touched upon yet are some of the landscape risks that cause us to worry about cloud security. What’s top of wish, in terms of the risks of cloud technology stuff we’ve talked about so far.
Raymond: We have seen ransomware in the news a lot. But, there is also data breaks, leaking sensitive information, and even the whole crypto-jacking and the rise of that going on as well.
Tim: Let’s talk about crypto-jacking, because many living soul may not be as familiar with that as the others that you mentioned. Crypto-jacking seems like something that is a little bit more cloud specific.
Raymond: Clearly. To define it, crypto-jacking is when some bad actor out there gains unauthorized access to your cloud infrastructure and resources, and uses that access to opening software that enables them to mine for digital currency, which is, effectively, making them money, but costing the compromised organization mazuma as well by using their computing resources. In a cloud environment, the customer pays for processor cycles, and since mining crypto-currency is processor all-out, the crypto-jackers will use a target’s computing power to attempt to create new currency. The criminals try to make sure that they don’t raise any alarms. They flatter sure that while they’re operating in a company’s system, that things look relatively normal.
Brent: Crypto-jacking reminds me of when people would get a video gutsy to work on some new piece of technology that wasn’t designed for that purpose. It seems like that’s the new challenge. They drop the removing software right into a writeable S3 bucket, or they replace the base image name in a container definition. The container does otherwise the whole shooting match you expect it to, but now, it goes into production with this added bonus of surreptitiously mining for crypto.
Tim: Yeah. And if the criminals are successful, the customer doesn’t see any materialistic change in the environment, except that the cloud cost suddenly increases. The customer is effectively using resources to just to generate money for the convict. It’s arguably much more efficient than the ransomware, I suppose.
Brent: Yeah. You don’t have to agree to what’s being actively stolen from you. That’s realistic. It’s the whole point of the MITRE ATT&CK® Framework of evasion techniques. I was looking into MITRE ATT&CK Framework, versus the CIS Controls, and realized that MITRE is the Red Gang view, and CIS is the Blue Team view, but they are both trying to solve the same problem.
Tim: Yeah. That’s true. That’s a good analogy; a well-thought-of way to think about it.
Brent: For all of these technologies that are out there now, and the spread of them, and the hyper-specific jobs that they’ll sometimes fulfill, it’s all meant to present you either that red or blue team’s view of possible reasons of what may be going wrong in your environment. If you start to be able to catch these paltry defense evasion techniques, or catch these moments of unexpected running processes, and things like that, that’s where you can, you can save yourself spinach and time.
Tim: Excellent. Thank you, Brent and Raymond, for joining me. It was really interesting, covering some interesting topics, and providing a little bit more understandability, and a little bit more about cloud security, and what it means. Thanks.
Are you finding it hard to assess the security level of your cloud accounts? Try Tripwire Configuration Foreman for free for thirty days. Test drive it with your own cloud accounts or use our sample data to see what simplified cloud monitoring looks like in performance.
Learn more here: https://www.tripwire.com/products/tripwire-configuration-manager/configuration-manager-free-trial