In early 2018, Niall Merrigan, an Irish cyber security expert living in Norway, chanced upon the personal data of tens of thousands of mobile phone subscribers in Thailand using a free tool that scans content stored on Amazon’s S3 cloud storage service.
The data, including image scans of drivers’ licences belonging to customers of Thai telco service True Move H, was stored in S3 buckets with allegedly no security measures in place to protect it.
“Simply, if you found the URL, you could download all their customers’ scanned details,” Merrigan wrote on his blog. “In all, over 32GB of data existed in this bucket, totalling 46,000 files, neatly organised by year.”
True Corp, the company that operates the True Move H service, defended its security measures after the breach, claiming that it had a “good security system” and that the data was hacked by Merrigan.
The True Move H incident, following other S3 data leaks that hit organisations in Asia-Pacific (APAC), including Australia, and elsewhere globally, underscores the importance of cyber security when moving to the cloud.
“There are still a lot of misconceptions about the cloud and the kind of security and protection that companies will get when they store their data there,” says Aaron Bugal, global solutions engineer at Sophos.
“The most important thing to remember is that when companies put data in the cloud, it is imperative that they understand how it is being protected, and do not assume that security is being taken care of.”
After a spate of S3 data leaks, Amazon rolled out another layer of protection in November 2018 to prevent accidental data leakages. This includes tools to make sure administrators do not make data publicly accessible through a simple mistake or misunderstanding.
Although such tools are handy and should help enterprises to avoid costly cloud security mistakes, they are often not enough.
“More can still be done to ensure that data on the cloud is not easily compromised,” says Bugal, such as the need to understand the type of data and whether or not that data should be in the cloud in the first place.
Enterprises should also understand the types of cloud models used by the company, and ensure the proper layers of protection, such as firewalls or intrusion prevention, are in place.
Enter cloud-based security
But faced with limited budgets and a dearth of cyber security talent, many enterprises can’t do it all alone. That’s where cloud-based security – a growing market that Gartner expects to be worth $9bn by 2020 – comes in.
“Cloud-based solutions can help organisations save significant costs by eliminating the need to power the hardware-based security equipment and physical space taken up by datacentres,” says John Cunningham, APAC vice-president for cloud security at Symantec. “This is one of the key benefits that all organisations welcome – especially small and medium-sized enterprises [SMEs] that tend to have limited resources.”
The increased use of mobile devices and applications in line with the bring-your-own-device (BYOD) trend has also contributed to the growth in adoption of cloud-based security systems, says Cunningham, noting that cloud-based security will give organisations greater business agility while ensuring that critical information remains protected.
“Outsourcing all the knowledge and skills to a cloud vendor will leave a skills gap should the need to bring offerings back on-premise occur. Also keep an eye on the pricing, since it too is flexible”
Simon Piff, IDC
Other benefits of cloud-based services are the always-on availability of such services to monitor real-time threats, as well as simplicity, with suppliers taking care of the heavy lifting without enterprises needing to become cyber security experts.
“Complexity is the enemy of security,” says Sophos’s Bugal. “If technical controls demand a high degree of knowledge to operate, they will most likely negatively affect the overall security posture of the business.”
In fact, the benefits of adopting cloud-based security are not too different from those that drive enterprises to move to cloud-based infrastructure or, more generically, IT outsourcing, according to the Cloud Security Alliance (CSA) APAC.
“That would include greater business agility, data availability, collaboration, simplicity of updates and cost savings,” it told Computer Weekly. “The scale stemming from cloud service providers’ extensive and distributed infrastructure also provides the economies of scale and performance that are beneficial in protecting enterprises against attacks such as distributed denial of service [DDoS].”
However, the CSA APAC notes that the adoption of cloud-based security is often a function of where an enterprise is on the cloud adoption readiness scale.
“Without the right organisational mindset, governance and compliance, architecture, skilled manpower, understanding of service level agreements and the shared responsibility model, just to name a few, an enterprise is essentially not yet ready to take on anything cloud-based,” it says.
“Just like you cannot port an enterprise’s on-premise infrastructure to the cloud overnight, the same applies, even more so, to security. Of course, if an enterprise’s infrastructure is not fully cloud-based, there will be some areas of security that would still practically require some form of on-premise and hybrid solutions.”
Broad considerations
Before settling on any cloud-based security service, there are a number of broad considerations to bear in mind.
First, enterprises need to evaluate the pros and cons of each service delivery method and how it fits into the current security infrastructure – and, critically, the future strategy of the business, says Simon Piff, vice-president of IDC’s IT security practice in APAC.
Enterprises should also consider their ability to manage these offerings effectively, he says, because having a broad range of supplier products inevitably leads to complexity and inefficiency – as well as the regulatory environment in which they are operating.
Piff notes that some industries have more regulatory hurdles than others – and with privacy emerging as a bigger issue in APAC than it has in the past, enterprises should consider data management as part of their cloud-based security portfolio.
Types of cloud-based services
Cloud-based security services run the gamut of risks, from data loss prevention and email security to identity and access management. Here are the common services of most interest to enterprises and security professionals, as well as Sophos’s take on what enterprises should look out for in each service:
Identity and access management (IAM) Flexibility is key to an identity and access management system. Given the vast number of authentication directories available and some being proprietary in nature, it would be advantageous if the IAM system could be made interoperable with third-party resources. Although this is now expected of many IAM providers, some are not as flexible as others.
Data loss prevention (DLP) Passive discovery is important in data loss prevention. Many organisations start down a path of DLP without knowing where their data is, how it is being used or how it should be classified. Data classification can become such a roadblock in a DLP project that it makes many enterprises give up. Look for a DLP provider that can enumerate data and use rules and artificial intelligence to classify the data and simply report on its location and how it is being transported. This will ensure the organisation can start with little knowledge on what data it has, profile everything and then implement rules to restrict content based on the discovery phase.
Web security The core features of a web security product should be user identification, device identification, requested destination, content filtering, secure session decryption, and inspection and solid reporting.
Email security Phishing, business email compromise and user impersonation are the most requested functions when it comes to email security. Targeted attacks are on the rise, and successful breaches are often attributed to initial access being granted off the back of a successful phishing attack or an email account being compromised by poor password use.
Intrusion management Clarity on discovered events is key here. Many products provide a dump of all attempts made and do not classify the severity of the event. Look for tools that have a very good signal-to-noise ratio, where the noisy, low-priority events are filtered down, with potentially threatening events bubbled up to the surface for immediate attention.
Security information and event management (SIEM) When evaluating a SIEM system, do not necessarily base your organisation’s needs on a supplier’s capabilities. Instead, decide based on what your current security, gateway and authentication controls declare as best for the information they generate. Many suppliers of security controls have tried and tested various SIEM offerings, and typically settle on a handful that works best with the information they generate.
Encryption Although many organisations consider encryption on mobile devices’ hard drives, they also need to consider where the data from that device could end up eventually – such as removable media and online storage. As such, ensure your encryption supplier does not just encrypt the data on the disk, but offers a choice of encryption before it reaches the public or private cloud, and most definitely before it is copied to removable media.
Common cloud security services – IAM, DLP and web security
Common cloud security services – email security, intrusion management and SIEM
Managed security services
In some cases, managing a suite of cloud-based security services may not be viable because of a lack of in-house expertise and resources, or the need for customised cyber security programmes.
A managed security service (MSS) could be the answer, by providing a range of services powered by different security suppliers that scale on demand, including threat detection and response, security testing, proactive threat hunting and digital forensic investigations.
“Some organisations, but very few, have the monetary and time resources needed for building out and maintaining an infrastructure that will deliver the same level of security that MSS provides,” says Chris Schueler, senior vice-president of MSS at Singtel-owned Trustwave. “In most cases, it is simply not feasible.”
Schueler notes that the talent gap, in particular, is driving some enterprises to consider MSS offerings that are typically delivered by a team of highly skilled security specialists operating out of security operations centres around the globe.
“Enterprises are finding it necessary to fight fire with fire by eliciting the help of ethical hackers, threat hunters and digital forensic investigators who have deep insight into cyber criminals’ tactics and ways that they exploit vulnerabilities,” he says.
“If an enterprise is lucky enough to obtain these specialists, they are finding it increasingly difficult to retain them because better offers and perks are always available. This puts the enterprise in a difficult situation because just one of these experts leaving to pursue another opportunity has the potential of crippling the entire security programme. The MSS model ensures expert support is available and can scale as needed.”
But IDC’s Piff warns that MSS offerings can be more expensive, with incident response and data being co-managed by a third party. There could also be unique challenges in data recovery, he adds.
Pitfalls and integration challenges
For all their benefits, cloud-based services are updated as and when necessary by security suppliers. IDC’s Piff says this is not a problem if there is limited or no customisation, but organisations often seek to customise systems to meet a perceived unique need, which can lead to problems.
Also, consider that cloud is currently the most effective datacentre operating model, and although IDC does not see anything on the horizon to change this perception, other issues may arise from a move back to an on-premise security infrastructure.
“Outsourcing all the knowledge and skills to a cloud vendor will leave a skills gap should the need occur to bring offerings back on-premise,” says Piff. “Also keep an eye on the pricing, since it too is flexible.”
Then there is also the challenge of integrating cloud-based security offerings with on-premise security systems. To that, Symantec’s Cunningham notes that many cloud-based security services offer enterprises the ability to integrate with common on-premise SIEM and service orchestration platforms.
But what is really needed is a shared security model, says Bruce Olson, director for worldwide public cloud sales at Fortinet.
“Make sure that these tools, whether local or in the cloud, can be seen and managed through a single management interface to facilitate the collection and correlation of threat intelligence and the ability to track and orchestrate universal security policies,” he said.
For software-as-a-service (SaaS) applications, Olson advises enterprises to adopt cloud access security brokers (CASBs) that can be deployed either on-premise or in the cloud to establish security policy enforcement points between cloud users and cloud service providers to maintain security and inspect and secure data moving to cloud domains.
“As the use of SaaS applications grows from both enterprise and remote locations, so does the need to enforce a consistent security policy at the user level. Cloud security must integrate security controls from perimeter firewalls used to inspect all outbound traffic, including that generated by SaaS applications.”
Read more about cyber security in APAC
Amid growing cyber threats, the Asia-Pacific cyber security landscape will not get any rosier in 2019 unless organisations start shoring up their cyber hygiene.
The cyber security consulting arm of Australian telco Optus is acquiring Hivint for A$23.3m in a bid to bolster its security pedigree.
This gives enterprises an integrated view of their cloud and on-premise security posture, as well as a single feed and workflow for incident response management.
“SDP is able to provide the benefits of VPN – message confidentiality and integrity – while overcoming the limitations of traditional VPN products such as all-or-nothing access control to the network.” it says.
“It also allows organisations to have a centralised, policy-driven network security platform that covers their on-premise infrastructure, cloud infrastructure and user populace, while reducing the attack surface.”
