In this Q&A article, Oracle spokesperson Craig Nel, Cloud Platform Leader, ECEMEA, Oracle, answers questions on the impact of security on the cloud and how these issues should be addressed.
What are the necessary elements of a cloud security strategy?
Cloud security encompasses the technologies, controls, processes, and policies which combine to protect cloud-based systems, data, and infrastructure. It is considered a sub-domain of computer security and more broadly, information security. Therefore, any cloud security strategy will need to address these core elements.
The notion of cloud security as a shared responsibility is a foundational cloud security and risk management construct for conveying the division of labor between the cloud service provider and service subscriber. A clear understanding of the shared responsibility model for all types of cloud services is nothing short of a cornerstone for cloud security programs.
How should security challenges in a multi-cloud environment be addressed?
A multi-cloud strategy typically suggests the use of two or more cloud-based computing services. Multi-cloud can refer to any deployment of multiple software-as-a-service (SaaS) or platform-as-a-service (PaaS) cloud offerings, but it is generally used to refer to a combination of public infrastructure-as-a-service (IaaS) environments.
A well-designed multi-cloud strategy decreases the effectiveness of distributed denial of service (DDoS) attacks by allowing IT and security teams to shift the workloads that operate in impacted environments to other cloud environments. This capability, combined with a strong DDoS protection solution, provides resiliency beyond having only a single DDoS protection strategy.
Multi-cloud environments also make a core-to-edge security approach possible. Security defences located at the edge of the network, away from the core infrastructure and closer to the end user, can be implemented on demand, often as part of a cloud service. This allows attack detection and mitigation before potential threats can reach the core network where applications and workloads exist.
A multi-cloud strategy can also improve reliability outside of the event of an attack. If the primary cloud encounters an issue, a passive cloud can seamlessly act as a failover solution to ensure uninterrupted site availability, content delivery and e-commerce transactions.
What are the top threats in terms of cloud security?
Even in the face of well publicised public cloud data loss incidents, many consider public clouds as more secure and resilient environments. The sheer rate at which the use of cloud services is expanding is creating an appreciable cloud security readiness gap. Cloud services and applications are often consumed by a business unit outside of the purview of the centralised IT and cybersecurity teams.
Then, as lines of business realise rapid time to value, use expands. Collaboration with the cybersecurity team is perceived as threatening to throttle speed. Herein lie the issues of velocity outpacing security readiness and the need for a cultural shift in how organisations approach cybersecurity. Fraud itself is one of the oldest tricks in the book employed by criminals for financial gain, dating back to the beginning of commerce.
The use of cloud services, fueled by digital transformation initiatives, is yielding new business workflows that, in turn, are creating new opportunities for fraudulent activity. The increase in remote work has served as an additional catalyst for the use of cloud services.
Fraudsters employ multiple means to monetise illicit activity, with the lines between the types of cyber fraud and the tactics and methods employed by cyber criminals blurred. As a form of extortion, ransomware continues to be a big business for cyber criminals. Recent examples of ransomware attacks against cloud-resident data include dental records, chart histories, and x-rays of patients at hundreds of dental providers held for ransom.
Impersonation, or identity fraud, is the predominant means for cyber criminals to conduct financial fraud. The rise in business email compromise (BEC) attacks is evidence of this point. The FBI’s Internet Crime Complaint Center (IC3) 2019 Internet Crime Report reveals that BEC attacks in 2019 were quite profitable for cyber criminals, totaling $1.8B in losses, likely not a full picture of the actual financial impact, as many BEC incidents go unreported.
The threat actors of cyber fraud include cyber criminals, insiders, and those who collude as part of group crime. While most data breaches are perpetrated at the hands of external adversaries, the 2020 Verizon Data Breach Report notes that 30% of the data breach investigations conducted by Verizon in 2019 involved a malicious insider. The report notes that not only are these insiders often in a position of seniority, but that the financial losses can be appreciable. Because of the insider’s familiarity with both business process and business applications, the insider threat is harder to detect. Further, now being able to conduct fraud out of sight in their own home, remote work has exacerbated the internal threat.
Organisations of all sizes are becoming well versed with the risks associated with data theft, misuse of data, and inappropriate access to data. The growing cost of post-breach fines and litigation, combined with regulatory penalties for failure to adequately protect data, make securing sensitive data a top priority for most organisations. Most organisations that suffered a data breach attribute the incident to a known, unpatched vulnerability.
A self-securing database, such as the Oracle Autonomous Database, is more trustworthy than a manually secured database. Automating basic security requirements like encryption and patching not only removes the element of human error, it eliminates the dangers that are inherent with competing IT priorities and an industry-wide tendency to procrastinate when it comes to applying security controls to databases.
How can AI and machine learning be used to boost cloud security?
When it comes to AI as a driver for selecting cybersecurity controls, there is no ambiguity: AI/ML use is a priority and a fundamental requirement.
The reasons AI/ML have emerged as foundational cybersecurity technologies are grounded in the challenges cybersecurity teams face on a daily basis. In addition to leveraging AI/ML to detect, and thus prevent, new and unknown threats such as new malware variants, exploits, or phishing tactics, growing streams of event telemetry are flooding security operations centres (SOCs). The extensive use of cloud services only adds to the level of noise in which security analysts are looking for a high-fidelity signal.
The range of use cases that is driving demand for cybersecurity solutions that utilise AI/ML has clearly expanded from the beachhead application of the technology to applying machine learning algorithms trained on large collections of binaries to detect new and unknown malware. An expanded set of use cases where AI could prove effective for detecting a range of threats beyond malware, with fraud clearly top of mind, include intrusions, exploits, denial of service, and credential abuse.
However, it should be noted that triaging and prioritising security events requires context with respect to the risk profile of the asset potentially being compromised and how the attributes of an in-flight attack could compromise those assets. That is, automating the detection of adversarial activity relative to an organisation-specific threat model is aspirational, if not an unrealistically high bar for the current state of AI/ML.
As already discussed, a complete security architecture involves the integration of people, processes, and technology via a cloud-based, identity-centric approach. To tie it all together, you need a comprehensive management framework. Oracle Management Cloud for example includes a machine-learning engine that correlates the data and enables single pane-of-glass management. It includes preprogrammed AI models, so you don’t need a data scientist to program the system or keep it up to date. The machine learning algorithms add intelligence to DevOps and SOC processes.
What is the best way to manage cloud governance?
Typically, it is easier to come up with governance policies when there is total visibility of enterprise resources. Cloud deployments, however, are very different from on-premises deployments, and it is much harder to enforce governance policies. This is the primary reason why many enterprises rely on cloud management platforms.
These cloud management platforms should ideally eliminate the human effort associated with traditional solutions for monitoring, managing, and governing applications and infrastructure. Enterprises must be able to leverage different services and combinations against the full breadth of the operational data set as appropriate for managing on-premises environments, cloud environments, hybrid cloud environments, and multi-cloud environments.
What security measures should cloud providers have in place?
The cloud security shared responsibility model (SRM) is inherent to the use of cloud services: while in traditional on-premises data center deployments, customers had full physical and logical control over the environment, in the cloud, a customer’s security responsibility is limited to certain operational areas that vary depending on the nature of the cloud services being utilized. It is essential that subscribers of cloud services be fluent in, and up to date on, how they and their service providers share the responsibility for securing their cloud footprint.
It boils down to developing an accurate understanding of who is responsible for what security functions (e.g., patching, malware scanning, log analysis, user provisioning, etc.). As the SRM varies by the type of services, and in many instances, between providers of similar cloud services, the ability of a business to develop an accurate understanding of the SRM is critical to its ability to secure its IT operations.
If a Cloud Computing platform is to be made operationally secure, all the issues potentially posing a threat to the confidentiality, integrity and availability of the data stored there need to be examined. Besides a well-structured procedural model for all IT processes, it is important that a security architecture be set up to protect resources (employees, infrastructure, networks, IT systems, applications, data, etc.) and that the customer is securely isolated.
A robust separation of customers at every level in the Cloud Computing stack (application, servers, networks, storage, etc.) is a fundamental requirement that each Cloud Computing platform should meet. This requirement applies equally both to public and private clouds.
Data centres form the technical basis for Cloud Computing. To this extent, it is important that every CSP ensures their systems are secure in compliance with the current state of the technology. This includes permanent monitoring of access, for example using video monitoring systems, movement sensors, alarm systems and trained security personnel. Any provision components which are essential for operations, for example the power supply, air-conditioning and Internet connection, should be designed to be redundant.
The servers represent the environment for performing the processes and their computations. For this reason, the operating systems deployed on the servers should be hardened to the extent that they offer the smallest possible area to attack.
In the past, Cloud Computing platforms have often been misused, either by placing malware there which is then used to send spam, or their processing power has been exploited to crack passwords using brute force attacks or to hide command and control servers (C&C servers) used to control botnets. To prevent these and similar attacks as well as the misuse of resources, each CSP should take effective security measures to defend against network-based attacks. As well as the usual IT security measures such as anti-virus protection, Trojan detection, spam protection, firewalls, Application Layer Gateways and IDS/IPS systems, particular care should be taken to encrypt all communication between the CSP and the customer and between the provider’s sites. If a third-party provider is required to deliver the services, the communication with them also needs to be encrypted.
In the case of offerings in the PaaS area, customers no longer have to worry specifically about database accesses, scalability, access controls, etc., as the platform provides these functionalities for them. Due to the fact that the customers use the platform’s core functionalities to develop their own software, they can only succeed in developing software securely if the entire software stack on the platform is developed and upgraded professionally and securely.
CSPs typically deploy not just a large number of different software components, but they also continue to upgrade them in order to be able to optimally provide their customers with the services in the runtime environment. When developing software, all CSPs must have established security as a fixed component in the software development life cycle process (SDLC process). Security issues need to be addressed at each phase of the software development process, and programs and modules may only be deployed if they have been properly tested and approved by the CSP’s security manager.
The data life cycle comprises its generation, data storage, data usage, data distribution and data destruction. Cloud Service Providers should support all these phases in the data life cycle with appropriate security mechanisms.
In modern cloud environments, APIs are critical to application function; however, they also expose broader attack surfaces. The importance of API security for applications in cloud environments cannot be overstated.
Oracle developed the API Gateway Service to provide that security. API Gateway is a fully managed, regional service that integrates with customers’ networks on Oracle Cloud Infrastructure. API gateways enable customers to publish public or private APIs, process incoming requests from a client, and apply policies for security, availability, and validation.
API gateways also forward requests to backend services, apply policies to the responses from the backend services, and then forward the responses to the client. API gateways protect and isolate backend services and help customers meter API calls. Connections from clients to API gateways always use TLS to preserve the privacy and integrity of data.
Customers can also configure the connections from API gateways to backend services to use TLS.
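To make the gateway behaviour described above concrete (refusing plaintext clients, applying a security policy to incoming requests, validating the body, metering calls per tenant, and using a certificate-verifying TLS context for the gateway-to-backend hop), here is a small Python model. It is example code added to this article, not Oracle's API Gateway Service or any Oracle code; the API keys, rate limit, request schema and backend are constructed placeholders, and the backend call is a local function standing in for a real TLS connection.

```python
import json
import ssl
import time
from collections import defaultdict

# Constructed placeholders: not real credentials or production limits.
API_KEYS = {"key-alpha": "tenant-a", "key-bravo": "tenant-b"}
RATE_LIMIT_PER_WINDOW = 3
WINDOW_SECONDS = 60


class GatewayError(Exception):
    """A policy rejection, carrying the HTTP status the gateway would return."""

    def __init__(self, status, reason):
        super().__init__(reason)
        self.status = status
        self.reason = reason


class ApiGateway:
    """Hypothetical gateway: checks client-side TLS, authenticates the API key,
    rate-limits (meters) per tenant, validates the JSON body, then forwards
    the request to a backend callable together with a verifying TLS context."""

    def __init__(self, backend, clock=time.monotonic):
        self.backend = backend
        self.clock = clock
        self.recent = defaultdict(list)   # tenant -> timestamps inside the window
        self.accepted = defaultdict(int)  # tenant -> total metered calls
        # Context for the gateway->backend hop. create_default_context() turns on
        # certificate verification (CERT_REQUIRED) and hostname checking, which is
        # the setting a backend TLS connection should keep.
        self.backend_tls = ssl.create_default_context()

    def handle(self, request):
        # Policy 1: the client hop must be TLS (the request carries a flag here).
        if not request.get("tls"):
            raise GatewayError(400, "plaintext client connection refused")
        # Policy 2: authenticate the caller and map the key to a tenant.
        tenant = API_KEYS.get(request.get("headers", {}).get("X-API-Key"))
        if tenant is None:
            raise GatewayError(401, "unknown or missing API key")
        # Policy 3: sliding-window rate limit per tenant (availability policy).
        now = self.clock()
        window = [t for t in self.recent[tenant] if now - t < WINDOW_SECONDS]
        self.recent[tenant] = window
        if len(window) >= RATE_LIMIT_PER_WINDOW:
            raise GatewayError(429, "rate limit exceeded")
        # Policy 4: validate the body before anything reaches the backend.
        body = self._validate_body(request.get("body", ""))
        window.append(now)
        self.accepted[tenant] += 1
        # Forward to the backend with the verifying TLS context, then apply a
        # response policy: only the documented fields go back to the client.
        upstream = self.backend(tenant, body, self.backend_tls)
        return {"status": 200, "body": {"order_id": upstream["order_id"]}}

    @staticmethod
    def _validate_body(raw):
        try:
            body = json.loads(raw)
        except json.JSONDecodeError:
            raise GatewayError(400, "body is not valid JSON")
        if not isinstance(body, dict) or not isinstance(body.get("order_id"), int):
            raise GatewayError(400, "body must contain an integer order_id")
        return body

    def metered_calls(self, tenant):
        return self.accepted[tenant]


def backend_tls_verifies(gateway):
    """True when the backend hop both verifies certificates and checks hostnames."""
    ctx = gateway.backend_tls
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def sample_backend(tenant, body, tls_ctx):
    """Constructed stand-in for the backend service; it refuses a non-verifying context."""
    if tls_ctx.verify_mode != ssl.CERT_REQUIRED:
        raise RuntimeError("backend requires a verifying TLS context")
    return {"order_id": body["order_id"], "owner": tenant, "internal-trace": "x"}


def run_demo():
    """Drives the gateway with constructed requests; returns the status codes seen."""
    fake_now = [0.0]
    gw = ApiGateway(sample_backend, clock=lambda: fake_now[0])
    good = {"tls": True, "headers": {"X-API-Key": "key-alpha"}, "body": '{"order_id": 42}'}
    statuses = []

    def send(req):
        try:
            statuses.append(gw.handle(req)["status"])
        except GatewayError as err:
            statuses.append(err.status)

    send({**good, "tls": False})                       # plaintext client -> 400
    send({**good, "headers": {"X-API-Key": "bogus"}})  # bad key -> 401
    send({**good, "body": '{"order_id": "x"}'})        # schema failure -> 400
    for _ in range(4):                                 # 3 allowed, 4th -> 429
        send(good)
    fake_now[0] += WINDOW_SECONDS                      # window expires
    send(good)                                         # -> 200 again
    return statuses, gw.metered_calls("tenant-a"), backend_tls_verifies(gw)


if __name__ == "__main__":
    print(run_demo())
```

Note that the body check runs before the call is metered, so a malformed request does not consume a tenant's quota, and the response policy drops the backend's internal field so it never reaches the client.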