Cloud Security Starts at Home
Tue, 30 Aug 2016 10:28:14 GMT
Cloud security is getting attention and that’s as it should be. But before you get hung up on techie security details like whether SAML is more secure than OpenID Connect and the like, it’s good to take a step back. One of the tenets of information security is to follow the risk. Risk is largely a measure of damage and likelihood. When you are looking at different threats to the same cloud-based data, the damage is the same for each of them, so the risk becomes a function of the likelihood of each threat.
In the cloud we worry about the technology and the host of the cloud. Let’s focus on industrial-strength infrastructure and platform-as-a-service clouds like AWS and Azure. And let’s throw in O365. It’s not infrastructure or platform, but its scale and quality of hosting fit our purposes in terms of security and risk. I don’t have any special affection for any of the cloud providers, but it’s a fact that they have the scale to do a better, more comprehensive, more active job on security than my little company does, and I’m far from alone. This level of cloud doesn’t historically get hacked because of stupid operational mistakes or flimsy coding practices with cryptography and password handling, or because of obscure vulnerabilities in standards like SAML and OpenID Connect (though those vulnerabilities do exist). It’s because of tenant-vectored risks: either poor security practices by the tenant’s admins, or vulnerabilities in the tenant’s technology which the cloud is exposed to or on which it is reliant.
Here are just a few scenarios of cloud intrusions with a tenant origin vector:

| # | Tenant vulnerability | Cloud intrusion |
|---|----------------------|-----------------|
| 1 | Admin’s PC infected with malware | Cloud tenant admin password stolen |
| 2 | Tenant’s on-prem network penetrated | Intrusion over the VPN connection between cloud and on-prem network |
| 3 | Tenant’s Active Directory unmonitored | Federation/synchronization with on-prem AD results in an on-prem admin’s account having privileged access to the cloud |
I’m going to focus on the latter scenario. The point is that most organizations integrate their cloud with their on-prem Active Directory, and that’s as it should be. We hardly want to go back to the inefficient and insecure world of countless user accounts and passwords per person. We were able to largely reduce that over the years by bringing more and more on-prem apps, databases and systems online with Active Directory. Let’s not lose ground on that with the cloud.
But your greatest risk in the cloud might just be right under your nose, here in AD on your local network. Do you monitor changes in Active Directory? Are you aware when there are failed logons or unusual logons to privileged accounts? And I’m not just talking about admin accounts. Just as important are those user accounts that have access to the data your security measures are all about. So that means identifying not just the IT groups in AD but also those groups which are used to entitle users to that important data. Very likely some of those groups are re-used in the cloud to entitle users there as well. Of course the same goes for the actual user accounts.
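As an added example (not from the article or from EventTracker), here is the kind of correlation a SIEM would run over Windows Security events from the domain controllers to answer the questions above: membership changes to a watch-list of groups that includes the data-entitlement groups as well as the IT groups, repeated failed logons to privileged accounts, and logons to those accounts from anywhere other than a known admin workstation. The event records, group names, account names and addresses are constructed; event IDs 4728/4732/4756 (member added to a security-enabled group), 4624 (logon) and 4625 (failed logon) are the standard Windows Security log IDs.

```python
from collections import Counter

# Constructed sample of parsed Security events, reduced to the fields the rules need.
EVENTS = [
    {"id": 4732, "target_group": "CORP\\Sales-Reports", "member": "CORP\\asmith"},
    {"id": 4728, "target_group": "CORP\\Finance-Data-Readers", "member": "CORP\\contractor1"},
    {"id": 4625, "target_user": "CORP\\cloud-admin", "ip": "203.0.113.7"},
    {"id": 4625, "target_user": "CORP\\cloud-admin", "ip": "203.0.113.7"},
    {"id": 4625, "target_user": "CORP\\cloud-admin", "ip": "203.0.113.7"},
    {"id": 4624, "target_user": "CORP\\cloud-admin", "ip": "10.0.0.5"},
    {"id": 4624, "target_user": "CORP\\cloud-admin", "ip": "203.0.113.7"},
]

# Watch-lists (constructed): IT groups plus the groups that entitle users to sensitive data,
# the privileged accounts (including the account used to sync/federate with the cloud),
# and the workstation(s) privileged logons are expected to come from.
WATCHED_GROUPS = {"CORP\\Domain Admins", "CORP\\Finance-Data-Readers"}
WATCHED_ACCOUNTS = {"CORP\\cloud-admin", "CORP\\svc-aadsync"}
KNOWN_ADMIN_HOSTS = {"10.0.0.5"}

GROUP_MEMBER_ADDED = {4728, 4732, 4756}  # global / local / universal security group
LOGON, FAILED_LOGON = 4624, 4625
FAILED_THRESHOLD = 3


def find_alerts(events, threshold=FAILED_THRESHOLD):
    """Return (rule, account_or_group, detail) tuples for events matching the three rules."""
    alerts = []
    failures = Counter()
    for e in events:
        if e["id"] in GROUP_MEMBER_ADDED and e.get("target_group") in WATCHED_GROUPS:
            alerts.append(("group_change", e["target_group"], e["member"]))
        elif e["id"] == FAILED_LOGON and e.get("target_user") in WATCHED_ACCOUNTS:
            failures[e["target_user"]] += 1
            # Fire once when the threshold is reached, not on every later failure.
            if failures[e["target_user"]] == threshold:
                alerts.append(("repeated_failed_logon", e["target_user"], threshold))
        elif (e["id"] == LOGON and e.get("target_user") in WATCHED_ACCOUNTS
              and e.get("ip") not in KNOWN_ADMIN_HOSTS):
            alerts.append(("logon_from_unusual_host", e["target_user"], e["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print(alert)
```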
Even for those of us who can say our network isn’t connected by VPN or any direct connections (like ExpressRoute for Azure/O365) and there’s no federation or sync between our on-prem and cloud directories, your on-prem, internal security efforts will make or break your security in the cloud, and that’s simply because of scenario #1. At some point your cloud admin has to connect to the cloud from some device. And if that device isn’t secure or the cloud admin’s credential handling is lax, you’re in trouble.
That’s why I say that most of us in the cloud need to first look inward for risks. Monitoring, as always, is key. The detective control you get with a well implemented and correctly used SIEM is incredible and often the only control you can deploy at key points, technologies or processes in your network.
“This article by Randy Smith was originally published by EventTracker.” http://www.eventtracker.com/newsletters/cloud-security-starts-at-home/
The Leftovers: A Data Recovery Study
Thu, 18 Aug 2016 08:17:08 GMT
I did a webinar a while back with Paul Henry on “What One Digital Forensics Expert Found On Hundreds of Hard Drives, iPhones and Android Devices”, which was sponsored by Blancco Technology Group, which makes really cool data erasure software for the enterprise.
Blancco has released a whitepaper, The Leftovers: A Data Recovery Study, based on the same work that Paul did. To demonstrate just how easy, common and dangerous it is when data is improperly removed before used electronics are resold, Blancco Technology Group purchased a total of 200 used hard disk drives and solid state drives from eBay and Craigslist in the first quarter of 2016.
Here are the top findings from their study:
- 67 percent of the used hard disk drives and solid state drives hold personally identifiable information and 11 percent contain sensitive corporate data.
- Upon analyzing the 200 used drives, company emails were recovered on 9 percent of the drives, followed by spreadsheets containing sales projections and product inventories (5 percent) and CRM records (1 percent).
- 36 percent of the used HDDs/SSDs containing residual data had data improperly deleted from them by simply dragging files to the ‘Recycle Bin’ or using the basic delete button.
Check out the paper at http://info.blancco.com/en-rs-leftovers-a-data-recovery-study?utm_source=ultimatewindowssecurity&utm_medium=blog&utm_campaign=UWS