It took just one email spoofing attack to defeat a hospitality empire. That hack – conducted against the hotel chain Starwood in 2014 – compromised the unencrypted personal data of thousands of guests held in the firm’s cloud databases. Worse still, the injected malware sat unnoticed for years, even after Starwood was purchased by its much larger rival, Marriott, whereupon the program began harvesting the details of Marriott’s customers, too. By the time the infection was purged, some 500 million guests’ passport numbers, names and email addresses were in the hands of state-sponsored Chinese hackers.
While the scale of the attack against Marriott remains shocking, the weaknesses in cloud security exploited by the hackers remain sadly unremarkable. According to a recent study by Forrester, some 45% of organisations surveyed employed a hybrid modernisation approach toward their cloud security, maintaining on-premises servers while adding extra cloud solutions on top. This is, overwhelmingly, how cybercriminals penetrate corporate defences in the first place, exploiting misconfigured data storage buckets or slipping through cracks in firewalls that bridge these online and offline facets of a company’s cloud empire. Worse yet, it seems that many firms have little idea about how to prevent these types of attacks from happening in the first place, with another survey by Osterman Research finding that 84% of organisations’ understanding of cloud security remains ‘entry-level,’ while another 80% have experienced at least one cloud security incident in the past year.
The way to overcome this challenge, suggest many researchers in the space, lies in automating as many cloud security practices as possible. Never before has there been an opportunity to kill so many unfortunate birds with a single stone, they say, with automation promising to ameliorate the cybersecurity skills gap that makes it so difficult to hire specialists in the first place, reduce incidents of burnout among those already on the team, and – most importantly – watch for breaches in progress with the kind of attention only a machine can muster. Ultimately, explains Sergio Loureiro, a VP at Outpost24 and founding member of the Cloud Security Alliance, automation will eradicate the silly mistakes that invite most cyberattacks.
The potential of cloud security automation, says Loureiro, is most evident in the public cloud. “On Azure, Amazon and Google you can deploy anti-virus and malware with the click of a button, right out of the box, that’s the automated part,” he says. “This makes life much easier for even the smaller organisations.”
Implementing new strategies can be done in a matter of minutes, agrees Etay Maor, senior director of security strategy at Cato Networks. “Say, for example, you’re running a shop and you have 114 firewalls and 50 Cisco firewalls and now there’s a new vulnerability,” says Maor. “You need to implement a new rule 164 times. Or, with cloud security automation, I’m updated and ‘click’ it’s distributed everywhere. Done!”
Automated cloud security also collects tremendous amounts of raw data which, if gathered properly, can add invaluable visibility to the entire system by revealing anomalies that could signal the beginning of a cyberattack, notes James Todd, director of cybersecurity at KPMG. “Almost every process asset is producing a huge amount of telemetry,” says Todd. Harnessing this for the benefit of the business, he adds, involves “understanding the value that’s generating insight from its platforms and how to use that to understand, more accurately, the security posture of an environment.”
The expensive side of cloud security automation
However, cloud security automation may not be a cure-all that guarantees lasting cloud security. Automated tools can go wrong, and when they do, the consequences are dire. A recent report by security company Titania shows that exploitable network misconfigurations cost organisations 9% of their total annual revenue. ‘Respondents also indicated that financial resources allocated to mitigating network configuration, which currently stands around 3.4% of the total IT budget, and a lack of accurate automation, are limiting factors in misconfiguration risk management,’ its authors claim.
The tools supporting cloud security automation are also getting more complex, warns Loureiro. “Cloud providers have been releasing new security tools almost every week,” he says. “It’s really hard to keep up with these new services, which creates a gap between the skills and the security knowledge we have and what is being used right away by the early adopters and developers.” That’s not great news amid a cybersecurity skills crisis of global proportions. A report by security company S-RM reveals that more than a third of US senior C-suite holders and IT leaders surveyed highlighted a lack of cyber skills and expertise as one of the leading issues in their organisations, rising to 42% in the financial services industry.
Practically speaking, this leaves many companies at a disadvantage. Most are still testing the waters with a hybrid cloud approach, where they keep their resources in-house (on-premises) but increase their storage with an added cloud environment. This approach is difficult to manage successfully and has been flagged by Loureiro as a hotbed of mistakes and vulnerabilities. This tends to hit older companies the hardest, adds Loureiro. “For the more traditional organisations, I think the weak spot is really on-premises, and having homogeneous controls at the same level between clouds and non-clouds,” he says. “That is still a balance that many organisations struggle with.”
Public cloud use is not even an option for some smaller companies, which may not have permanent security staff, continues Loureiro. “Many, especially the smallest companies, rely on consultants who are on-site once a month doing updates and so on, which is why malware can spread so fast,” he says. “This is really hard for companies with fewer resources to deal with.”
Ideally, says Loureiro, the most secure way of storing data is with a method called the ‘Poly-cloud’, involving the use of multiple cloud providers across one organisation and choosing the best cloud for each individual project. With data and back-ups distributed, businesses can continue as usual even if services in parts of the company are down. If one part of the company is attacked, elements of infrastructure can be taken down and replaced incredibly quickly, adds KPMG’s Todd.
“That might be a case of bringing everything down and back up again to a known, good state whilst you’re responding to an event, but also being able to take compromised things apart offline and bring something else up in its place very quickly,” he says. “That’s very hard to do in a kind of legacy data centre environment, but much easier to do in a cloud environment.”
Such options are out of reach, however, for most businesses. Maintaining a presence in the cloud is expensive as it is, and carving out space with the hyperscalers certainly isn’t cheap. Consequently, dreams of poly-clouds and automated security provisions remain just that for the majority of businesses. “Pushing for mass consumption of cloud automation is very handy as you do not need to be a security expert to use it,” says Loureiro. “But, at the same time, you will pay.”