So you’ve locked down your perimeter defenses tightly and implemented comprehensive monitoring and remediation facilities.
All your employees have been trained to spot potential phishing attacks and your email filtering ensures bad actors get dumped unceremoniously into the street, long before their spam and malware gets anywhere near your gleaming infrastructure.
Even your pentesters have started to complain that they’re running out of attack vectors.
Before you decide to relax, there’s something you may have overlooked.
When you set up your infrastructure, the phrase ‘on premises’ was a pointless distinction. Of course everything was on-prem. Your server racks, your switches, everything belonged to the company. Only the communications links were out of your control, and that was no problem, since as long as you encrypted everything that went over them, it didn’t much matter what happened out there in the Big Blue Yonder. And you had backup links to cover single points of failure, and geographically distributed server clusters with regularly-tested disaster recovery processes.
So your main vulnerability was (and often still is) the rogue sysadmin. And even there, you mitigated that vulnerability by using the time-honored techniques of the financial industry: two separate logins to authorize highly privileged operations, or 2FA where a second party holds one of the authentication factors, and mandatory policies that require key personnel to take at least a week’s vacation in a single block (which allows you to correlate system activities with that person’s presence).
But – and there’s always a but in security – you didn’t know about Fred in sales. Fred’s a dynamic young exec and he’s not impressed with the in-house CRM system. So he uses his company credit card to purchase a Salesforce license. One of the interns works with him to customize it and produce some awesome reports. Soon other team members are using Salesforce. More licenses are purchased, using individual credit cards – the sales manager is happy to authorize the expense which is filed under ‘Office Expenses’ and meets the finance department’s procurement rules.
There’s nothing installed locally either, so the Ops people never get consulted – and before long you have 50 people all using Salesforce. Targets are met – and exceeded; your company has a great quarter.
Before long your entire customer list is now on the Salesforce database. Along with all sorts of useful information like key contact details, financial information, marketing plans, and so on.
Then Fred gets poached by a competitor. His logon is still valid; someone else ‘borrowed’ it when he left. As long as the account payments get made by someone, it turns out to be easier just to recycle existing accounts. No one bothers to change the password. No one’s auditing accesses, either.
So Fred can easily exfiltrate the data. To a salesperson, all’s fair in love and war. Only targets matter. It’s highly likely you’ll never find out, either.
It gets worse. Someone in the development team needs to do some scalability testing. They spin up some Amazon AWS instances and then – with the permission of the team lead – copy up some large datasets for testing. Supposedly these were anonymized, so they met your security criteria.
Because this was just a test environment, and there were contractors needing to access it as well as employees, someone sets the AWS storage bucket ACL to allow ‘authenticated users’. This, effectively, allows any AWS user to access the buckets: ‘authenticated’ here means any AWS account anywhere, not just accounts belonging to your organization.
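The check a defender would want for exactly this misconfiguration, as an added example that is not part of the original post: it inspects S3 bucket ACLs for grants to the predefined global groups. The ACL dicts are constructed to match the shape boto3’s `s3.get_bucket_acl(Bucket=...)` returns, so it runs offline; the bucket names and IDs are made up.

```python
"""Flag S3 bucket ACL grants that open a bucket to every AWS account.
Added example, not from the original post. The ACL dicts are constructed
to match what boto3's s3.get_bucket_acl(Bucket=...) returns, so this runs
offline; a live audit would feed each real response into audit_acl()."""

# Predefined S3 groups. 'AuthenticatedUsers' is ANY AWS account in the
# world, not just your own accounts; 'AllUsers' is anonymous access.
RISKY_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone, no login needed",
}

OWNER = {"ID": "owner-canonical-id"}                              # constructed
OWNER_GRANTEE = {"Type": "CanonicalUser", "ID": "owner-canonical-id"}
AUTH_USERS = {"Type": "Group",
              "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

# Constructed sample ACLs: the test bucket from the article and a private one.
# The 'authenticated-read' canned ACL produces exactly the AUTH_USERS grant.
SAMPLE_ACLS = {
    "scalability-test-data": {"Owner": OWNER, "Grants": [
        {"Grantee": OWNER_GRANTEE, "Permission": "FULL_CONTROL"},
        {"Grantee": AUTH_USERS, "Permission": "READ"}]},
    "finance-archive": {"Owner": OWNER, "Grants": [
        {"Grantee": OWNER_GRANTEE, "Permission": "FULL_CONTROL"}]},
}


def audit_acl(bucket, acl):
    """Return (bucket, permission, who) for every grant to a global group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in RISKY_GROUPS:
            findings.append((bucket, grant["Permission"],
                             RISKY_GROUPS[grantee["URI"]]))
    return findings


def audit_all(acls=SAMPLE_ACLS):
    """Audit every bucket; an empty list means no bucket is world-readable."""
    return [f for name, acl in acls.items() for f in audit_acl(name, acl)]


if __name__ == "__main__":
    for bucket, perm, who in audit_all():
        print(f"{bucket}: {perm} granted to {who}")
```

Run against real ACLs, the same logic also catches `WRITE` or `FULL_CONTROL` grants to these groups, which are worse than the read-only case in the story.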
At some point – and it’s not clear when, because the logs got lost when the AWS instances were decommissioned – somebody external to the organization discovers the AWS storage buckets and exfiltrates the data. Using other publicly available material they are able to de-anonymize a great deal of it. Using that sensitive corporate data, they then launch a very successful spear-phishing attack against key personnel within several of these companies. Who just happen to be your customers. Or were.
Now that your clear blue skies are becoming increasingly cloudy, you need to refashion your perimeter defenses to guard against the unplanned, ad hoc expansion of your tightly-defended on-premises infrastructure into cyberspace. Sure, having policies to manage the procurement of cloud-based services is a good idea. But, as any young, ambitious exec knows, policies are just the dead hand of bureaucracy; a fence to be jumped.
So you need more than just processes. Your perimeter defenses need to be looking outward and not just inward. When internal systems start accessing sites associated with the provision of cloud-based services, that’s a tripwire. You should be able to account for every user accessing these sites and the activities that they undertake. In addition, you need to be able to access these sites yourself in a privileged context, so that you can audit the data stored outside your organization and determine that it is both secured and consistent with corporate policies.
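The tripwire described above, as an added example that is not part of the original post: it runs over proxy access logs, groups users by the cloud service they reached, and reports the ones nobody has authorized. The log lines, the watch list of domains and the approved-user sets are all constructed; in practice you would read your own web proxy’s access log and maintain those lists yourself.

```python
"""Egress tripwire for unsanctioned SaaS/cloud use, from proxy logs.
Added example, not from the original post; log lines, watch list and approved
users are constructed. Feed it your real proxy access log instead of LOG."""
import re
from collections import defaultdict

# Constructed Squid-style access log: time user method url status
LOG = """\
1520000000.123 fred.sales GET https://login.salesforce.com/ 200
1520000001.456 intern.jo GET https://na1.salesforce.com/reports 200
1520000002.789 dev.sam PUT https://scalability-test-data.s3.amazonaws.com/dump.csv 200
1520000003.012 dev.sam GET https://console.aws.amazon.com/s3/ 200
1520000004.345 alice GET https://intranet.example.com/ 200
"""

# Cloud/SaaS domain suffixes whose appearance in egress traffic is the
# tripwire. Extend with whatever services your organization watches for.
WATCH_LIST = {
    "salesforce": ("salesforce.com",),
    "aws": ("amazonaws.com", "aws.amazon.com"),
}
# Users whose use of each service has actually been sanctioned (constructed).
APPROVED = {"aws": {"dev.sam"}, "salesforce": set()}
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def service_for(host):
    """Name the watched service a hostname belongs to, or None."""
    for service, suffixes in WATCH_LIST.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return service
    return None


def cloud_users(log=LOG):
    """Map each watched service to the set of users seen accessing it."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # skip malformed lines, don't crash
        user, url = m.group(2), m.group(4)
        host = url.split("//", 1)[-1].split("/", 1)[0].lower()
        service = service_for(host)
        if service:
            seen[service].add(user)
    return dict(seen)


def unaccounted(log=LOG, approved=APPROVED):
    """Per service, the users nobody has authorized: these are the accounts
    you should be able to account for and, in the story, cannot."""
    return {svc: sorted(users - approved.get(svc, set()))
            for svc, users in cloud_users(log).items()
            if users - approved.get(svc, set())}
```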
You also need to ensure that the credentials needed to access these sites are properly secured. This may mean extending your Active Directory infrastructure so that they can be stored securely as extended attributes on the user’s account. If possible, it may alternatively entail federating your identity management systems into the cloud so that corporate single sign-on (SSO) works with these systems.
If you don’t implement something like this, then logons and passwords for external cloud-based services will end up scrawled on Post-it notes, shared with other users, and pinned to monitors. There will be no mandatory complexity, lockout, or password change policies on these credentials, yet they control access to highly sensitive corporate information.
With GDPR legislation due to become effective shortly, the management of this information is becoming an increasingly important priority for organizations. Personally-identifiable data must be effectively secured, audited and controlled. The price of failure is now not just embarrassing headlines, lost customers and a sudden unplanned change of career. It can be a substantial financial penalty levied on the organization. Risks like this tend to focus minds at boardroom level. So it’s time to review your cloud-based defense strategies. Before someone clouds up your skies and rains on your parade.