For its 10th anniversary, the CyberCrime Symposium took to the cloud, where security still concerns, confuses and confounds info-sec pros. For this year’s event, sponsored by AWS, Tyler Cybersecurity put together a stellar lineup of speakers, who took the stage to discuss the high stakes of cybersecurity in a world taken with the cloud.
For the first time, the symposium program included interactive breakout sessions — with separate tracks exploring the technical and risk and compliance sides of the house. The event wrapped with a peer panel, whose participants discussed lessons learned from their own cloud migrations.
In his opening remarks, Brendan Travis, Tyler Cybersecurity’s director of business development, asked attendees to consider the state of cloud security at the time of the inaugural symposium, a decade earlier. “Cloud security was just coming into its own, starting to attract the attention of the security world,” said Travis. To punctuate his point, he reminded the crowd that Jim Reavis, slated to speak later that day, founded the influential Cloud Security Alliance (CSA) in the same timeframe.
“In the intervening 10 years,” Travis said, “cloud security has only gained momentum, drawing more and more attention as the benefits of cloud migration grow.” But even with all the advantages that come with cloud computing, cloud security’s still sketchy in the minds of many CISOs.
Rack and Stack on Cruise Control
That was the case for Patrick Woods, security assurance lead, US public sector compliance for AWS, until a security crisis changed this thinking. As the first CISO for the Missouri State Highway Patrol, Woods was forced to rely on rudimentary tools to muscle his department through the 2014 DDoS attacks launched by Anonymous, in response to the chaos unfolding in Ferguson.
In his keynote, “Leveraging Cloud Controls to Improve Security in Times of Crisis,” Woods said that incident was the turning point in his attitude toward the cloud. “We’d always kept the cloud at arm’s length because we were concerned about access control,” he said. “As someone who’d been in the trenches during that incident, I started considering the security positives we’d gain if we went to the cloud.”
Woods put aside all preconceived notions and started to meet with providers, who had the advanced tools and rerouting capabilities that would have eased his incident response effort. “We realized we could take baby steps, spinning up a virtual server to start off with a test system,” said Woods. “We didn’t have to dive into cloud computing headfirst.”
Cloud Forecast: Lower Visibility
As organizations put more assets in the cloud, CISOs struggle to adapt on-prem incident response controls to cloud environments. They’re under pressure to revamp IR plans as cloud discussions heat up, said Dave Shackleford, principal consultant at Voodoo Security.
In his “Incident Response in the Cloud” presentation, Shackleford walked attendees through ways they could adapt their IR practices and workflows to cloud-based environments. In addition, he used SANS Institute’s 2019 Cloud Security survey to temper some of their fears over cloud adoption. As it turns out, survey data revealed a significant perception vs. reality gap in the cloud security concerns cited by respondents. For instance, nearly 60% said unauthorized access was a major concern, but less than 20% actually had an outsider gain access to a cloud system.
No surprise: Third on the list of respondent concerns was a lack of visibility into their cloud-based systems. “Security professionals feel like they don’t have the kind of visibility in cloud environments that they get in-house, and that thread runs throughout IR discussions,” said Shackleford.
This contributes to the imaginative scenarios security pros conjure up when they’re migrating. “CISOs get all spun up about things that could happen in the cloud, like virtual machines escaping,” Shackleford joked. “They’ve got a much bigger problem — users writing down their passwords.”
Check out other takeaways from 2019’s event:
Security’s a shared responsibility. How do cloud providers and customers reconcile the responsibilities critical to a strong security posture? They rely on the “shared responsibility” model, where the provider controls and secures the cloud infrastructure and the customer controls and secures what they put there.
Just say yes. When Jim Reavis founded the CSA, he believed the organization could be more than just a leader in defining cloud-security best practices. Security professionals don’t want to be the wet blankets of innovation, but it’s difficult when they’re regularly burned by rogue IT and risk-addicted employees.
“We didn’t want to be the ones to say ‘no’ to the cloud. The idea was for security pros to embrace the cloud, but in a thoughtful, secure way,” said Reavis, the CSA’s CEO. “If we started defining defensible best practices in 2009, they’d be in place when adoption took off.”
Security in the show. At the end of his session, “Leveraging the Cloud for Resiliency,” Don Anderson advised attendees worried about cloud adoption to consider the high stakes of security for big-league providers.
“Security in the cloud is stronger than on-premise security,” said Anderson, Senior VP and CIO, Federal Reserve Bank of Boston. The big cloud providers — AWS, Azure and Google — have huge customers and everything to lose if they fail to protect them.
Moreover, he said, “they’re building awesome functionality and innovating faster and at a much larger scale than any organization, regardless of its budget or size, ever could.”
People, process, technology—in that order. Employee security training programs become even more important when organizations start making cloud moves. Companies can subscribe to every Amazon service in sight, but if they don’t have trained, motivated people working with those systems, they’re asking for security problems, said Jeremy Ward, senior ISO for Tyler Technologies.
“Security professionals can’t control everything, a situation exacerbated by the cloud’s availability,” said Ward, whose breakout session covered technical considerations in cloud migrations. Anyone can create an AWS account, build a system, and load it with corporate data. If info-sec leads haven’t implemented a cloud access security broker or similar mechanism to detect such activity, they may never know that data’s been moved to the cloud. And if they don’t know about it, it’s not covered by security controls.
Ward’s advice: identify cloud proponents in the organization and ‘deputize’ them as security team members. Teach them basic security concepts — authentication, network segmentation, identity and access management — and their real-world application.
Then, when they propose moving a workload to the cloud, ask how they’d apply these controls. After all, Ward said, it’s far easier to implement controls for applications at the outset than after they’re in the cloud.
This is the first in our series of posts presenting key takeaways from our 2019 CyberCrime Symposium, held Oct. 18-19. The program — Cloud Security — featured an incredible line-up of speakers. If you couldn’t get a seat at the event or want a refresher on various sessions, don’t miss upcoming installments.