Many organizations get so caught up in the promise of the cloud that they overlook the challenges of migrating to a new environment and keeping it secure.
This was the topic of last month’s Cyber Tech & Risk: People in Cybersecurity discussion by Ajay Sood of Symantec, Arani Adhikari of KPMG, Marcos Santiago of TD Canada, and BlueCat’s own Andrew Wertkin.
Together, they broke down the most common cloud migration mistakes they see in the industry.
Falsehood #1: My Cloud Service Provider Will Keep Me Secure
Adhikari, who consults on cybersecurity-related projects for KPMG, told us that customers need to understand “cybersecurity as a joint responsibility for both the Cloud Service Provider (CSP) and Cloud Service Subscriber (CSS).” Those who assume a public cloud provider will comprehensively guard their network as part of their service package risk exposure to avoidable cyber incidents.
Examples of such incidents are easy to find. Some were simply caused by unsecured Amazon S3 buckets (these are like file folders, but in the cloud). The result was exposed voter and customer data at companies like FedEx, Booz Allen Hamilton, and more.
“When an Amazon S3 bucket with sensitive information is exposed, it is not due to any issue on Amazon’s front,” Adhikari explains. “It is due to the misconfiguration of settings that lead to the buckets being public–this is the subscriber organization’s responsibility.”
While Amazon has taken steps to help clients better manage settings on their own end, organizations are not off the hook. Adhikari reminds attendees that organizations are “still responsible for hardening the operating system they host, making sure that the hosted applications are securely deployed, conducting vulnerability assessments on them, etc.” Organizational cloud migration strategies ought to take this into account.
Falsehood #2: The Cloud is an Extension of my Network
During the panel, Wertkin cautioned that the cloud environment – and hybrid cloud environment – is a completely different landscape from the traditional data center. It needs to be treated that way, too. “You’re not in your firewall anymore,” he said. “There’s not a boundary. We’re removing the border between internet and intranet in many, many cases.”
Consider this: DNS queries that come in from the cloud typically get privileged access to the network, yet there's no rigorous pre-check for them. The moment those queries enter the corporate network, they're left to act unchecked. This is because enterprises often build their networks in an ad hoc, decentralized way, which inhibits visibility and control over internal queries at any meaningful scale.
Building a backdoor between internet and intranet requires a more secure migration plan and a resilient network architecture (see: Adaptive DNS for cloud). It just isn't prudent to treat the cloud like a simple additional server on the network.
Falsehood #3: Cloud is Cheaper
Ajay Sood noted that moving applications to the cloud, and data to the cloud, is “a never-ending journey.” While cloud platforms don’t come with the same expense spikes that traditional IT infrastructure demands every few years, they aren’t free of cost guesswork and risk.
“Looking at the number of applications we have now, can we predict where they will be in five or ten years? Every time you need a new application, or any time there’s a new piece of technology, new protocol, or new way of interfacing with your customers or your workers, you’re going to have to adopt that in the cloud. What people don’t often recognize is that the dynamic nature of cloud applications means increased complexity, and it’s also getting more expensive.”
This expanded cost consideration also applies to cybersecurity in the cloud. It isn’t just a CSP’s responsibility. Cloud security isn’t the same as on-premises security, and securing the sprawling compute there requires additional budget.
Moving to the cloud isn’t a prerogative, it’s a responsibility. One that requires thoughtful planning and execution. Cybersecurity incidents can occur when network infrastructure becomes disjointed, responsibility for security is fragmented, and long-term funding is absent. Before deciding that applications and services belong in cloud infrastructure, triple-check those factors to ensure they can support your cloud initiative through its lifetime.
As cloud computing becomes a better understood technology, keep abreast of additional developments in the space. According to Gartner at a recent conference, factors besides cost that also need to be considered in a cloud migration include the availability of talent to administer a cloud infrastructure in the context of a likely-diverse environment and the organizational politics involved in managing that environment.