By David Senf, Senior Cybersecurity Strategist, Bell, and Dominique Gagnon, General Manager, Cyber Security Practice, Bell
The move to the cloud has forced organizations to re-think how they implement and manage security. We know that securing data in the cloud is not the same as doing so on premise. As the network perimeter disappears and cloud providers take responsibility for more security controls, traditional skills, tools and budget allocation need to change. Regardless of whether cloud use is mainly SaaS-based or a migration of workloads to cloud-native applications, the security requirements are different.
In response, Canadian organizations have begun to redirect their investments. Today, IDC says that more than 20% of companies’ security solutions spend is used for cloud security and it’s expected to grow to 35% by 2025. This raises a question – are those investments being properly directed? Do security professionals have the knowledge and skills to even make that call?
This is where frameworks like the NIST Cybersecurity Framework (NIST CSF) are so useful. They allow us to objectively evaluate our actions and investments based on a shared vocabulary and common standards.
Understanding the NIST CSF for cloud
NIST provides five areas for security professionals to focus on:
- Identify – discover data and assets (such as cloud services) and assign risk levels to each. This includes creating an inventory of assets and controls and keeping them up to date.
- Protect – this covers activities like deploying identity solutions, performing and testing backups, keeping devices, cloud infrastructure and applications updated and training users.
- Detect – collect and analyze logs and monitor for incidents. Understand normal activity and data flows so you can tell if an activity is abnormal.
- Respond – develop, implement and test incident response plans and keep them updated. Ensure appropriate action can be taken to stop or mitigate the attack. Keep stakeholders informed.
- Recover – this includes not only the actual technical recovery, but also activities such as communication with stakeholders, managing public relations and company reputation, and updating and testing recovery plans.
A shift in focus
If we look at an organization’s investments through this framework, most of the security spending today is directed at the Protect function. But in a cloud-centric world, is that the most appropriate or even the most valuable area? Should more of the investment go toward the other functions, such as Identify, Detect and Respond?
The organizational perimeter and the assets it contains change constantly in the cloud as users implement and modify services, sometimes without IT’s knowledge. As a result, there must be continuous monitoring to identify new cloud services, configuration drift, access rights (sometimes referred to as entitlements) and even which “clouds” are in use. The software supply chain in a cloud world is much larger and more difficult to manage. If we cannot adequately identify our cloud assets, we will equally struggle to identify and manage risk. Tools such as cloud access security brokers (CASB), attack surface management, cloud security posture management (CSPM) and cloud infrastructure entitlement management (CIEM) have emerged to help address these challenges.
The Detect and Respond functions also need more attention. Teams need to be aware of the top threats and vulnerabilities they are likely to face, but that alone is not enough. They also need to practice incident response within their new cloud architectures. No longer capable of restricting access behind a firewall, organizations need to be more aware and prepared. When the inevitable breach happens, security professionals need to be able to rapidly reduce access privileges, change configurations, spin down workloads (in platform services), re-route network access and take many other remediation actions. For those who can afford it, consideration may also be given to more aggressive threat hunting capabilities.
In the cloud, Recovery is very different from the same function performed on premise. A key benefit of the cloud is also one of its greatest challenges – assets are ephemeral and distributed. They are harder to discover and keep track of, but that can work in an organization’s favour, as an attacker may have trouble maintaining persistence within the environment. Containers, infrastructure as code and cloud serverless functions lend themselves to more rapid recovery, but leveraging these abilities and tools may require new and upgraded skills.
While the case can be made for emphasizing Identify, Detect, Respond and Recover, the Protect function is still critical, even if overall spend shifts towards the other functions. In fact, certain facets of it become more important. For example, with single sign-on spanning both on premise and cloud environments, credentials are increasingly a target for attackers. Emphasis on an identity and access management (IAM) program becomes essential.
Similarly, good security hygiene must also continue to be an area of focus. Best practices that IT professionals have implemented for decades are equally important in the cloud. For example, the principle of least privilege for users – and monitoring to make sure those privileges are not increased – helps prevent improper activity from outside threats and from malicious, careless or compromised insiders. In addition, data loss prevention (DLP) may be tricky on premise, but in cloud environments the tools have improved. This capability is even more important in the cloud than it is in the on premise environment.
In a world where increasingly any misconfiguration can lead to disaster, monitoring configuration drift and auto-remediating can prevent unsecured and exposed credentials, storage buckets and data from pushing an unsuspecting company into the headlines.
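As an added illustration of the three monitoring activities described above (discovering services outside the asset inventory, watching for entitlements that grow beyond least privilege, and detecting and auto-remediating configuration drift on storage buckets), here is a small posture check written for this article. It is not Bell’s code or any vendor tool; the inventory, baselines and “current state” are constructed sample data standing in for what a CSPM or CIEM collector would return, and the remediation step only updates the in-memory record where a real tool would call the cloud provider’s API.

```python
"""Minimal cloud posture check: asset inventory, entitlement growth and
bucket configuration drift with auto-remediation.

Added example, not from the article. All data below is constructed; the
resource names, permissions and access settings are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed baseline: approved services, the maximum permission set each
# principal should hold, and the expected access setting of each bucket.
APPROVED_SERVICES: Set[str] = {"object-storage", "compute", "managed-db"}

BASELINE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "svc-reporting": {"storage:read"},
    "alice": {"storage:read", "storage:write"},
}

BASELINE_BUCKET_ACCESS: Dict[str, str] = {
    "finance-exports": "private",
    "public-website-assets": "public",
}


def sample_state() -> dict:
    """Constructed 'current state' as a collector might report it. Returned
    fresh on every call so that remediation does not leak between runs."""
    return {
        "services": ["object-storage", "compute", "managed-db", "ml-notebooks"],
        "entitlements": {
            "svc-reporting": {"storage:read", "storage:write", "iam:admin"},
            "alice": {"storage:read"},
        },
        "buckets": {
            "finance-exports": {"access": "public"},
            "public-website-assets": {"access": "public"},
        },
    }


@dataclass
class Finding:
    function: str      # NIST CSF function the finding maps to
    resource: str
    detail: str
    remediated: bool = False


def find_unknown_services(state: dict, approved: Set[str]) -> List[Finding]:
    """Identify: services in use that are not in the approved inventory."""
    return [Finding("Identify", s, "service not in asset inventory")
            for s in state["services"] if s not in approved]


def find_privilege_growth(state: dict, baseline: Dict[str, Set[str]]) -> List[Finding]:
    """Detect: principals whose permissions exceed the recorded baseline.
    Only increases are flagged; a principal holding fewer rights is fine."""
    findings = []
    for principal, perms in state["entitlements"].items():
        extra = perms - baseline.get(principal, set())
        if extra:
            findings.append(Finding("Detect", principal,
                                    "entitlement grew: " + ", ".join(sorted(extra))))
    return findings


def remediate_bucket_drift(state: dict, baseline: Dict[str, str],
                           auto_fix: bool = True) -> List[Finding]:
    """Respond: buckets whose access setting drifted from the baseline.
    With auto_fix the record is set back to the baseline value, standing in
    for the provider API call a real tool would make."""
    findings = []
    for name, cfg in state["buckets"].items():
        expected = baseline.get(name)
        if expected is None:
            findings.append(Finding("Identify", name, "bucket not in baseline"))
            continue
        if cfg["access"] != expected:
            f = Finding("Respond", name,
                        f"access drifted from {expected} to {cfg['access']}")
            if auto_fix:
                cfg["access"] = expected
                f.remediated = True
            findings.append(f)
    return findings


def run_posture_check(state: dict, auto_fix: bool = True) -> List[Finding]:
    """Run all three checks against one state snapshot and return the findings."""
    return (find_unknown_services(state, APPROVED_SERVICES)
            + find_privilege_growth(state, BASELINE_ENTITLEMENTS)
            + remediate_bucket_drift(state, BASELINE_BUCKET_ACCESS, auto_fix))


if __name__ == "__main__":
    for f in run_posture_check(sample_state()):
        flag = " [auto-remediated]" if f.remediated else ""
        print(f"{f.function:8} {f.resource:24} {f.detail}{flag}")
```

On the sample data the check reports one unknown service, one principal whose entitlements grew (including an admin right it never had in the baseline), and one bucket that drifted to public and was set back to private. Keeping the baseline separate from the live state is the point: drift is only meaningful against an inventory you maintain, which is why the article places asset identification ahead of detection and response.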
Where do you start?
All this may seem overwhelming, especially when the skills shortage makes it difficult to find infosec pros who can handle all of these tasks. It’s often wise to look outside the organization to companies like Bell, whose managed security services have a large team of people with the right expertise and security operations centres (SOCs) to provide 24/7 protection. A managed security services provider (MSSP) has an advantage over most companies – because of its scale it can afford to hire and retain top-tier security professionals, and since it works with multiple clients, it can offer its services at a reasonable rate. Whether it is offering monitoring and protection on premise with Bell Managed Security Services, something for the cloud such as Bell Cloud Security Solutions or a unified operations management approach like Bell Security Unified Response Environment, customers know that the professionals watching over their organizations possess the required expertise to keep them safe.
Security dollars still need to be spent when you move to the cloud, but where they’re spent will change, as will the skills of the security professionals managing them. The investment to get there is worth it, given the improved security that can result. Frameworks like NIST help us to understand and have an effective dialogue about these investments with both our technical and business management teams.