Cloud provides flexibility, cost savings, and often also better technical security than on-premise solutions. However, if you are used to the on-premise world, the cloud environment may bring new risks that you haven’t encountered before.
In early 2020, I interviewed Mattias Almeflo and Liisa Holopainen about cloud threats and legislation related to the cloud. Mattias is a Principal Security Consultant at Nixu and has experience in military and defense security and security architecture. Liisa, a lawyer at the time, is an expert in cyberlaw and privacy. My experience is in threat modeling and application security, and I have evaluated risks in multiple cloud migration projects.
We all agree that you need to threat model your cloud and do a risk analysis to make your cloud environment more secure.
Re-evaluate your business risks
Mattias compared the cloud transition to moving from a detached house to a block of flats. You transfer some maintenance responsibilities to the housing co-operative, but now someone also has the master key. Besides, you must live by the common rules.
In the cloud world, maintenance access for your application developers and cloud service provider’s administrators is typically more open than in the on-premise world. Technical measures can mitigate some of these threats, but you should also consider processes related to security and privacy. Thinking about the three aspects of security, confidentiality, integrity, and availability helps you with risk analysis.
- Confidentiality: What kind of data are you going to process? Personal data, classified material, cutting-edge unpublished research, company confidential, or public data? What happens if some of that data leaks? Would somebody benefit from it? Will somebody be harmed? Can you trace who accessed your data? Weigh the risks carefully and consider if you can reduce the confidentiality level of the data and restrict access.
- Integrity: Map all the persons and processes that can modify your data. How do you track changes? Where do you have the master data? What happens if the data is modified slightly or deleted entirely? Does your industrial process go haywire, does someone get a wrong medical diagnosis, or is it a minor annoyance?
- Availability: How often do you need to access the data or system? Every day, once a week, at the beginning of each month? How can you work without the data? Is there a workaround? How do fault detection and incident response work with multiple stakeholders and divided responsibilities?
As a part of the risk analysis, it’s important to consider who would be motivated to attack your systems or if configuration mistakes are more likely to happen. Data breach news is often about big companies that have a lot to lose. Don’t get too scared – try to be realistic with your threat scenarios.
Planning to begin your cloud migration? Or already migrated, but still looking to improve your security? Read all about Nixu’s Cloud Services and contact us to learn more.
Better availability – usually
Typically, organizations transition to cloud for better uptime and better scalability. But what’s worth considering are the risks when relying on someone else’s services. What is the service level you need? Do you have alternatives?
In early 2020, many organizations were lacking instant messaging and teleconferencing channels as Microsoft forgot to update an authentication certificate for Teams on Office 365. Fixing the issue took almost an entire working day.
Of course, an expired certificate, misconfiguration, or technical failure could happen to you in your on-premise environment as well, but at least you would have more control over it. Also, situations like these are rare, and typically, there are viable alternatives, such as making a phone call, sending an email, or meeting face-to-face.
Especially if you think about the costs and effort of maintaining your systems, the cloud is still the best solution for many organizations. But if your organization or your line of work requires time-critical communication or data transfer, this is a place for weighing out the risks.
Intellectual property at stake
Sometimes organizations may be concerned about protecting intellectual property rights. Take for example Cloud Hopper, a global cyberattack campaign attributed to the Chinese government and whose name refers to the technique of how the group got hold of sensitive data. The Cloud Hopper campaign affected at least a dozen managed service providers around the world. In late 2019, news broke that the extent of Cloud Hopper attacks was much larger than earlier estimates.
The attackers, also known as APT10, breached the cloud service providers’ infrastructure and then hopped from tenant to tenant by using the service providers’ legitimate access to tenant data. This way, the attackers were able to steal, for example, intellectual property of medical equipment and electronics companies, security clearance details, and other corporate and government secrets.
First Cloud Hopper attacks date to 2014, and the group is still believed to be active, although the amount of attacks has gone down in recent years. This and other upstream attacks remind us that it is not enough to protect and monitor your own interfaces and APIs. Third-party access and integrations may be the way into your network.
Concerned about third-party interference? Download our whitepaper and check if your clouds ticks all the boxes: Whitepaper: Your to do list for a secure cloud – no more learning the hard way.
Know your supply-chain
Liisa Holopainen brought up the importance of understanding the full supply chain. It’s common for service providers to use contractors and subcontractors for customer support or operations, and the supply chain can be quite long. According to Liisa, it may not at first glance be apparent who is handling your data and whether all parties are located in the EU region.
Liisa’s advice to cloud transitions was to first clarify your requirements about data security levels and handling, then find out all the parties handling your data, and only then start dwelling into agreement details.
“Even if your service provider resides in the EU, you need to know whether they use subcontractors, and where these are located. Check out also that your backup locations are in the same region, or if in emergency cases someone from another continent can start debugging your systems and data.”, Liisa explained.
Your line of business, the type of data you handle, where you do business, and how time-critical communications and access you need: all these affect your threat landscape. They have an impact on your security requirements, and sometimes also the cloud service provider you can select. You can make your cloud secure, but first, you need to know what you are protecting and what is the risk level you can handle.
Moving to the cloud is not always easy – and even after it is done, questions may linger. Is my data safe? What threats am I facing? Am I seeing the big picture? If these questions sound familiar, Nixu’s Cloud professionals can help you.
Our elite Cloud team members (two of them MS Azure MVPs) each have 10+ years of experience and cloud expertise: they provide high value security solutions and services for Microsoft, Amazon and Google cloud environments and help you maximize your cloud security with our state-of-the-art tools.
Don’t take risks with your cloud: get in touch and let’s secure it together.
Would you like to stay up to date with the new cybersecurity trends? Subscribe to the Nixu newsletter.