Cloud provides flexibility, cost savings, and often also better technical security than on-premise solutions. However, if you are used to the on-premise world, the cloud environment may bring new risks that you haven’t encountered before. I interviewed Mattias Almeflo and Liisa Holopainen from Nixu about cloud threats and legislation related to the cloud. Mattias is a Principal Security Consultant with experience in military and defense security and security architecture. Liisa, a Lawyer, is an expert in cyberlaw and privacy. My experience is in threat modeling and application security, and I have evaluated risks is multiple cloud migration projects. We all agree that you need to threat model your cloud and do a risk analysis to make your cloud environment more secure.
Re-evaluate your business risks
Mattias compares the cloud transition to moving from a detached house to a block of flats. Now you have transferred some maintenance responsibilities to the housing co-operative, but now someone also has the master key. Besides, you must live by the common rules.
In the cloud world, maintenance access for your application developers and cloud service provider’s administrators is typically more open than in the on-premise world. Technical measures can mitigate some of these threats, but you should also consider processes related to security and privacy. Thinking about the three aspects of security, confidentiality, integrity, and availability helps you with risk analysis.
- Confidentiality: What kind of data are you going to process? Personal data, classified material, cutting-edge unpublished research, company confidential, or public data? What happens if some of that data leaks? Would somebody benefit from it? Will somebody be harmed? Can you trace who accessed your data? Outweigh the risks carefully and consider if you can reduce the confidentiality level of the data and restrict access.
- Integrity: Map all the persons and processes that can modify your data. How do you track changes? Where do you have the master data? What happens if the data is modified slightly or deleted entirely? Does your industrial process go haywire, does someone get a wrong medical diagnosis, or is it a minor annoyance?
- Availability: How often do you need to access the data or system? Every day, once a week, at the beginning of each month? How can you work without the data? Is there a workaround? How do fault detection and incident response work with multiple stakeholders and divided responsibilities?
As a part of the risk analysis, it’s important to consider who would be motivated to attack your systems or if configuration mistakes are more likely to happen. Data breach news is often about big companies that have a lot to lose. Don’t get too scared – try to be realistic with your threat scenarios.
Better availability – usually
Typically, organizations transition to cloud for better uptime and better scalability. But what’s worth considering is that what are the risks when relying on someone else’s services. What is the service level you need? Do you have alternatives?
Recently, many organizations were lacking instant messaging and teleconferencing channels as Microsoft forgot to update an authentication certificate for Teams on Office 365. Fixing the issue took almost an entire working day.
Of course, an expired certificate, misconfiguration, or technical failure could happen to you in your on-premise environment as well, but at least you would have more control over it. Also, situations like these are rare, and typically, there are viable alternatives, such as making a phone call, sending an email, or meeting face-to-face.
Especially if you think about the costs and effort of maintaining your systems, the cloud is still the best solution for many organizations. But if your organization or your line of work requires time-critical communication or data transfer, this is a place for weighing out the risks.
Intellectual property at stake
Sometimes organizations may be concerned about protecting intellectual property rights. Just before the turn of the year, news broke that the extent of Cloud Hopper attacks was much larger than earlier estimates. Cloud Hopper, a global cyberattack campaign attributed to the Chinese government, affected at least a dozen managed service providers around the world. The name, Cloud Hopper, refers to the technique of how the group got hold of sensitive data. The attackers, also known as APT10, breached the cloud service providers’ infrastructure and then hopped from tenant to tenant by using the service providers’ legitimate access to tenant data. This way, the attackers were able to steal, for example, intellectual property of medical equipment and electronics companies, security clearance details, and other corporate and government secrets.
The first warnings about the attacks came in 2017, and new information on the scale of the operation has been coming up since then. First Cloud Hopper attacks date to 2014, and the group is still believed to be active, although the amount of attacks has gone down in recent years.
Cloud Hopper and other upstream attacks remind us that it is not enough to protect and monitor your own interfaces and APIs. Third-party access and integrations may be the way into your network.
Know your supply-chain
Liisa Holopainen, Lawyer in Nixu Finland, brings up the importance of understanding the full supply-chain. It’s common for service providers to use contractors and subcontractors for customer support or operations so that the supply-chain can be quite long. According to Liisa, it may not be apparent at first glance that who is handling your data and are all the parties located in the EU region.
Liisa’s advice to cloud transitions it to first clarify your requirements about data security levels and handling, then find out all the parties handling your data and only then start dwelling into agreement details. “Even if your service provider resides in the EU, you need to know whether they use subcontractors, and where these are located. Check out also that your backup locations also in the same region, or if in emergency cases someone from another continent can start debugging your systems and data.”, Liisa explains.
Your line of business, the type of data you handle, where you do business, and how time-critical communications and access you need affect your threat landscape. They have an impact on your security requirements, and sometimes also the cloud service provider you can select. You can make your cloud secure, but first, you need to know what you are protecting and what is the risk level you can handle.
Would you like to stay up to date with the new cybersecurity trends? Subscribe to the Nixu newsletter.