Exorcising Dark Reading’s Cloud Demons

Dark Reading recently covered what it says are Cloud “blind spots”. Really, there is some considerable FUD here. Is there really anything unique to cloud with the issues called out?

I’m not pro or anti-cloud. It is “just another organisation’s computer platform” as they say, and whereas this phrase was coined as a warning about cloud, it also serves as a reminder that the differences with on-premise aren’t as much as many would have you believe. In some areas cloud makes things easier and its a chance to go greed field and fix the architecture. Some fairly new concepts such as “immutable architecture” will change security architecture radically but there is nothing carved in stone which says this can only be implemented in cloud. In case it needed calling out – you can implement microservices in your data centre if microservices are what does it for you!

Migrating to cloud – there’s a lot to talk about regards infosec, and i can’t make an attempt at doing that comprehensively here. But some points to make based on what seems to be popular misconceptions:

  • Remember you will never get access to the Cloud Service Provider’s (CSP) hypervisors. Your hardware is in their hands. Check your SLA’s and contract terms.
  • SaaS – it many cases it can be bad to hand over your operating systems to CSPs, and not just from a security perspective. In the case of on-premise, it was deemed a good business choice to have skilled staff to administer complex resources that present many configuration options that can be used and abused for fun and profit. So why does moving to cloud change that?
  • Saas and SIEM/VA: Remember this now means you lose most of your Vulnerability Assessment coverage. And SaaS and SIEM is getting more popular. Due to the critical nature of a SIEM manager, with trust relationships across the board, personally i want access to the OS of such a critical device, but that’s just me.

So picking out the areas covered briefly….

  • Multi-cloud purchasing – “The problem for security professionals is that security models and controls vary widely across providers” – if it takes a few weeks to switch from on-premise to Cloud, then for example, from Azure to Google, or AWS, chances are they were struggling with on-premise. Sorry but there’s no “ignorance” here. A machine is now a VM but it still speaks TCP/IP, and a firewall is now not something in the basement…ok i’ll leave it there.
  • Hybrid Architecture – tracking assets is easier in cloud than it is on-premise. If they find it hard to track assets in cloud, they certainly find it hard on-premise. Same for “monitoring activity”.
  • Likewise with Cloud Misconfiguration – they are also finding it hard on-premise if they struggle with Cloud.
  • Business Managed IT – not a cloud specific problem.
  • Containers – “new platforms like Kubernetes are introducing new classes of misconfigurations and vulnerabilities to cloud environments faster than security teams can even wrap their arms around how container technology works. ” – WHAT!!? So does the world hold back on these devops initiatives while infosec plays catch up? There is “devsecops” which is supposed to be the area of security of security which is specialised in devops. If they also struggle, then what does it say about security? I have to say that on a recent banking project, most of the security team would certainly not know what Docker is. This is not a problem with Cloud, its a problem with security professionals coming into the field with the wrong background.
  • Dark Data – now you’re just taking the proverbial.
  • Forensics and Threat-Hunting Telemetry – show yourself Satan! Don’t lurk in the shadows! Ignore the fancy title – this is about logging. “Not only do organizations struggle to get the right information fed from all of their different cloud resources” – This is a logging problem, not a cloud problem. Even SaaS SIEM solutions do not present customers with issues getting hold of log data.

What happened Dark Reading? You used to be good. Why does’t thou vex us so? Cloud is just someone else’s computer, and just someone else’s network – there are a few unique challenges with cloud migrations, but none of those are mentioned here.

“Cybersecurity Is About To Explode” – But in What Way?

I recently had the fortune to stumble across an interesting article: http://thetechnews.com/2019/08/17/cybersecurity-is-about-to-explode-heres-why/

The article probably was aimed at generating revenue for the likes of ISC2 (CISSP exam revenue) and so on, but i am open minded to the possibility that it was genuinely aimed at helping the sector. It is however hopelessly misleading. I would hate to think that this article was the thing that led a budding security wannabe to finally sign up. Certainly a more realistic outlook is needed.

Some comments on some of the points in said article:

“exciting headlines about data breaches” – exciting for who? The victims? 
“organizations have more resources to fight back ” – no they don’t. They spend lots but still cannot fight back.
“It’s become big enough that thought leaders, lawyers, and even academics are weighing in” – who are the thought leaders who are weighing in? If they are leading thought, i would like to know who they are.
“today’s cybercriminals are much more sophisticated than they were twenty years ago”. Do they need to be? I mean Wannacry exploited a basic firewall config problem. Actually firewall configs were better 20 years ago than they are today.
“employing the services of ethical hackers ” – i’m glad the hackers are ethical. They wouldn’t have the job if they had a criminal record. So what is the ‘ethical’ qualifier for? Does it mean the hackers are “nice” or… ?
“Include the use of new security technology like the blockchain and using psychology to trick, mislead, and confuse hackers before they ever reach sensitive data.” Psychology isn’t a defence method, it’s an attack method. Blockchain – there are no viable blue team use cases. 
“313,735 job openings in the cybersecurity field” – all of them are filled if this number is real (unlikely).
“since the need for security experts isn’t likely to drop anytime soon.” see Brexit. It’s dropping now. Today. Elsewhere its flat-line.
“You can take your pick of which industry you want to work in because just about every company needs to be concerned about the safety and security of their networks.” – “needing” to be concerned isn’t the same as being concerned. No. All sectors are still in the basic mode of just getting compliance. 
“Industries like healthcare, government, and fintech offer extensive opportunities for those who want to work in cybersecurity” – no, they do not. 
“90% of payment companies plan to switch over to blockchain technology by 2020” – can you tell your audience the source of this information?