Craig Humphreys from Tesserent explains why stakeholders need to rethink their cloud security strategies.
While the cloud offers organisations unprecedented opportunities to quickly and proactively pivot to meet new challenges, it also opens up a range of new threat surfaces that can be exploited by malicious parties.
The traditional view of information systems as being under an organisation's specific control has changed: interconnectedness and shared resources are now far more common than independently operated systems.
Supply chain attacks are not new or specific to the cloud. If you want to stop someone from making a product, you can either sabotage the factory or you can compromise the supply of a vital component. This is easy to manage in the physical world. If you want to stop a shoemaker from producing a pair of boots, disrupt their access to the rubber they need for the soles.
In the cloud world, malware exploiting vulnerabilities such as OMIGOD, a flaw in Open Management Infrastructure software that Microsoft silently installed on more than half of all Azure instances as part of an update, highlighted a new kind of supply chain consideration. You may now become vulnerable to something you didn't install or have any control over. One of the key elements of threat assessment is auditing your assets so you know what you have.
But in the cloud, that is almost impossible, which exacerbates the difficulty of handling software-based supply chain risks.
One of the key benefits that come from cloud-based applications and services is the way these can be easily integrated. For example, a cloud-based accounts system can interchange data with a CRM and that might directly link into a cloud-based email platform.
In a situation like this, there may be a single user account, but each application also authenticates to the others. And while you may have taken the wise precaution of using multi-factor authentication to secure users, you may not have done the same for those system-to-system or machine-to-machine accounts.
This can expose organisations to identity-based supply chain risk. This type of risk arises from granting permissions within your environment to third parties. Cloud software comes in many different forms. It's common to have third-party agents running on virtual machines, as well as third-party Amazon machine images, container images, and/or Lambda functions. All these elements mean that creating and maintaining a cloud asset inventory in 2022 will be a huge challenge for security teams. Without such an inventory, it's easy to miss insecure third-party software in your cloud environment.
It takes many things for a supply chain to work effectively and efficiently. But one of the most important pieces of any supply chain is trust. There was a time when we trusted the third parties we dealt with by default. The phrase co-opted by Ronald Reagan, originally a Russian proverb, then became the default: trust, but verify.
We are now in a new era. Today’s catchcry is zero trust. We operate on the basis that no user account, system or application is to be trusted. This means using tools such as multi-factor authentication, using a robust identity and access management regime, and putting in place controls and monitoring that can detect any unexpected activity. And that monitoring is continuous with real-time reporting of suspicious log-ins, data movement, network activity or anything else that might be an indicator of a breach or attack.
Although the dependence on cloud and other IT services is constantly growing, this is still a blind spot for many organisations, especially SMEs. The times of trust by default have come to an end. The time has come to ask the hard questions about third parties, cloud services and supply chain risk.
The cloud has completely changed the way organisations in every sector operate. When the underlying fabric of how we do things changes, it makes sense to rethink the way we approach trust and cyber security. Cloud-based platforms deliver great utility, but they also introduce new risks. That means organisations need to rethink how they assess risks and put appropriate mitigation strategies in place.
Craig Humphreys is the managing partner, cloud at Tesserent.