By Chinatu Uzuegbu, CISSP, CEO/Managing Cyber Security Consultant at RoseTech CyberCrime Solutions Ltd.
(ISC)² Security Congress 2022 was a huge success, with engaging, insightful speakers from around the world. The theme of this year’s event was “Empower a Safer, More Secure Cyber World”, and the speakers certainly inspired many to do so.
In this blog we share excerpts from “Top Cloud Security Fails and How to Avoid Them”, delivered by Karl Ots, CISSP, Head of Cloud Security at EPAM and LinkedIn Learning instructor. (ISC)² Security Congress attendees can earn CPE credits by watching this and all other sessions from the event on demand.
According to Karl, “Data breaches are more likely to happen because of mis-configured cloud services than external attacks or application vulnerabilities”. He further implied that the most successful attacks on the cloud are the result of misconfigurations, mismanagement and mistakes by cloud customers. He advised security and risk management leaders to pay close attention to a strict cloud security posture and to best practices that remediate and mitigate these risks proactively.
Karl categorized his presentation into two main sections.

3 Security Impacts of Moving to the Cloud:
- Ephemeral workloads: event-driven, agent-less monitoring must be applied.
- Perimeter changes: an identity-based perimeter and micro-segmentation must be applied.
- Growing share of OSS: supply chain life-cycle security is needed.

The 5 Cloud Security Fails or Threats (and how to avoid them):
- Asymmetric Approach to Cloud Security:
  - Implement a built-in, cloud-native security architecture.
- Cloud Credential Creep:
  - Enforce strict authentication policies.
  - Apply role-based access control with a focus on access scope.
  - Embrace Identity and Access Management (IAM) as code.
- Broken Data Plane Access Control:
  - Store storage access keys and connection strings in a key vault and rotate them programmatically.
  - Use data plane role-based access control (RBAC).
  - Enforce storage bucket/account settings with policies.
- Exposed Public Endpoints:
  - Treat every public IP address as a risk that must be managed and reviewed.
  - Secure your Infrastructure as a Service (IaaS) environments with native cloud networking services such as access control lists (ACLs) and firewalls.
  - Secure your Platform as a Service (PaaS) data services with resource firewalls and other enforced policies.
- Mis-managed Mis-configurations:
  - Follow the best management practices from the Cloud Service Provider (CSP).
  - Enforce policies strictly.
  - Automate remediation of identified misconfigurations.
  - Scan infrastructure as code for security issues.
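As an added example (not from Karl’s talk or this post), the Python below runs a small posture check over a constructed resource inventory, flagging the credential-creep, broken-data-plane and exposed-endpoint patterns listed above. The JSON shape, field names and 90-day rotation policy are assumptions; a real CSP export would need to be mapped onto them.

```python
import json
from datetime import date

# Constructed sample inventory in a hypothetical JSON shape (not a real CSP export).
INVENTORY = json.loads("""
[
 {"type": "storage", "name": "logs-archive", "public_access": true,
  "key_last_rotated": "2022-01-10", "rbac_data_plane": false},
 {"type": "storage", "name": "app-data", "public_access": false,
  "key_last_rotated": "2022-10-01", "rbac_data_plane": true},
 {"type": "vm", "name": "web-01", "public_ip": "203.0.113.10", "firewall_rules": []},
 {"type": "vm", "name": "batch-01", "public_ip": null, "firewall_rules": []}
]
""")

MAX_KEY_AGE_DAYS = 90           # assumed rotation policy
SCAN_DATE = date(2022, 10, 15)  # fixed "today" so the run is reproducible

def check_storage(res, today):
    """Checks for the 'Broken Data Plane Access Control' and 'Credential Creep' fails."""
    findings = []
    if res.get("public_access"):
        findings.append("broken-data-plane: public access enabled")
    if not res.get("rbac_data_plane"):
        findings.append("broken-data-plane: data plane RBAC not in use")
    age = (today - date.fromisoformat(res["key_last_rotated"])).days
    if age > MAX_KEY_AGE_DAYS:
        findings.append(f"credential-creep: access key not rotated for {age} days")
    return findings

def check_vm(res):
    """Check for the 'Exposed Public Endpoints' fail."""
    if res.get("public_ip") and not res.get("firewall_rules"):
        return ["exposed-endpoint: public IP without ACL/firewall rules"]
    return []

def scan(inventory, today=SCAN_DATE):
    """Return {resource name: [findings]} for every non-compliant resource."""
    report = {}
    for res in inventory:
        findings = check_storage(res, today) if res["type"] == "storage" else check_vm(res)
        if findings:
            report[res["name"]] = findings
    return report

if __name__ == "__main__":
    print(json.dumps(scan(INVENTORY), indent=2))
```

In a pipeline the report would feed an automated remediation step or fail the infrastructure-as-code build, which is the enforcement loop the talk recommends.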
Karl summarized his presentation by reinforcing that “nearly all successful attacks on cloud services are the result of customer mis-configurations, mismanagements and mistakes. Security and risk management leaders should invest in cloud security posture management processes and tools to proactively and reactively identify and remediate the risks.”
Interested in discovering more about cloud security? The new Certificate Program from (ISC)² is available to you anytime, anywhere. Advance your skills in cloud security and move your cybersecurity career forward with the Cloud Security Certificate; learn more at https://www.isc2.org/certificate/cloud-security-certificate.