DevCentral plays Cloud Security Chess

Security is a chess board. In chess the King is the most valuable piece and the Queen is the most powerful piece (in terms of flexibility and potential impact). Stay with me... if we carry these rules over to security we can assert the following:

  • Data at rest = King: If you lose your data or, worse, your data is stolen and exposed, the game is over. You lost the security game.
  • Data in motion = Queen: Data in motion gives us admins the most flexibility and impact for infrastructure planning and solution choices. Like the Queen, it offers flexibility and options, but if it is exposed or captured, the death knell may be near.

If security is our chess board, the adoption of cloud infrastructure and resources increases the size of the board (IaaS, SaaS, and private cloud for this metaphor). Seriously... stay with me... if your board size increases, do you:

  1. Replace the existing pawns one-for-one with new ones? Not sure why you would do this, because they have the same function... maybe you want new pieces on the board to make you feel like you're playing a new game.
  2. Change your style of gameplay to hopefully get more value out of the existing pieces? You can increase their usefulness across the larger board by being creative... right?
  3. Add additional pieces to complement the existing pieces? Imagine if you had three more pawns and an extra rook, bishop, and knight.

If you didn't guess already, the other pieces on the board represent your IT security solutions.

  • You could get by for a while with answer 2, but sooner or later your opponent is going to whittle you down.
  • If you answered 1, go into sales or marketing, because you're selling technology as a solution to a problem you never understood.
  • If you evaluated the changes to the chess board and chose additional pieces to play, you know answer 3 is the correct one. Don't sabotage your existing security model because there are a few new pieces to play with.

The new game board allows NEW attack vectors against your King; it doesn't necessarily remove the old ones. By the way, pieces != vendors: they represent solutions that keep those squares from exposure and exploitation. The metaphor is imperfect, but you saw where I was going, right?

 

Cloud Security Is The Same Security With A New Home

Security trends for 2017 seem to push us toward new technology under the guise that we've been doing it wrong this whole time and new product X will solve all your security needs. Threat Stack's summary of Gartner's 2017 cloud security key findings confirms what we already know:

  • Consensus doesn't exist on what constitutes best practice for cloud security, and this is creating organizational issues for control processes
  • Vendor focus on specific areas of cloud technology (IaaS) is drawing attention away from other control vectors (SaaS) that are no less critical

Gartner's findings marry well with earlier risk analysis; the leading entries in CSA's 2016 study of the top 12 cloud threats remain mostly unchanged:

  1. Data breaches (Losing your King)
  2. Weak Identity, Credential, and Access Management
  3. Insecure APIs
  4. Account Hijacking
  5. Malicious Insiders

Emerging cloud security acronyms that aim to address Gartner's and CSA's findings deserve closer inspection.

 

An Extra Knight For The Board: Cloud Access Security Brokers

CASBs are security policy enforcement points placed between cloud service consumers and providers; they apply inline security policies, encryption, identity controls, and a host of other features. Yes, it's existing technology wrapped up with a nice bow, but it is no less important on premises or in the cloud. If you're already playing in the cloud, chances are you already have some form of CASB, and if you're a datacenter traditionalist, you definitely have some of these services (TACACS, SSO/federation services, RBAC). CASBs do encapsulate a lot of disparate solutions into a single service offering, which may rein in the sprawl of administrative endpoints and potentially lower costs. However, with several new players offering CASB "solutions", there's a lot of contest on the proving grounds before enterprises can add those additional pieces to their security chess board. Remember, chess pieces != vendors... they represent solutions.

 

Cloud Workload Protection Platform: Protect the Queen Wherever She May Go

There are many ways vendors are massaging CWPP definitions to fit their products' functionality. Taking the term workload as the key jumping-off point, the purpose of a CWPP is to classify data through governance policies and apply rulesets to that data in flight and when it lands. This gives InfoSec departments the ability to extend data governance rules to more complex hybrid and cloud deployments, ensuring data lands only where authorized and is handled only by the correct parties. Think SELinux for cloud data: policy-based controls applied across an organization regardless of the data's location. New and existing vendors are shipping CWPP features, but unless they integrate seamlessly into your existing infrastructure and meet your policy needs, you're implementing a half-complete solution and leaving chess board squares exposed. Can CWPP address a lot of security issues? If your InfoSec program is mature enough, then yes.
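To make the "policy enforcement point" idea in both the CASB and CWPP sections concrete, here is an added example (not code from the original post or from any vendor product) of the kind of decision such a broker makes before data is allowed to move: a request naming a principal, the data's classification, the destination and whether the channel is encrypted is checked against a per-destination rule, and anything without a matching rule is denied by default. The data model, the classification levels, the group names, the destination identifiers and the sample requests are all constructed assumptions for illustration.

```python
"""
Added example of a minimal CASB/CWPP-style policy engine. Every name below
(classifications, groups, destinations, rules, sample requests) is a
constructed assumption, not a real product's API or schema.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, FrozenSet, List, Tuple


class Classification(IntEnum):
    """Ordered so that a higher value means more sensitive data."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class Request:
    principal: str                 # who is moving the data
    groups: FrozenSet[str]         # group memberships supplied by SSO/federation
    classification: Classification # governance label on the data
    destination: str               # where it would land, e.g. "iaas:us-east"
    encrypted: bool                # is the transfer encrypted in flight?


@dataclass(frozen=True)
class Rule:
    name: str
    max_class: Classification             # most sensitive data this destination may receive
    allowed_groups: FrozenSet[str]        # empty set means any authenticated principal
    require_encryption: bool


# Constructed policy: destinations not listed here are denied by default.
POLICY: Dict[str, Rule] = {
    "onprem:dc1":       Rule("datacenter", Classification.RESTRICTED,
                             frozenset({"infra-admins"}), True),
    "iaas:us-east":     Rule("iaas-prod", Classification.CONFIDENTIAL,
                             frozenset({"infra-admins", "app-owners"}), True),
    "saas:crm":         Rule("crm", Classification.INTERNAL, frozenset(), True),
    "saas:filesharing": Rule("fileshare", Classification.PUBLIC, frozenset(), False),
}


def evaluate(req: Request, policy: Dict[str, Rule] = POLICY) -> Tuple[bool, str]:
    """Return (allowed, reason). Checks run in order: destination known,
    classification within bound, principal in an allowed group, encryption."""
    rule = policy.get(req.destination)
    if rule is None:
        return False, f"no rule for destination {req.destination}: default deny"
    if req.classification > rule.max_class:
        return False, (f"{req.classification.name} data may not land in "
                       f"{req.destination} (max {rule.max_class.name})")
    if rule.allowed_groups and not (req.groups & rule.allowed_groups):
        return False, f"{req.principal} is not in an allowed group for {req.destination}"
    if rule.require_encryption and not req.encrypted:
        return False, f"unencrypted transfer to {req.destination} blocked"
    return True, f"allowed by rule {rule.name}"


# Constructed sample traffic: one request that should pass and four that
# each trip a different check.
SAMPLE_REQUESTS: List[Request] = [
    Request("alice", frozenset({"app-owners"}), Classification.CONFIDENTIAL, "iaas:us-east", True),
    Request("bob",   frozenset({"sales"}),      Classification.CONFIDENTIAL, "saas:filesharing", True),
    Request("carol", frozenset({"sales"}),      Classification.INTERNAL,     "saas:crm", False),
    Request("dave",  frozenset({"sales"}),      Classification.RESTRICTED,   "onprem:dc1", True),
    Request("eve",   frozenset({"sales"}),      Classification.PUBLIC,       "saas:unknown", True),
]


def denied_principals(requests: List[Request] = SAMPLE_REQUESTS) -> List[str]:
    """Run the policy over a batch and return the principals that were blocked."""
    return [r.principal for r in requests if not evaluate(r)[0]]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        ok, why = evaluate(r)
        print(f"{'ALLOW' if ok else 'DENY ':5} {r.principal:6} -> {r.destination:17} {why}")
```

The ordering of the checks is the design point: the destination is resolved first so that an unknown landing zone never gets as far as a group or encryption check, and the classification bound is applied before identity so that a well-entitled admin still cannot push RESTRICTED data into a destination rated for CONFIDENTIAL. In a real deployment the group set would come from your federation service and the classification from the governance label on the object, which is exactly the "existing technology wrapped up with a nice bow" the CASB section describes.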

 

CASBs and CWPPs are new solutions to old problems and a welcome addition to the expanding chess board. But don't throw away your existing solutions because they're "old". Traditional vulnerabilities still exist, and we re-expose ourselves if we shift our focus entirely to new attack methods. InfoSec's responsibility is to evaluate the changing security landscape and adjust accordingly, not to purchase the shiny new toy your CISO saw advertised in the airline magazine. The game's expanding and so should your security solution footprint. Adjust smartly and according to your business requirements. An informed InfoSec team is much more effective than one kept in the dark; looking at you, Sales & Marketing Shadow IT! Give me a shout with your thoughts; if you disagree we can argue security trends until SGDQ. I have my priorities straight.