Safeguarding the Cloud

By Mohit Twari, Associate Professor, The University of Texas at Austin

Mohit Twari, Associate Professor, The University of Texas at Austin

The velocity with which organizations are adopting the cloud has created an entirely new wave of security threats. Enterprise data is particularly vulnerable. Cloud storage has enabled companies and developers to push out production-grade, scalable applications at light speed. However, many organizations—from IT support all the way up to management—simply cannot keep up with the pace of change, leaving them defenseless against a barrage of new threats to data security that evolve as rapidly as they as they wreak havoc.

Currently, developers build complex database-backed applications, weaving delightful experiences out of complex open-source and third-party components. They can add tens of millions of new lines of code with just a few "import" statements. Production operation teams roll out new code multiple times a week to thousands of machines. The big draw to the cloud—efficiencies from streamlined development, scalability of microservices architectures and the ease of deploying cloud-native applications—creates evolving security threats that are impossible to completely contain without radically new approaches.

The widely reported breach of consumer credit giant, Equifax in 2017 (that exposed the personal information of 147 million people), was believed to have originated from a flaw deep inside the Apache Struts framework—in a common PDF upload library that most developers use.

This vulnerability went undetected in the framework for over eight years.

Equifax is the most high profile public example of this type of data breach. But most companies—large and small—are exposed to the very same web-application vulnerabilities.

"Protecting cloud-based data from attack will only be made possible if cybersecurity is woven into the very fabric of systems’ frameworks"

Unsung Heroes

Operations teams are the real unsung heroes who have to deal with the brunt of these issues and the fallout from attacks. They have to set up application firewalls for code they didn't write, monitor software behaviors they didn't define, and find needles in the proverbial haystack of high-dimensional alert-logs covering thousands of machines. With even the most advanced AI algorithms proving susceptible to adversarial inputs, these heroes now have to create robust algorithms for security logs—a notoriously difficult dataset to model accurately.

Essentially, we continue to react to attacks rather than proactively developing reliable preventative tools that might limit how much damage they cause. But when the security weaknesses in existing cloud frameworks are embedded into the very fabric of their design, this perpetual defensive loop that enterprise finds itself in isn’t going to change.

Cybersecurity is inherently asymmetric. And, cloud-based deployment models greatly amplify this asymmetry. Even a single vulnerability can lead to the next Equifax or a single configuration error to the next Capital One breach—another high profile example that impacted nearly 106 million innocent customers. In contrast, to try to combat these threats, development teams have to protect each and every application with roughly one security engineer per 100 developers in the organization—all already working under aggressive compliance deadlines mandated by GDPR, CCPA, and other data protection acts.

Developers have benefited greatly from using sophisticated tools to micro segment application-layer networks and streamline identity across applications. The next frontier is to enable developers and privacy engineers to protect data in a consistent, scalable manner. Privacy engineers can visualize and enforce data-compliance rules while state-of-the-art research can enable data protection to fit seamlessly within developer frameworks with very little impact on performance. At cloud-scale, small mistakes are amplified into big breaches that impact customers’ privacy and companies’ brands. Cloud-native companies that build data protection into their frameworks, on the other hand, can be agile while still safeguarding their users’ trust.

Weekly Brief

Read Also

A Cloud Services Security Playbook

A Cloud Services Security Playbook

Arun DeSouza, CISO & CPO, Nexteer Automotive
Managing Access-Point-Risk without Interfering Too Much With Business Processes Efficiency.

Managing Access-Point-Risk without Interfering Too Much With...

Luther Uthayakumaran, Head Strategy and Innovation, Sydney Water
Is your carrier keeping your SMS Two-Factor Authentication Secure?

Is your carrier keeping your SMS Two-Factor Authentication Secure?

Steve Buck, Chief of Security Business Unit, Mobileum
How Modernized Encryption Standards and TLS 1.3 May Impact Your Security Strategy

How Modernized Encryption Standards and TLS 1.3 May Impact Your...

Ben Schoenecker, CISSP, Director of Information Security, Hendrick Automotive Group
White Box Cryptography (WBC)

White Box Cryptography (WBC)

Dr. Tsirinsky, CTO, E.S. Embedded Solutions
Vulnerability Management - Don't Guess

Vulnerability Management - Don't Guess

Angelo Murano, CISSP, CRISC, CISM, Head of Information Security-ING Americas