
Cloudy With A Chance Of Security

BSides London, 13:47, published 2024-02
Transcript (en)

Hi everybody, and welcome to Cloudy With A Chance Of Security. My name is Sasha Barath, I'm a computer science student at the University of Warwick, and I'm currently on placement with Burberry in the network and infrastructure team. Now, a natural starting place when talking about the cloud would be to introduce it. Many different sources have their own definitions of cloud, but when we look at all of these, five key characteristics, which were quite succinctly identified by NIST, seem to present themselves, and these can be used to understand the cloud. First amongst these would be on-demand self-service: users can provision resources, whether that be compute, storage, etc., whenever they need, automatically, without having to liaise with the cloud service provider, or CSP, team of humans directly. Secondly, we have elasticity: resources are acquired and freed as demand varies for the user, therefore you can dynamically assign more resources in periods of high demand and release them once you've finished using them. Thirdly, we have broad network access: cloud services can be accessed by clients from pretty much anywhere globally, as long as you have a stable internet connection. We have resource pooling, where CSPs ensure that there's a supply of available resources which they manage on behalf of, and allocate to, the customers, so the users don't really need to concern themselves with the location or maintenance of the servers. And lastly, we have measured service: utilization of the resources is carefully monitored and controlled to ensure the most efficient usage of them, and so that users are only charged for precisely what they use.

Now, embedded into the notion of the cloud is a handover of work and responsibility to the CSP: we, the consumer, rely on the service to be provided to us. There are three common service models to do this. Firstly, we have SaaS, or software as a solution: consumers can simply connect to and use cloud-based software, while responsibility for the hosting and maintenance still falls upon the CSP. Common examples of this would be Office 365, which we all know and love, and Dropbox. Secondly, we have PaaS, or platform as a service, where consumers can use a service structure, which is essentially just a complete dev environment provided by the CSP, to produce, deliver and run your own applications. Again, we have AWS Elastic Beanstalk or Google App Engine as common examples. And thirdly, we have IaaS, or infrastructure as a service: consumers manage all aspects of the service except for the physical hardware itself, so virtual machine management, OS configuration and any apps running above OS level all fall on the user. Common examples of this would be AWS Elastic Compute Cloud, or EC2, and Microsoft Azure. And we have XaaS, or anything as a service, which is essentially the catch-all term that we use to represent the family of technology solutions now moving to the cloud.

Now, there are also several ways the cloud infrastructure itself can be constructed, which are referred to as the cloud deployment models. Firstly, we have private cloud, which is where the organization deploys their own internal solution, and resources are completely controlled by the organization itself, which will provide its own data centers and virtualization capabilities to offer cloud services. This is often adopted for high security or regulatory compliance purposes. Second, we have public cloud: the CSP offers cloud services to pretty much any customer through a subscription model. The resources are offered to a range of unrelated customers, and the CSP manages and allocates these according to availability and demand. And we also have hybrid cloud, which is a model constructed by a combination of other deployment models, which allows the organization to just reap the benefits of whichever ones it's using.

So the natural question would be: why are businesses migrating to the cloud? There are several reasons for this. Firstly, flexibility: with the on-demand self-service capabilities, users can access the resources they need as they like, when they like. This leads to very fast resource procurement versus other environments, where it could potentially take days or even weeks to get services, which just leads to better overall operational efficiency. Secondly, we have global reach: with broad network access and the global footprint of most CSPs now, services can be accessed from pretty much anywhere in the world, so even if you're located geographically far away from your customers, they can still access your services with low latency, and this can be enhanced even further with content delivery networks. Thirdly, we have ease of maintenance: with resource pooling, the CSPs ensure that there's a supply of resources which they allocate for you, so there's no need to manually allocate and deploy them, or even have to try and estimate your infrastructure capacity in advance. We have rapid deployment: with elasticity, your applications will be able to access resources in periods of high demand without delay, and you can release them instantaneously and stop being billed for them. This helps to lower cost: with measured service, users will only be charged for exactly what they use, and they're not paying for resources once they're released. Alongside this, the aggregation of many different cloud customers allows public cloud providers to benefit from economies of scale, which results in lower prices for their customers. And lastly, security: we can offload responsibility for security to the CSP to ensure the assets are protected and safe according to their standards. Therefore, with all these different services that cloud can provide, and the adaptable different deployments, migrating from on-premise to the cloud offers many different advantages.

So full-sky cloud migration would be the perfect solution for everyone, right? No, this definitely isn't the case. There are a lot of major security risks that emerge in the adoption of cloud computing. Let's just look at a couple of cases of this. Firstly, we have Code Spaces. Code Spaces was a cloud-based development environment, or IaaS solution as mentioned earlier, which works alongside GitHub, which was flooded with a distributed denial of service, or DDoS, attack. Code Spaces contacted the attacker, and they kindly said that they'd stop if they paid a ransom. But how was it they were able to contact the attacker? Well, the attacker actually left their contact details in the EC2 control panel. The DDoS actually diverted the attention whilst in reality the AWS accounts had already been compromised, and when Code Spaces tried to regain control, the attacker had again already created backup logins in the EC2 panel to ensure that they had persistent access. Once they realized Code Spaces didn't intend to pay the ransom, they just started to delete random artifacts. Second, we have the case of Microsoft and the US government. A hacking team referred to as Storm-0558 breached an unidentified number of email accounts, including some associated with the US and various other Western European government agencies. The US government contacted Microsoft to alert them of the exploits so they could find the vulnerability in the cloud service. The hackers had used forged authentication tokens to access email accounts with Outlook Web Access in Exchange Online and Outlook.com in May, remaining undetected for almost a month. These are Amazon and Microsoft, which are two major players in the cloud industry.

So what exactly could go wrong? Several points. Firstly, issues with access control. Access control is essentially determining who's able to access, see, use, modify or delete the resources in question. Improper configuration can lead to vulnerabilities, and organizations often depend upon the CSP or some other reporting tool to pick up these inconsistencies. There's a high probability of this threat becoming an issue due to either knowledge gaps or lack of transparency between the organization and any vendors they're interacting with. Secondly, network access: all of our cloud services are now network accessible. This is super convenient, because they can be accessed via the internet; however, it also means we've actually just created a globally accessible, 24/7 available attack vector for malicious actors to access your assets. Thirdly, we have division of responsibility for security: there's often a blurred line between who's responsible for securing what, which again inevitably leads to some misunderstandings, and ultimately no one addresses the risk. With regards to data security, we trust the CSP with our data and we'll assume that they'll take the necessary actions to keep it safe, but what exact measures are they taking? Is the data encrypted? Are secure backups in place? And again, with monitoring and threat detection, we do know that we have inbuilt monitoring, but is it comprehensive enough? We do have logs for admins to review, but this is a reactive rather than a proactive, preventative measure. And lastly, trusting the CSP: when we engage them, we do consider their reputation, their size, their brand visibility, but we often conflate these with security. Do you trust that your data won't be leaked or destroyed, and do you believe they can guarantee the services they're providing you? Because we saw, in the case of Code Spaces with Amazon and the government with Microsoft, this wasn't the case.

So if any of the aforementioned does go wrong, what actually does this mean? This could cause several issues for you. Firstly, reputational damage: it could do irreparable damage to your business reputation and trust with your stakeholders. If you consider it from your customers' perspective, if a company they hired had already demonstrated they were unprepared and couldn't protect the service or data that customers relied on them to, it'd be pretty unwise to trust that company again. Secondly, regulatory compliance: discovering that the organization has failed to comply with regulations or industry standards, whether that be GDPR and the Data Protection Act or the ISO 27k standards, failure to comply could just lead to legal repercussions from governing bodies, as well as possibly fines. We have data loss, which would be problematic for pretty much any modern organization, because it all depends on data. It could have a devastating effect on your customers if their data is lost, as you can't provide them the services you promised, and you'll incur additional costs in data recovery. There'll be damage to the estate: your cloud estate might require redesign, a reconfiguration, or in an extreme case be rendered completely unusable and just require rebuilding, if an attack causes serious damage to functionality. And lastly, difficulty in recovery: time is needed for disaster recovery and to get services back online, but this can be challenging depending on the severity of the attack and the DR resources that you had at your disposal before. In some cases, lateral movement might be possible for the adversary if your cloud environment wasn't isolated properly or your containers weren't secured, which just means the damage will be even more widespread.

So if we consider the benefits versus the risk, is cloud really the best solution? Is it really cost effective when we take into account the additional cost of further resources, whether that be monitoring tools or insurance, and also considering the potential cost of a cyber attack, whether that be fines, payouts and maybe even court fees? This might not be the case. And again, is relinquishing control really the correct move? It's definitely easier, but remember that critical assets and services and sensitive data are now being passed over to the cloud service provider to look after. We have to make some trade-offs in order to have all these advantages of the cloud. Don't worry, there's another option: previously forsaken on-premise might actually be a better option in some cases. Why would this be? Well, first and foremost, keeping control. Previously you've given up control to the CSP for flexibility and ease; this is understandable, but it's definitely not always the right decision. Critical data might be better kept on-prem, where you have complete control and visibility of what's stored where, how it's being stored, for how long, and exactly who's accessing it. It also enables the business to ensure and monitor regulatory compliance; they can adjust practices as and when they wish. And you have a refined security approach: you can deploy custom security measures for your organization, you can disconnect parts of the network from the internet, which can reduce the attack vectors, and you can apply encryption as you see fit. Secondly, we're removing ambiguity in multi-cloud environments. Multi-cloud deployments are extremely useful, but they do lead to more complexity, and they require further resources to ensure correctness. It's difficult to protect data and enforce access control policies consistently across a multi-cloud architecture, which just means mistakes are more likely, and it's more susceptible to attacks. Thirdly, it allows for smoother integration with legacy systems. Legacy systems don't integrate well with cloud, we all know this, due to issues with performance and security, so staying on or migrating to on-prem might be less convenient but actually a more sensible solution in some cases to ensure continuity.

So this leads us to the classic question: to cloud or not to cloud? Now, sometimes cloud really is useful and would be the most beneficial option for your use case, but it isn't the only option and certainly isn't always the best. So consider the following to help you decide. What kind of data and assets does your organization have, and what's the appropriate level of security for them? What regions do you operate in, and what are your associated regulations? When you do a cost analysis, we always consider CapEx and OpEx, but we should also be considering the worst-case scenario, or any potential disaster recovery costs as a result of a cyber attack. What legacy systems do you support, and do you plan to continue supporting them? And, often forsaken but important, what are the future ventures of your organization, and what are the corresponding changes to your IT infrastructure as a result of this? If you're planning to take on more high-security government or military clients, security will be paramount; if you're planning to just increase in number, scale-up and scale-out options would be important. But of course, why not take a blended approach? Sometimes combining both on-premise and cloud infrastructure in your architecture to meet differing requirements could be a good option too.

Now, depending on context, cloud, on-prem or hybrid can all present themselves as valid solutions; however, when adopting the cloud, it's essential to address the security risks that inevitably emerge with it. Firstly, we have IAM control: having a robust IAM strategy for the cloud to ensure the correct access permissions of individuals, and ensuring that they're appropriately restricted, so setting up carefully planned groups, roles and users with the least privilege principle enforced. Secondly, it's important that we're actively monitoring resources. We know the CSP will monitor resources for billing purposes, but your business should be able to detect irregular resource usage behavior as well, because this could signify the early stages of an attack. Thirdly, we need to be deploying IDS: we ensure an appropriate cloud IDS solution is active to allow for threats to be detected, and also deploy network IDS, as this can help detect attempts at spreading across the network that could eventually impact your cloud estate. And lastly, adopting a zero trust cloud security model, where we just assume all users or services aren't trusted at all times, regardless of whether they're internal or external to the network, therefore enforcing strict authentication and authorization rules, which will lead to better overall security. Thank you very much for listening.
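The talk's Code Spaces story (backup logins created in the EC2 panel for persistence) and its closing advice to detect irregular resource usage both come down to watching the control-plane audit trail. The following is an added example, not the speaker's code: a small detector over constructed CloudTrail-style events (the event names are real IAM/EC2 API names, the users, timestamps and thresholds are invented) that flags new credential creation and a burst of instance provisioning by one principal.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (field names mirror CloudTrail, values are invented).
# "alice" creates a new user plus access key late at night and then launches a burst
# of instances; "deploy-bot" is the normal, low-volume baseline.
EVENTS = [
    {"time": "2024-01-10T09:00:00", "user": "deploy-bot", "event": "RunInstances"},
    {"time": "2024-01-10T09:05:00", "user": "deploy-bot", "event": "RunInstances"},
    {"time": "2024-01-10T22:13:00", "user": "alice", "event": "CreateUser"},
    {"time": "2024-01-10T22:14:00", "user": "alice", "event": "CreateAccessKey"},
    {"time": "2024-01-10T22:20:00", "user": "alice", "event": "RunInstances"},
    {"time": "2024-01-10T22:21:00", "user": "alice", "event": "RunInstances"},
    {"time": "2024-01-10T22:22:00", "user": "alice", "event": "RunInstances"},
    {"time": "2024-01-10T22:23:00", "user": "alice", "event": "RunInstances"},
    {"time": "2024-01-10T22:24:00", "user": "alice", "event": "RunInstances"},
]

# IAM calls that create a new way to log in: the "backup logins" pattern from Code Spaces.
PERSISTENCE_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile"}


def detect(events, burst_threshold=5, window=timedelta(minutes=10)):
    """Return alert tuples (kind, user, detail, time) for persistence and burst signals.

    A provisioning-burst alert fires once, when a single principal reaches
    burst_threshold RunInstances calls inside a sliding window (assumed thresholds).
    """
    alerts = []
    recent_launches = defaultdict(list)  # user -> timestamps within the window
    for e in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(e["time"])
        if e["event"] in PERSISTENCE_EVENTS:
            alerts.append(("new-credential", e["user"], e["event"], e["time"]))
        if e["event"] == "RunInstances":
            launches = recent_launches[e["user"]]
            launches.append(ts)
            # Drop launches that have fallen out of the sliding window.
            while launches and ts - launches[0] > window:
                launches.pop(0)
            if len(launches) == burst_threshold:
                alerts.append(("provisioning-burst", e["user"], len(launches), e["time"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In a real estate the same two signals would be read from CloudTrail (or the equivalent provider audit log) and the thresholds tuned to the organisation's own baseline.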