Cloud security: The castle vs open-ended city model


With cloud security, the boundary of the system is no longer the edge of your physical network but the individuals who use it.

When you see major breaches of either cloud services or corporate networks, it’s not usually the external boundaries of the organisation that have been compromised, it’s more often the identity of an individual.

The Verizon Data Breach Investigations Report 2017 shows that security is continually having to change in order to keep up with fluctuations in the threat landscape. With 81% of hacking-related breaches leveraging either stolen or weak passwords, it’s no wonder that identity is a new focal point.

Changing boundaries

How are the boundaries changing for organisations in terms of security? In the last ten years, security boundaries have changed so much so that they have become invisible or, at the very least, barely recognisable. In its redefined state, security now starts with identity, authentication, and account security.

Adoption of cloud-based services is partly to blame, according to Richard Walters, CTO of CensorNet, as unstructured data now resides in cloud-storage applications.

“Work is no longer a place. It’s an activity,” he says. “Users have an expectation of instant, 24/7 access to apps and data regardless of location, using whichever device is convenient and close to hand. Just when we thought we’d got a handle on things, along came millions of IoT devices that connect to cloud servers. The identity of things is becoming as important as the identity of human beings.”

IT's shift beyond the physical boundaries of a company means the goalposts have moved, with security focusing on protecting applications, data and identity instead of simply guarding entrances and exits to the network.

“This radically changes the role of the traditional firewalls,” says Wieland Alge, EMEA general manager at Barracuda Networks.

“For a while, experts predicted that dedicated firewalls would eventually be absorbed by network equipment and become a feature of a router. Since we build infrastructures bottom-up now, everything starts with users and their access to applications, regardless of where they are physically; the firewalls not only need to be user- and application-aware, but also to show the same agility and deployment flexibility as the respective entities they protect.”

The castle vs the open city

Is security in the modern digital world like an open city, as opposed to traditional corporate computing, which is more like a castle?

A castle’s spiral stairs turn clockwise to give an advantage to right-handed sword-wielding defenders. According to Memset’s head of security, Thomas Owen, that kind of subtlety and defence in depth (plus the motte and bailey, moat, keep, etc.) are where the state of the cyber-security art now lies.

“The increase in adoption of identity federation or outsourced/crowdsourced Security-as-a-Service capabilities, such as Tenable.io or HackerOne, speaks of democratisation and an increase in trust of third parties, but if you’re lazy on patching or have flabby access control in place you’re still going to get hacked,” he says.

“Open cities still have rings of trust, policers/enforcers, strictly private spaces, laws, etc. We’ve not been in a place where a ‘single castle wall’ is sufficient for decades.”

Nigel Hawthorn, chief European spokesperson at Skyhigh Networks, says that another issue with the castle-based cybersecurity approach is that there are a lot of keys to secure.

“Each employee who has access to networks is a potential threat. They could begin acting maliciously or have their details stolen by cybercriminals who then have keys to the kingdom. With the number of credential thefts ever-increasing, no company that utilises a castle approach is truly safe,” he says.

Stopping hackers acquiring identities

Hawthorn says that businesses must become better at detecting when an employee’s credentials have been hijacked.

He says the issue is that many still rely on a single authentication process, with access being granted on the basis of having a company email address and password. “For example, the ‘heist’ on the Central Bank of Bangladesh, in which $81 million was stolen, took place after hackers gained the SWIFT log-in credentials of a few employees. Had the bank had more stringent identity checks, the attack may have been mitigated.”

The best approach is behavioural analytics, which works in a similar way to how credit card companies detect and prevent fraud, according to Barry Shteiman, director of Threat Research at Exabeam.

“It creates a baseline of normal activity for each individual person, then compares each new activity against the baseline. In the same way that Visa would block a UK-based consumer from buying a TV in Beijing for the first time, corporations will detect hackers trying to use valid but stolen credentials.”

He says that one customer, a national retailer, suddenly saw an employee in the HR department attempt to access 1,500 point-of-sale systems in its retail stores.

“She’d never done it before. In fact, no one in her department had done so before. It turns out that she was on holiday and her corporate credentials had been stolen and were being used by a hacker to steal credit card info. The password was valid, so the question wasn’t ‘can she access this system?’ but instead ‘should she be accessing this system?’,” says Shteiman.
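The per-user baseline Shteiman describes, and the HR-employee-to-point-of-sale case above, can be sketched in code. The script below is an added illustration for this article; it is not Exabeam’s product logic or anything from the original piece. It builds a baseline of which kinds of system each user and each department normally touches, plus each user’s historical maximum of distinct hosts per day, then scores a new day of activity. The access log, user and department names, host names and scoring weights are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

ALERT_THRESHOLD = 3      # constructed weight: score at or above this raises an alert
VOLUME_MULTIPLIER = 10   # constructed: flag a day with >10x the user's historical host count


@dataclass(frozen=True)
class AccessEvent:
    day: int            # day index; constructed stand-in for a timestamp
    user: str
    department: str
    host: str           # an individual system, e.g. "pos-0417"
    system_class: str   # the kind of system, e.g. "pos" or "hr-portal"


def pos_events(day, user, department, n):
    """Constructed helper: one user touching n distinct point-of-sale hosts in a day."""
    return [AccessEvent(day, user, department, f"pos-{i:04d}", "pos") for i in range(1, n + 1)]


# Constructed historical access log used as the baseline window. In practice this
# would be drawn from identity-provider, VPN or application access logs.
HISTORY = [
    AccessEvent(1, "jane", "HR", "hrportal-01", "hr-portal"),
    AccessEvent(1, "jane", "HR", "payroll-01", "payroll"),
    AccessEvent(2, "jane", "HR", "hrportal-01", "hr-portal"),
    AccessEvent(2, "jane", "HR", "mail-01", "mail"),
    AccessEvent(1, "tom", "HR", "hrportal-01", "hr-portal"),
    AccessEvent(2, "tom", "HR", "mail-01", "mail"),
    AccessEvent(1, "raj", "StoreOps", "pos-0001", "pos"),
    AccessEvent(1, "raj", "StoreOps", "pos-0002", "pos"),
    AccessEvent(2, "raj", "StoreOps", "pos-0003", "pos"),
]


class Baseline:
    """What 'normal' looks like per user and per department, learned from history."""

    def __init__(self, events):
        self.user_classes = defaultdict(set)   # user -> system classes they have used
        self.dept_classes = defaultdict(set)   # department -> classes anyone in it has used
        self._daily_hosts = defaultdict(lambda: defaultdict(set))  # user -> day -> hosts
        for e in events:
            self.user_classes[e.user].add(e.system_class)
            self.dept_classes[e.department].add(e.system_class)
            self._daily_hosts[e.user][e.day].add(e.host)

    def max_daily_hosts(self, user):
        """Most distinct hosts this user touched on any single day in the baseline."""
        days = self._daily_hosts.get(user, {})
        return max((len(hosts) for hosts in days.values()), default=0)


def score_day(baseline, events):
    """Score one user's events for one day against the baseline.

    Returns (score, reasons). The question being answered is not 'is the password
    valid?' but 'should this person be doing this?'.
    """
    if not events:
        return 0, []
    user, dept = events[0].user, events[0].department
    seen_by_user = baseline.user_classes.get(user, set())
    seen_by_dept = baseline.dept_classes.get(dept, set())
    score, reasons = 0, []

    # Novelty: a system class the user has never used is mildly odd if peers use it,
    # and strongly odd if nobody in the department has ever used it.
    for cls in sorted({e.system_class for e in events}):
        if cls in seen_by_user:
            continue
        if cls in seen_by_dept:
            score += 1
            reasons.append(f"{cls}: new for {user}, but used by others in {dept}")
        else:
            score += 3
            reasons.append(f"{cls}: never used by {user} or anyone in {dept}")

    # Volume: far more distinct hosts in one day than this user has ever touched.
    hosts = {e.host for e in events}
    historical_max = baseline.max_daily_hosts(user)
    if len(hosts) > VOLUME_MULTIPLIER * max(historical_max, 1):
        score += 3
        reasons.append(f"{len(hosts)} distinct hosts in one day (historical max {historical_max})")
    return score, reasons


def is_alert(baseline, events):
    """True when a day's activity scores high enough to be worth an analyst's time."""
    return score_day(baseline, events)[0] >= ALERT_THRESHOLD


if __name__ == "__main__":
    baseline = Baseline(HISTORY)
    # The retailer case: an HR employee's valid credentials used against 1,500 POS systems.
    score, reasons = score_day(baseline, pos_events(3, "jane", "HR", 1500))
    print(score, reasons)
```

Two signals combine here: the point-of-sale class is new both for the user and for her whole department, and the host count is far beyond anything in her history. Either alone might be explainable; together they produce exactly the "should she be accessing this?" question the article raises, and an analyst can read the reasons list rather than a bare score.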

Evolving security models

Over the next few years, security models will need to be updated to include cloud-based monitoring and controls, says Jeremy Rasmussen, director of cybersecurity at Abacode.

“Typically, there is a shared security responsibility for systems hosted in the cloud. The cloud service provider is responsible for security of the underlying infrastructure. However, protecting anything stored on that infrastructure, from the operating system up to applications, is the responsibility of the individual organisation,” he says.

Hawthorn says that as the cloud and applications continue to become more vital to operations, businesses must begin to view them as an extension of the firm.

“Data controls need to be enforced at the cloud application level, as opposed to stopping at the business’ network perimeter. Companies and their cloud third parties are being forced into a shared responsibility model due to GDPR, so there will be a greater focus on protecting data wherever it is in its journey.”

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives.