Continuous Monitoring - why is it key to your cloud survival
Updated: Nov 22, 2020
Are we cloud safe?
How would you know that something has gone wrong before it becomes a problem? Easy: keep an eye on it, and let alerts and signals tell you the moment it happens.
In this article, we will explore the how and why of continuous monitoring.
Some Statistics from the latest Cloud security report
The top four public cloud security threats: the leading threat cited by respondents was misconfiguration of the cloud platform (68%), up from third place in 2019's survey. It was followed by unauthorized cloud access (58%), insecure interfaces (52%) and the hijacking of accounts (50%).
The main security barriers to cloud adoption: respondents named a lack of qualified staff (55%) as the biggest barrier to adoption, up from fifth place in last year's survey. 46% cited budget constraints, 37% data privacy issues and 36% a lack of integration with on-premises security.
Existing security tools struggle with public clouds: 82% said their traditional security solutions either do not work at all or provide only limited functions in cloud environments, up from 66% in 2019, highlighting an increase in cloud security issues over the past 12 months.
Public cloud is riskier: 52% of respondents considered the risk of security breaches in public clouds higher than in traditional, on-premises IT environments. Just 17% see lower risks, and 30% believe the risks are about the same between the two environments.
Cloud security budgets to rise: 59% of organizations expect their cloud security budget to increase over the next 12 months. On average, organizations allocate 27% of their security budget to cloud security.
Why Continuous Monitoring
Continuous monitoring provides real-time visibility of users and their devices on a network, and can be viewed as a continuous, ongoing assessment of security controls. It covers the point at which users attempt to connect to or work on an enterprise network, includes every connected device regardless of type, and allows IT professionals to stay ahead of cyber threats. With this strategy, IT professionals monitor and enforce compliance requirements regardless of where the data resides, be it local storage, a data centre or the cloud.
In the year 2017, Capital One, an American bank, faced a major security breach that saw the theft of more than 100 million customers' accounts and credit card applications. This led to more than 100 million in damages from containing the data breach. The offending party, a former Amazon Web Services employee, was able to gain access to the data using a previously unknown vulnerability in the platform. The company and Amazon have since addressed the vulnerability. The question remains, though: could this have been prevented?
Continuous monitoring, if implemented, could at least have prevented the theft of data, if not the unauthorized access itself. As defined by the National Institute of Standards and Technology, the continuous monitoring process involves the following steps: defining a continuous monitoring strategy, establishing metrics and assessment criteria, implementing the program to collect the data, analysing the findings, responding to the reports, and reviewing and updating the continuous monitoring program. A continuous monitoring strategy is used to determine whether the existing security controls are adequate and effective against new exploits and attacks. Through continuous monitoring, Capital One could have detected a rogue, unrecognised device on their network, which would have prevented the attacker from even being able to access services on it. Had the attacker disguised their device, for example by changing its MAC address, the continuous monitoring process would still have been able to detect an unusual amount of traffic between the device and the network. The attacker accessed the accounts of more than 100,000 customers; this would have immediately raised a flag, and the organization would have been able to lock the attacker out of their network. Continuous monitoring would also have detected the vulnerability on the network through continuous evaluation of the existing security practices on it.
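The two signals the paragraph above relies on, an unrecognised device and one principal reading an unusual number of customer records, as a small detector run over constructed access events. This is an added example, not code from the article; the inventory, field names, thresholds and sample events are all assumptions.

```python
# Added example (not from the article): a small detector in the spirit of the
# continuous-monitoring response described above. It flags (a) devices absent
# from the inventory and (b) principals reading an unusual number of distinct
# customer records. Field names, thresholds and sample events are assumptions.
from collections import defaultdict

# Constructed inventory of known device identifiers (MAC-style ids assumed).
KNOWN_DEVICES = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

# Constructed access events: (timestamp, device_id, principal, customer_record).
SAMPLE_EVENTS = [
    ("2020-11-22T10:00:00", "aa:bb:cc:00:00:01", "alice", "cust-1001"),
    ("2020-11-22T10:00:05", "aa:bb:cc:00:00:01", "alice", "cust-1002"),
    ("2020-11-22T10:01:00", "de:ad:be:ef:00:01", "svc-backup", "cust-2001"),
] + [
    ("2020-11-22T10:02:%02d" % i, "aa:bb:cc:00:00:02", "svc-backup", "cust-%d" % (3000 + i))
    for i in range(25)
]

# Assumption: baseline of distinct records one principal normally touches in a window.
DISTINCT_RECORD_THRESHOLD = 20


def unknown_devices(events, known=KNOWN_DEVICES):
    """Device ids seen in events that are not in the inventory."""
    return {dev for _, dev, _, _ in events if dev not in known}


def bulk_access_principals(events, threshold=DISTINCT_RECORD_THRESHOLD):
    """{principal: distinct record count} for principals above the threshold."""
    seen = defaultdict(set)
    for _, _, principal, record in events:
        seen[principal].add(record)
    return {p: len(r) for p, r in seen.items() if len(r) > threshold}


def alerts(events, known=KNOWN_DEVICES, threshold=DISTINCT_RECORD_THRESHOLD):
    """Alert lines in triage order: unknown devices first, then bulk reads."""
    out = [f"UNKNOWN_DEVICE device={d}" for d in sorted(unknown_devices(events, known))]
    for principal, n in sorted(bulk_access_principals(events, threshold).items()):
        out.append(f"BULK_RECORD_ACCESS principal={principal} distinct_records={n}")
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print(line)
```

In a real deployment the inventory would come from the asset register and the threshold from a per-principal baseline, with the alerts feeding the "respond" step of the NIST process.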
An IAM user is an entity created on the cloud and used to interact with the cloud service. Its primary role is to provide credentials for the persons or organizations using the cloud, normally consisting of a username and password. Root privileges are provided to the holder of the cloud account. The IAM role defines what the user can and cannot do on the cloud. Amazon recommends using the root user for provisioning services and configuration on the cloud, with other users created to handle daily tasks. Even so, this approach still poses two critical challenges to cloud safety: the IAM user and role can be vulnerable through misconfiguration and through identity theft. Misconfiguration results from improper provisioning of services, user accounts and roles on the cloud. An improperly configured user can gain elevated privileges by using services that were never in their domain of control; a normal user can gain access to the security services on the cloud if access is not properly restricted. The other major vulnerability of IAM roles and users is identity theft. A malicious user may obtain the credentials of a user on the network using attack vectors such as ARP poisoning and, if that account has sufficient privileges, gain access to the entire cloud infrastructure belonging to the organization. Of course, this can be countered with multi-factor authentication and encryption of data, but should the attacker have access to all of these as well, none of them can do anything to hinder him or her.
Misconfiguration is a major drawback to cloud security. It is defined as the improper setting of standards and measures on the cloud. Misconfiguration normally occurs at the firewall level but is not limited in scope: any service or user that can be configured can also be misconfigured. It is a major hurdle to cloud security in two ways: access control and user management. To properly secure a network, measures need to be put in place to restrict user access and to authenticate users. When these are misconfigured, an unauthorized user can gain access to privileged information, compromising the security of the organization's data. With regard to user management, a misconfigured user can possess privileges they should not have, allowing them to access and perform actions they are not responsible for. An elevated user can trigger service starts and stops and can, in theory, remove security measures already in place. This can be seen in the Capital One case, where the former employee was able to access data using credentials they possessed at the time of their employment. To counter this, all users must be vetted and the credentials of former employees revoked. The root user should also ensure the safety of the network by assigning roles based on task and by constantly reviewing users.
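The IAM misconfiguration discussed in the two paragraphs above, a daily-task user granted services outside its domain of control, shown as an over-broad policy beside its narrowed form, with a check that a continuous review of users could run against every policy document. This is an added example, not code from the article or from AWS; the two sample policies, the bucket name and the finding labels are constructed.

```python
# Added example (not from the article or from AWS): a check for the IAM
# misconfiguration described above, a daily-task user granted more than its
# task needs. Policies follow the IAM JSON policy document shape; both sample
# policies and the finding labels are constructed for this illustration.
import json

# Constructed: a "daily task" policy that over-grants (wildcard action and resource).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed: the same intent narrowed to the one bucket the task needs.
CORRECTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
    }],
})

# Assumption: service prefixes a non-administrative user should never be granted.
SENSITIVE_SERVICES = {"iam", "organizations", "sts"}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def findings(policy_json):
    """Sorted finding labels for every Allow statement in the policy document."""
    found = set()
    for idx, stmt in enumerate(_as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            found.add(f"stmt{idx}:NEGATED_MATCH")  # allow-all-except is hard to bound
        actions = _as_list(stmt.get("Action", []))
        if "*" in actions:
            found.add(f"stmt{idx}:WILDCARD_ACTION")
        if "*" in _as_list(stmt.get("Resource", [])):
            found.add(f"stmt{idx}:WILDCARD_RESOURCE")
        for action in actions:
            service = action.split(":", 1)[0].lower()
            if service in SENSITIVE_SERVICES:
                found.add(f"stmt{idx}:SENSITIVE_SERVICE:{service}")
    return sorted(found)


if __name__ == "__main__":
    print("weak:", findings(WEAK_POLICY))           # two wildcard findings
    print("corrected:", findings(CORRECTED_POLICY))  # no findings
```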
Continuous compliance provides a single source of ground truth on the compliance of applications and workflows on the cloud. It is a managed service delivered by cloud technology partners which ensures that the user meets the compliance, security and control requirements for the workloads running on publicly accessible clouds. The benefits of continuous compliance include:
Continuous monitoring of both technical and non-technical compliance controls at all levels of the cloud, including IT compliance, corporate governance and regulatory controls on the cloud.
A centralised source of GRC (governance, risk and compliance) information for the cloud environments.
Reduced time and complexity of carrying out audits on the cloud, as everything can be accessed from a central location.
The most up-to-date policies and regulations from the organization and continuous synchronization of new services and capabilities on the cloud.