“Content management systems, especially WordPress, Joomla and Django, are used as platforms for web applications far more than most people realize and have numerous vulnerabilities,” says Govshteyn. “It’s possible to keep these systems secure, but only if you understand what web frameworks and platforms your development teams tend to use. Most security people barely pay attention to these details, and make decisions based on bad assumptions.”
To minimize the impact from cloud threats, Alert Logic has three primary recommendations:
- Rely on application whitelisting and block access to unknown programs. This includes doing risk vs. value assessments for each app used in the organization.
- Understand your own patching process and prioritize deployment of patches.
- Restrict administrative and access privileges based on current user duties. This will require keeping privileges for both applications and operating systems up to date.
How to secure the cloud
According to a survey by market researcher VansonBourne, sponsored by network monitoring solutions provider Gigamon, 73 percent of respondents expect the majority of their application workloads to be in the public or private cloud. Yet 35 percent of those respondents expect to handle network security in “exactly the same manner” as they do for their on-premises operations. The remainder, though reluctant, believe they have no choice but to change their security strategy for the cloud.
Granted, not every company is migrating sensitive or critical data to the cloud, so for them there is less reason to change strategy. However, most companies are migrating critical and proprietary company information (56 percent) or marketing assets (53 percent). Forty-seven percent expect to have personally identifiable information in the cloud, which has implications due to new privacy regulations such as the EU’s GDPR.
Companies should focus on three main areas for their cloud security strategy, according to Govshteyn:
- Tools. The security tools you deploy in cloud environments must be native to the cloud and able to protect web applications and cloud workloads. “Security technologies formulated for endpoint protection are focused on a set of attack vectors not commonly seen in the cloud, and are ill-equipped to deal with OWASP Top 10 threats, which constitute 75 percent of all cloud attacks,” says Govshteyn. He notes that endpoint threats target web browsers and client software, while infrastructure threats target servers and application frameworks.
- Architecture. Define your architecture around the security and management benefits offered by the cloud, not the same architecture you use in your traditional data centers. “We now have data showing that pure public environments allow enterprises to experience lower incident rates, but this is only achievable if you use cloud capabilities to design more secure infrastructure,” says Govshteyn. He recommends that you isolate each application or microservice in its own virtual private cloud, which reduces the blast radius of any intrusion. “Major breaches such as Yahoo began with trivial web applications as the initial entry vector, so the least important applications often become your biggest problem.” Also, rather than patching vulnerabilities in place in your cloud deployments, deploy new cloud infrastructure running the most recent code and decommission the old infrastructure. “You can only do this if you automate your deployments, but you will gain the level of control over your infrastructure you could never achieve in traditional data centers,” says Govshteyn.
- Connection points. Identify points where your cloud deployments are interconnected to traditional data centers running legacy code. “Those are likely to be your biggest source of problems, as we see a clear trend that hybrid cloud deployments tend to see most security incidents,” he says.