The cornerstone of digital transformation is the migration of apps and data to the cloud. There are obvious benefits to doing this. Businesses become more nimble and agile, and the cost of maintenance and development is off-loaded to a third-party. The benefits are so profound that, as of 2019, 84% of businesses used cloud-based SAAS (software as a service) apps.
However, there exists a common misperception that organizations can trust their security to the cloud provider. This however is almost always not the case, especially when it comes to large cloud providers like AWS, Oracle, and Microsoft, who rely on the shared responsibility security model. Such is the confusion around this model though that 82% of CISOs report a security incident related to misunderstanding or misinterpreting the shared responsibility model. Indeed, when polled, only 10% of CISOs stated that they really understood it.
This disconnect between cloud utilization and understanding how to secure the data in the cloud presents an obvious risk to organizations, but one that might be easier to manage than you think.
What is the shared responsibility model?
The shared responsibility model basically says that the cloud provider will secure the cloud architecture itself, while the customer is responsible for securing data and apps in the cloud. Sounds simple? In theory, yes. But in practice it can be much more difficult to do. Securing data housed in an offsite cloud may require intimate familiarization with the specifics of the cloud environment, and a lot of attention to detail when it comes to not only major security measures like firewalls, but even seemingly small things like configuring webapp headers. Regular patching and update cadences must be maintained, and regular management audits must be done to ensure data is secure.
This was already difficult for many teams when assets were primarily on-premise, but with the move to an off-site cloud there is the danger of an “out of sight, out of mind” mentality creeping in, and not everyone who has access to a cloud environment will be aware of the unique security risks and requirements.
Complicating matters further is that even if a CISO or security manager understands the shared responsibility model and is ensuring new cloud services are brought online properly, there is little guarantee that existing cloud infrastructure that was spun up years ago or under a predecessor was properly configured. Furthermore, infrastructure that was brought on board as part of an M&A deal may not be set up correctly, and geographical regions may have their own specific requirements. Shadow IT can make the job even more difficult, since by definition security teams are probably not even aware of apps or cloud services bought without their approval.
With security teams already overwhelmed, how can the task be made more manageable?
The solution starts with visibility
To ensure your cloud is secure, you need to know which clouds your organization is operating in and what data and apps are stored on them.
Sounds obvious, right?
However that’s typically one of the most difficult tasks security teams face. Traditionally, organizations have relied on highly manual processes like spreadsheets to try and track their assets, updates, patches, etc… but these “living” documents are highly error prone, time consuming, and lack a discovery function that let’s security teams find hidden or rogue assets.
First, managers must understand their organization’s attack surface. The attack surface is defined as the total sum of digital assets that can be exploited by hackers, including on-premise networks, but particularly cloud infrastructures and their potential vulnerabilities. The ability to assess where risk might be hiding throughout the entire digital ecosystem, and how well the organization’s security controls address that risk, is critical.
That’s where BitSight Attack Surface Analytics becomes a crucial part of an organization’s security stack, by helping security teams discover the entire extent of their digital ecosystem and shine a light on their vulnerabilities.
Securing your attack surface
Attack Surface Analytics provides a broader view of the attack surface and the effectiveness of the security controls used to protect it. It gives security leaders an easy, visual way to prioritize cyber risk management initiatives and collaborate internally (as well as externally with vendors) to strengthen the organization’s overall posture.
With Attack Surface Analytics, teams can discover all the clouds and apps in their digital ecosystem, even legacy clouds associated with an old merger or acquisition, or those in geographically distributed subsidiaries. Managers are often surprised by the extent of their ecosystem, but the first step to reducing risk is to know where the risk is present. Attack Surface Analytics can also show if there are any materially significant findings within the cloud, such as misconfigured webapp headers, bad or outdated SSL certs, malware, and more to help your team prioritize where to focus remediation efforts. Furthermore, comparative analysis lets security leaders evaluate the comparative security performance of different cloud providers or geos.
The data points from Attack Surface Analytics are presented in a way that is tailored for reporting, with easy-to-understand metrics and actionable data points. This allows security leaders to report on their work in meaningful ways and align their priorities to the business to improve outcomes and reduce the risk associated with digital transformation.
Read our white paper to learn more about how to reduce the risk in your cloud environment.
There’s no question about it: Being exposed to cyber risk is an inevitable part of doing business in today’s world. In fact, a recent ESG study found that 82% of organizations believe that cyber risk has increased over the past two years.
Your IT department spends a great deal of time distributing security information and maintaining your organization’s internal security processes. Unfortunately, a persistent threat, deemed shadow IT, is still making its way into your...
It’s every security manager's worst nightmare. A member of the IT department reaches to alert that malicious software has been detected on an internal network, and the hacker potentially has access to layers of sensitive data. In the...