End Users Need to Take More Responsibility for Cloud Security


1Q 2019 | IN-5391

Cyberattacks that target supply chain operations have been rare compared with more traditional forms of hacking, such as spear phishing and malware attacks. Still, supply chain attacks become easier to launch, and to sustain for years, when networks already carry cybersecurity vulnerabilities. ABI Research has found that malware can stay dormant in corporate networks for an average of 36 months, which increases the supply chain's exposure to security risks. Increased migration to the cloud means that supply chain security will become an even higher priority for enterprises.




An Unwanted and Untimely Distraction


Last week, Vodafone announced that it had decided to “pause” the use of Huawei equipment in its core networks across Europe. This marked the latest instance of a telecommunications firm distancing itself from Huawei since it was claimed that the latter’s hardware was being used by the Chinese government for espionage. Further moves to remove Huawei technology from phone networks are only likely to grow in number as new 5G mobile networks are rolled out in 2019. Historically, sensitive information at the core of telecommunications networks was protected by confining high-risk vendor equipment to the edge of the network. 5G networks collapse the distinction between core and edge, exposing the entire network to an increased level of threat. However, a focus on the security of hardware alone is an unwanted distraction. As enterprises move to the cloud, a discussion needs to be had about a well-established but underappreciated security risk: attacks aimed at cloud service providers and at the third parties that contribute to the IT supply chain.

The Growth in Risk Sources, Multi-Cloud Solutions, and Cloud Buckets Incidents


Why did supply chain security become a more pressing issue for cloud users in 2018?

The Growing Number of Risk Sources: In January 2018, the UK National Cyber Security Centre (NCSC) published guidance on how to protect against the four most prevalent types of supply chain attack. The guidance highlights third-party software providers, website builders, and external data stores as the most common entry points in any company’s IT supply chain. As enterprises move to the cloud, they may not be fully aware of the vendors to which they are linked. Third-party service providers can engage fourth parties; as the supply chain grows, the principal becomes less able to identify who its service providers actually are. Every provider, known or unknown, represents a point of vulnerability, and this multiplication of risk grows in step with the complexity of the IT supply chain.

The Growth of Multi-Cloud Markets: The security risk carried by the IT supply chain is also exacerbated by the emergence of multi-cloud markets. On the one hand, a multi-cloud market allows end users to avoid vendor lock-in and to spread, and so mitigate, security risk. On the other hand, the custom combination of several cloud vendors’ or software suppliers’ services makes the security supply chain even more complex and multi-faceted. Enterprises, particularly SMEs, would be hard pressed to find and afford the resources to assess the security risks of numerous cloud and software suppliers. Large and multinational firms, for their part, are more likely to be bound to complex supply chains and the multiplication of risk this entails.

Increasing Rate of Leaking Cloud Bucket Incidents: In the last year, notable organizations such as Uber, Verizon, Viacom, Dow Jones, and even U.S. military organizations have been affected by such incidents. Every public cloud storage service offers buckets, which house data objects in the cloud. Leaking Cloud Bucket incidents refer to the exposure of data stored on public clouds. This leakage is the direct result of a misconfigured storage bucket. Enterprises choose how storage buckets are configured, including (1) the region in which each bucket is maintained, (2) the lifecycle rules for objects in the bucket, and (3) general access rights. Of these, it is the access rights that leak data: a bucket or object whose permissions grant read access to anyone, rather than to named identities, is readable by anyone who discovers its name.

End Users Need to Take Active Responsibility and Manage the Security of Their Cloud Infrastructure


ABI Research recommends a three-pronged strategy for enterprises wishing to improve the security of their infrastructure:

Invest in Hybrid Cloud Infrastructures: The emergence of multi-cloud markets has been paralleled by the rise of hybrid cloud markets. The number of hybrid cloud offerings multiplied in 2018. With the exception of AWS, all the major public cloud giants developed private cloud offerings. Enterprises can benefit from the scalability and flexibility of public clouds while keeping their most sensitive data on a private cloud. Note that this only reduces exposure if the private cloud is held to at least the same configuration and access-control standards as the public one; moving data behind a different perimeter does not by itself make it safer.

Take Simple Precautions to Avoid Leaking Cloud Buckets: Measures include (1) encrypting data stored on public clouds and restricting access to the encryption keys to a small number of staff, (2) using a multi-layer access control system that starts from the access permissions of the bucket itself, (3) investing in data loss prevention (DLP) software, and (4) using Enterprise Mobility Management (EMM) and Mobile Device Management (MDM) tools to eliminate shadow IT and create secure productivity spaces on corporate-provided and bring-your-own (BYOD) devices. Enterprises can also arrange periodic penetration tests.
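The two passages above (the misconfigured-bucket incidents and precautions (1) and (2)) describe what a leaking bucket looks like and what a layered access control should enforce. The following is an added example, not code from the page or from ABI Research, that audits an S3-style bucket configuration offline: it checks the Block Public Access settings, then the bucket policy, then the ACL, and contrasts a constructed weak configuration with a hardened one whose policy also refuses unencrypted uploads and plaintext transport. The policy, ACL and Block Public Access documents follow the JSON shapes AWS uses, but the bucket name, account ID and role name are placeholders and come from no real account.

```python
"""Audit an S3-style bucket configuration for public exposure.

Added example, not code from the page or from ABI Research. The policy, ACL
and Block Public Access documents are constructed for illustration: they use
the JSON shapes AWS uses, but the bucket name, account ID and role name are
placeholders and come from no real account.
"""
import json

# Predefined S3 groups; a grant to either makes an ACL public.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BPA_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_policy_statements(policy):
    """(Sid, actions, has_condition) for each Allow granted to everyone.
    Deny statements with Principal "*" are how encryption or TLS is enforced
    on a bucket, so only Allow statements are reported."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"),
                         _as_list(stmt.get("Action", [])),
                         bool(stmt.get("Condition"))))
    return findings

def public_acl_grants(acl):
    """(group URI, permission) for grants to AllUsers/AuthenticatedUsers."""
    return [(g["Grantee"]["URI"], g.get("Permission"))
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GROUPS]

def block_public_access_gaps(config):
    """Block Public Access settings that are not switched on."""
    return [k for k in BPA_SETTINGS if not config.get(k, False)]

def audit_bucket(policy, acl, public_access_block):
    """Layered check: bucket-level BPA first, then the policy, then the ACL."""
    return {"bpa_gaps": block_public_access_gaps(public_access_block),
            "public_statements": public_policy_statements(policy),
            "public_acl_grants": public_acl_grants(acl)}

# Constructed "weak" configuration: world-readable objects, public ACL,
# Block Public Access fully disabled.
BUCKET = "arn:aws:s3:::example-corp-backups"  # placeholder bucket
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": BUCKET + "/*"}]}
WEAK_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI":
            "http://acs.amazonaws.com/groups/global/AllUsers"},
            "Permission": "READ"}]}
WEAK_BPA = dict.fromkeys(BPA_SETTINGS, False)

# Constructed hardened configuration: one named role may read/write, uploads
# must be KMS-encrypted, plaintext transport is refused, BPA is on.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BackupRoleOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET + "/*"},
    {"Sid": "DenyUnencryptedUploads", "Effect": "Deny", "Principal": "*",
     "Action": "s3:PutObject", "Resource": BUCKET + "/*",
     "Condition": {"StringNotEquals":
                   {"s3:x-amz-server-side-encryption": "aws:kms"}}},
    {"Sid": "DenyPlaintextTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}
HARDENED_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser",
                "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}]}
HARDENED_BPA = dict.fromkeys(BPA_SETTINGS, True)

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_POLICY, WEAK_ACL, WEAK_BPA)),
                        ("hardened", (HARDENED_POLICY, HARDENED_ACL,
                                      HARDENED_BPA))):
        print(label, json.dumps(audit_bucket(*args), indent=2))
```

The order of the checks mirrors the layering the text recommends: Block Public Access settings override a permissive policy or ACL, so a gap there is the first thing to fix; the policy is checked next because it is where anonymous `Principal: "*"` grants usually creep in; and object ACLs are checked last because they can make individual objects public even under a sound bucket policy. Run against a real account, the three inputs would come from the storage service's get-policy, get-ACL and get-public-access-block calls rather than from the constructed documents above.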

Take Greater Responsibility for Their Software Suppliers’ Security Standards: Enterprises need to move quickly and consistently to ensure that security standards are being met across the supply chain. An annual questionnaire that vets the security of vendors will not suffice. As more enterprises move to the cloud, attackers will inevitably discover additional security vulnerabilities. The swift evolution of supply chain attacks must be met by equally responsive and agile reactions from enterprises, which could include increasing the capacity of due diligence staff. Enterprises may be unwilling to incur the added cost of due diligence activities; however, the cost of recovery, including damage to the brand, could far exceed that of the most expensive security setup.

Ultimately, proactive initiatives and end-user monitoring of supply chain security risks should not be viewed as a panacea. Beyond the recommendations noted above, cloud vendors, software suppliers, and government agencies can also act to improve the security of the supply chain. There is no one-size-fits-all solution for enterprises wishing to improve the security of their cloud infrastructures. Security strategies will inevitably depend on (1) regulatory and regional landscapes, (2) the complexity of different IT supply chains, and (3) enterprises’ current and future investments in cybersecurity due diligence.
