Top 3 Ways to Protect Your Cloud Against Inside Threats
Just as the SolarWinds hack is consuming the attention of the technology industry as well as the public, there was another interesting piece of security news that has seemingly flown under the radar. An ex-Cisco employee was convicted and sentenced to two years in jail for compromising Cisco’s cloud infrastructure and deleting 16,000 WebEx accounts. An insider threat that cost Cisco $1 million just in customer refunds in addition to their own engineering costs and reputational damage.
This is the sort of thing that keeps business leaders and cloud practitioners alike up at night. Prior to the cloud era companies secured their datacenter infrastructure through a monolithic network perimeter, the vaunted corporate network. In the cloud, the identity (a user or service) serves as the perimeter in what’s often referred to as a Zero Trust Environment. Understanding what your cloud identities are doing as well as your overall cloud posture is fundamental to cloud security.
In the Cisco situation an ex-employee, who had a cloud identity, was able to do significant damage. So, how did this even happen and what can be done to ensure it doesn’t happen to your company? Intentional or not, there are plenty of ways to prevent this from happening.
Ensure you have visibility into your cloud and not just your pipelines
There are lots of great devsecops tools out there, both open source and proprietary. But these tools are often project oriented and don’t provide an organization-wide view. Also, while it’s absolutely critical to build security into your devops pipelines, you still need to track what’s actually in your cloud because that’s where your risk is. Many devops-forward organizations forget this and end up with blind spots.
Understand and track the users and identities making changes in your cloud
In the cloud there are many more non-human identities making changes to your environment and it’s critical to understand what they’re doing. Many times these non-human identities are cloud owned, so Microsoft or Amazon identities making changes as part of a cloud services. But increasingly often these non-human identities are actually Terraform deployments or other devops provisioning. More simply, you need to know the configuration drift that’s the result of changes made by both human and non-human identities.
Audit user identities and cloud inventory on a regular basis
If you have the right visibility in place you should be able to see everything you have and how it’s configured. When something changes about your environment, you should be able to easily identify who did it, what was changed, and what did it look like before. Your user identities, human and non-human, should be part of that inventory and it’s best-practice to audit these items regularly.
There are some real questions about the Cisco situation - like why wasn't the employee off-boarded after leaving the company – but what’s valuable to the rest of us is taking it as a lesson. Securing your cloud means ensuring your organization possess the visibility and intelligence you need to get control of your enterprise cloud environment and stay out of the headlines.