How cybersecurity has changed in recent months
During 2020 we have lived through an event that no one had foreseen and that no one would have chosen to live through, a pandemic, although every cloud has a silver lining: we have finally made the definitive leap into the Cloud.
Businesses have embarked on the migration of their applications and services to cloud environments. Some out of necessity, because they did not have environments ready to be accessed via VPN, or, if they had them, they were sized for a few users and not for the whole company. Others because they have realised that it really is a good and cost-saving solution if you know how to use it.
These changes mean we will see attacks on these environments in the coming months: however much we insist that they are secure (and yes, they are), the weaknesses come from elsewhere.
Companies should therefore reinforce aspects to which they have not paid much attention so far.
In the past, we followed the specifications of the manufacturer or of the department that told us what was needed; we provisioned it and then dedicated ourselves to securing access, whether through network controls, user controls or various permissions. For some time now, most companies have been working with virtualised environments and almost everything is provisioned with this technology, either as complete systems or as containers. So can this be uploaded directly to Cloud environments? The truth is yes, and that would be our first security mistake. We should first ask ourselves the following questions:
Have we checked the security of the code?
In a home environment it is a problem, but in an environment with network access it is a serious problem. Of course, there are two scenarios here as well. If we do not own the code, it is very difficult to get the vendor to let us verify whether it is secure or not, so I would recommend moving to a SaaS service and thus delegating security and responsibility to the provider. If we do own the code, this is the right place to start before uploading anything to the cloud: checking for possible security bugs, whether in the underlying technology or in the code itself, is essential to avoid later scares.
Fortify and BugScout are two good tools; the first has a high cost, so if your budget does not allow it, I would recommend the second. Many people will say that I have forgotten Kiuwan, but I think the first two are more powerful, although, like everything else, that is debatable.
Once we know that our code is secure, we might ask ourselves how we have deployed the environment. It is clear that good hardening of our cloud environment, whether on a public or private network, is something we will need to review constantly, in the same way that we used to check that our networks were secure.
Have we automated deployment?
One thing we should plan for is the automation of the deployment of our services, so that we can have an elastic environment that grows or shrinks according to the needs of each moment (or is switched off and on, because there are hours when the system is not used and it is now pay-per-use, remember that).
Something I consider essential is to have immutable environments and to be able to isolate an environment quickly when we have detected an incident, while continuing to provide the service from a new deployment.
This is very interesting from a security point of view: being able to isolate an environment in which we have detected an incident allows us to study the problem, preserve the evidence, and fix it more efficiently in subsequent deployments.
And finally, identity management (IAM). For our internal services we looked for single sign-on, where we normally relied on LDAP and Active Directory for the authentication of the different systems and achieved the triple A (Authentication - Authorisation - Audit). Now we should have the same thing, but in a cloud environment, where we will have to combine these sources and stop thinking only about roles per person and start thinking about "where we access from, how we access and what we access".
A good IAM system should be able to integrate with the SaaS services we have contracted, as well as with PaaS and IaaS systems, but it should also integrate with our internal LDAP and Active Directory systems to achieve a single point of management for the different services we have available.
One last point about identity management: it is very complex and, from my point of view, it should not be approached as a single project but as multiple projects that gradually integrate the different services; otherwise you can die trying.
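The "where we access from, how we access and what we access" idea above is easier to reason about as an explicit policy evaluation. The following is an added illustration and not code from the article or from Bosonit: it models each access request with a source address (where), an authentication method (how) and a resource plus action (what), denies by default, and writes every decision to an audit list so that authentication, authorisation and audit all meet in one place. The rule set, the network ranges and the attribute names are constructed for the example.

```python
"""Context-aware access decisions (where / how / what) with an audit trail.

Added example, not from the original article; the rules, network ranges and
attribute names below are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

# Assumed corporate address space; in practice this comes from the IAM/network inventory.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class AccessRequest:
    user: str
    source_ip: str      # where we access from
    auth_method: str    # how we access: "password", "mfa" or "certificate"
    resource: str       # what we access
    action: str         # "read" or "write"


@dataclass
class Rule:
    name: str
    resource_prefix: str
    actions: Set[str]
    allowed_auth: Set[str]        # authentication strength required by this rule
    require_corporate_net: bool   # whether the source must be inside CORPORATE_NETS


# Constructed policy: the more sensitive the resource/action, the stronger the context required.
RULES: List[Rule] = [
    Rule("public-docs-read", "docs/", {"read"}, {"password", "mfa", "certificate"}, False),
    Rule("finance-read", "finance/", {"read"}, {"mfa", "certificate"}, True),
    Rule("finance-write", "finance/", {"write"}, {"certificate"}, True),
]

AUDIT_LOG: List[dict] = []   # every decision, allowed or denied, is recorded here


def is_corporate(ip: str) -> bool:
    """True when the source address falls inside one of the assumed corporate ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CORPORATE_NETS)


def _audit(req: AccessRequest, allowed: bool, reason: str) -> Tuple[bool, str]:
    AUDIT_LOG.append({"user": req.user, "resource": req.resource, "action": req.action,
                      "source_ip": req.source_ip, "auth": req.auth_method,
                      "allowed": allowed, "reason": reason})
    return allowed, reason


def evaluate(req: AccessRequest) -> Tuple[bool, str]:
    """Deny by default; the first rule matching resource and action decides, and it
    only allows when both the authentication method and the source network fit."""
    for rule in RULES:
        if not req.resource.startswith(rule.resource_prefix) or req.action not in rule.actions:
            continue
        if req.auth_method not in rule.allowed_auth:
            return _audit(req, False, f"denied: {rule.name} requires one of "
                                      f"{sorted(rule.allowed_auth)}, got {req.auth_method}")
        if rule.require_corporate_net and not is_corporate(req.source_ip):
            return _audit(req, False, f"denied: {rule.name} requires the corporate network, "
                                      f"source was {req.source_ip}")
        return _audit(req, True, f"allowed by {rule.name}")
    return _audit(req, False, "denied: no matching rule")


if __name__ == "__main__":
    # Same user, same resource: the decision changes with where and how the access happens.
    for req in (AccessRequest("ana", "10.1.2.3", "password", "finance/ledger.csv", "read"),
                AccessRequest("ana", "10.1.2.3", "mfa", "finance/ledger.csv", "read"),
                AccessRequest("ana", "203.0.113.7", "mfa", "finance/ledger.csv", "read")):
        print(evaluate(req))
```

The point of the example is the default-deny loop plus the audit record: a role per person is replaced by rules that look at the network the request comes from and the strength of the authentication, and every decision, including the denials, is left in a form a SIEM can ingest.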
I do not want to end these lines without reminding you that a fundamental part of what we have to control is still the logs, perhaps now more than ever, because, as a good friend once told me, "in the logs you will find the truth of your system". Integrating the logs of the cloud environments into a good SIEM will greatly help us to understand what is going on in our environment and to detect possible attacks or unauthorised access.
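To make the SIEM point concrete, here is an added example (not from the article or from Bosonit) of the kind of detection logic a SIEM rule would run over cloud audit events. The log lines are constructed and use a generic one-JSON-object-per-line shape rather than any particular provider's format; the corporate network range and the three rules (successful console login without MFA, successful login from outside the corporate network, and a burst of denied calls from one source address) are assumptions chosen to illustrate the unauthorised-access cases the text mentions.

```python
"""Minimal SIEM-style detections over constructed cloud audit log lines.

Added example, not from the original article. The event format, the corporate
network range and the rule thresholds are constructed for illustration.
"""
import ipaddress
import json
from collections import defaultdict
from typing import Dict, List

# Constructed sample events (one JSON object per line, generic field names).
SAMPLE_LOG = """\
{"ts":"2020-11-03T08:00:01Z","user":"ana","event":"ConsoleLogin","result":"success","mfa":true,"src":"10.1.2.3"}
{"ts":"2020-11-03T08:00:05Z","user":"bob","event":"ConsoleLogin","result":"success","mfa":false,"src":"10.1.2.9"}
{"ts":"2020-11-03T08:01:10Z","user":"svc-deploy","event":"GetObject","result":"denied","mfa":false,"src":"203.0.113.7"}
{"ts":"2020-11-03T08:01:11Z","user":"svc-deploy","event":"GetObject","result":"denied","mfa":false,"src":"203.0.113.7"}
{"ts":"2020-11-03T08:01:12Z","user":"svc-deploy","event":"ListBuckets","result":"denied","mfa":false,"src":"203.0.113.7"}
{"ts":"2020-11-03T08:01:13Z","user":"svc-deploy","event":"GetObject","result":"denied","mfa":false,"src":"203.0.113.7"}
{"ts":"2020-11-03T08:02:00Z","user":"ana","event":"PutObject","result":"success","mfa":true,"src":"10.1.2.3"}
this line is not JSON and must be skipped, not crash the pipeline
{"ts":"2020-11-03T08:03:00Z","user":"carol","event":"ConsoleLogin","result":"success","mfa":true,"src":"198.51.100.4"}
"""

CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate range


def parse_events(text: str) -> List[dict]:
    """Parse one JSON event per line; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a real pipeline would count and forward these to a parse-error index
    return events


def is_corporate(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip) in CORPORATE_NET
    except ValueError:
        return False


def detect(events: List[dict], denied_threshold: int = 3) -> List[dict]:
    """Return one alert dict per finding, each tagged with the rule that fired."""
    alerts: List[dict] = []
    denied_by_src: Dict[str, List[dict]] = defaultdict(list)

    for ev in events:
        if ev.get("event") == "ConsoleLogin" and ev.get("result") == "success":
            # Rule 1: an interactive login that did not use MFA.
            if not ev.get("mfa"):
                alerts.append({"rule": "login_without_mfa", "subject": ev.get("user"), "ts": ev.get("ts")})
            # Rule 2: an interactive login from outside the expected network.
            if not is_corporate(ev.get("src", "")):
                alerts.append({"rule": "login_from_unknown_network", "subject": ev.get("user"),
                               "src": ev.get("src"), "ts": ev.get("ts")})
        if ev.get("result") == "denied":
            denied_by_src[ev.get("src", "unknown")].append(ev)

    # Rule 3: many authorisation failures from one source in the window being analysed.
    for src, evs in denied_by_src.items():
        if len(evs) >= denied_threshold:
            alerts.append({"rule": "denied_burst", "subject": src, "count": len(evs),
                           "users": sorted({e.get("user", "?") for e in evs})})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Two design choices matter for a real deployment: the parser never lets a malformed line stop ingestion, because an attacker-controlled field can be anything, and each alert carries the rule name and the raw subject so the analyst can pivot straight back to the source events.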
For all these reasons, we can say that the profiles and services most in demand in the coming months will be DevSecOps, cloud security architects and regulatory compliance architects, to ensure that services do not breach regulations or put systems at risk.
Reminder: the fact that there are new needs does not mean that we forget what we were doing until now; the existing controls stay in place until a service stops being provided completely and is decommissioned from our environment.
Article by José María Pulgar, CISO at Bosonit.