The recent Storm-0558 attack has highlighted the value of maintaining both in-house and cloud security providers when transitioning workloads to the cloud. The question of which is more secure on-premise vs cloud remains one of varying opinions and delicate nuances. Proponents of the cloud argue it is more secure due to SaaS providers being directly responsible for maintaining their cloud-based apps vice individual organizations. Furthermore, few on-premise environments can claim comprehensive data encryption, availability, and overall infrastructure resiliency to the extent of cloud datacenters. However on-premise supporters tend to offer a simpler rebuttal, they can more confidently say where there data is stored and who has access to it. Both perspectives offer valid points, yet tend to agree that the answer to this enduring question is relative to how organizations identify risk. There is one point however that both sides can agree upon and that is to make sure you bring your internal cyber program along for the cloud migration journey.
Our Take: There have been a plethora of cloud migration myths like moving to the cloud saves money or worse yet the service provider is secure, so as the customer you no longer need to maintain a robust internal cyber program. Needless to say, both of these myths are inaccurate and show a lack of understanding around risk and total cost of ownership. Regardless of where workloads are hosted, and data resides the organization still owns residual risk from cloud usage and every aspect of data protection. As such any consideration to outsource your cyber program in its entirety should take recent cyber-attacks into close consideration.
The Storm-0558 attack clearly illustrates the value of incorporating your internal cyber team with any cloud migration effort. In doing so the organization is pairing institutional knowledge of their current risk posture and defense in-depth strategies with the latest cloud centric security capabilities, which will enable more tailored defensive strategies for the workload being migrated. Case in-point, the internal cyber team at the US Dept of State (DoS) was involved with the DoS’s cloud email migration and identified a potential weakness in the cloud security offering. Which resulted in the creation of a custom alert known as the “Big Yellow Taxi” and would trigger would on any attempt to exploit the potential security gap. The combination of this one alert plus the watchful eyes of a diligent analyst enabled the detection of nation state activity within their email tenant. This discovery would grow to involve additional cloud tenants and expand to highlight poor token management and monitoring practices on behalf of the service provider.
The takeaway from this event is for organizations to consider augmenting their internal cyber teams in lieu of exchanging them entirely for a managed security service provider. Secondly, find ways to effectively address any identified security gaps; consider adding a comprehensive cloud security suite with robust asset discovery and compliance management like the Qualys Cloud Platform. Lastly, recognizing the increased targeting of cryptographic assets, consider adding a cryptographic discovery & visibility solution from InfoSecGlobal to your cyber toolkit.
By adopting a blended internal/cloud cyber security program, in conjunction with effective cyber tools, organizations can further buy down risk and help keep parity with constantly evolving cloud threats.
Additional Reading:
