Moving to the cloud doesn't mean outsourcing your entire security infrastructure, argues Max Heinemeyer of Darktrace
More than nine in 10 organisations are expected to adopt the hybrid cloud by 2020. While this transition is undeniably beneficial for most businesses, from start-ups to established multinationals, it also brings its own risks.
Alongside the growth in cloud adoption, the challenge of securing critical data has taken on a new dimension. Because on-premises servers are so often hit by malware or insider misuse, a common misconception has taken hold that data stored in the cloud is somehow safer than data resting on company file servers. This is not necessarily the case: data on cloud infrastructure is only as safe as the controls around it, and may be just as exposed as any other corporate data store.
Much of this risk comes from misjudging where cloud servers sit on the network. Although rented by the company and used every day for core business purposes, they are outside the corporate perimeter: every connection to them crosses that perimeter and traverses the public internet unless it is carried over a VPN or another authenticated, encrypted channel. Data that moves to and from the cloud in the clear can therefore be read by anyone positioned on the path, whether passively sniffing a hop or actively interposing as a man-in-the-middle, and an opportunistic attacker who captures usernames, passwords and other sensitive details can use them for direct corporate data theft.
The reality is that while organisations can outsource their IT services, they cannot outsource their security function altogether. Protecting the cloud comes with its own challenges: the provider's native controls cover the provider's side of the shared-responsibility boundary, not how the customer configures, connects to and uses the service, and third-party security solutions have blind spots of their own.
Visibility is crucial - before and during investment
A city government in the USA had outsourced the storage of its SQL databases to a cloud storage provider. However, it had never checked how its database clients connected to that server by default, and in particular whether those connections were encrypted. Addresses, phone numbers, vehicle registration plate numbers: the city government was uploading it all to the external database over unencrypted connections.
This highly sensitive data was intended for limited access by select employees within the city government, but the oversight made it readable by anyone able to intercept the traffic at the network perimeter or on any hop along its route across the internet, simply by collecting the data-rich MySQL packets as they passed in the clear.
Darktrace Cloud detected an unusual SQL connection from a desktop device inside the organisation to a rare external IP address. Packet capture confirmed that the connection was MySQL and, because the session was unencrypted, the captured packets exposed the sensitive personal data in plaintext.
The customer was unaware of this exposure, which had gone undetected by its entire security stack: a cleartext database session to a legitimate server matches no signature, because nothing about it is malicious in itself. An attacker could easily exploit it to gather material for spear-phishing attacks or potentially even identity fraud.
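The check that would have caught the exposure above cannot rely on port numbers alone: an encrypted MySQL session and a cleartext one both run on TCP 3306 and look identical at the flow level. The difference is visible in the client's first packet after the server greeting, where the CLIENT_SSL capability bit tells the server whether the connection is about to switch to TLS. The following Python is an added example, not code from the original article or from Darktrace: it parses that packet, then runs the test over a handful of constructed flow records (documentation-range and private addresses, not real hosts) to flag internal devices speaking cleartext MySQL to external addresses. The packet builder, the sample records and the internal-network list are all assumptions made for the illustration.

```python
import ipaddress
import struct

# Capability flag bits from the MySQL client/server protocol
# (Protocol::CapabilityFlags). Only the ones this check needs.
CLIENT_PROTOCOL_41 = 0x00000200        # client speaks the 4.1+ handshake
CLIENT_SSL = 0x00000800                # client will switch to TLS after this packet
CLIENT_SECURE_CONNECTION = 0x00008000  # 4.1 auth with length-prefixed auth response

MYSQL_PORT = 3306


def parse_client_capabilities(packet: bytes) -> int:
    """Return the capability flags from the client's first packet after the
    server greeting (an SSLRequest or a HandshakeResponse41).

    Wire format: 3-byte little-endian payload length, 1-byte sequence id
    (1 for this packet), then the payload, which starts with the flags.
    """
    if len(packet) < 6:
        raise ValueError("too short for a MySQL packet header plus flags")
    payload_len = int.from_bytes(packet[:3], "little")
    seq_id = packet[3]
    payload = packet[4:4 + payload_len]
    if seq_id != 1:
        raise ValueError(f"expected sequence id 1, got {seq_id}")
    if len(payload) < 2:
        raise ValueError("truncated payload")
    low = int.from_bytes(payload[:2], "little")
    if not low & CLIENT_PROTOCOL_41:
        # Pre-4.1 HandshakeResponse320 carries only 2 bytes of flags.
        return low
    if len(payload) < 4:
        raise ValueError("truncated HandshakeResponse41")
    (caps,) = struct.unpack_from("<I", payload, 0)
    return caps


def client_requested_tls(packet: bytes) -> bool:
    """True only if the client set CLIENT_SSL. Anything else stays cleartext,
    including the credentials and every row that follows."""
    return bool(parse_client_capabilities(packet) & CLIENT_SSL)


def build_client_packet(caps: int, username: bytes = b"app") -> bytes:
    """Constructed test vector (assumption for this example, not a capture):
    an SSLRequest when CLIENT_SSL is set, otherwise a minimal
    HandshakeResponse41 with an empty auth response."""
    payload = struct.pack("<IIB", caps, 1 << 24, 0x21) + b"\x00" * 23
    if not caps & CLIENT_SSL:
        payload += username + b"\x00" + b"\x00"  # NUL-terminated user, 0-length auth
    return len(payload).to_bytes(3, "little") + b"\x01" + payload


def cleartext_mysql_to_external(records, internal_nets):
    """records: iterable of (src_ip, dst_ip, dst_port, client_first_packet).
    Returns the (src, dst) pairs that speak cleartext MySQL to an address
    outside internal_nets: the pattern in the city-government case above."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = []
    for src, dst, port, pkt in records:
        if port != MYSQL_PORT:
            continue
        dst_addr = ipaddress.ip_address(dst)
        if any(dst_addr in n for n in nets):
            continue  # internal destination; out of scope for this check
        if not client_requested_tls(pkt):
            hits.append((src, dst))
    return hits


# Constructed sample flows (assumed for the example; 203.0.113.0/24 is a
# documentation range, 10.0.0.0/8 stands in for the corporate network).
BASE_CAPS = CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION
SAMPLE_RECORDS = [
    ("10.20.1.15", "203.0.113.40", 3306, build_client_packet(BASE_CAPS)),              # cleartext, external
    ("10.20.1.16", "203.0.113.40", 3306, build_client_packet(BASE_CAPS | CLIENT_SSL)),  # TLS, external
    ("10.20.1.17", "10.20.5.5", 3306, build_client_packet(BASE_CAPS)),                  # cleartext, internal
    ("10.20.1.18", "203.0.113.41", 443, b"\x16\x03\x01"),                               # not MySQL at all
]

if __name__ == "__main__":
    print(cleartext_mysql_to_external(SAMPLE_RECORDS, ["10.0.0.0/8"]))
```

Only the first record is reported: the second negotiates TLS on the same port, the third stays inside the corporate range and the fourth is not MySQL. The detection is a stopgap; the fix is on the database side, where `require_secure_transport=ON` (MySQL 5.7.8 and later) makes the server refuse cleartext clients, paired with `--ssl-mode=VERIFY_IDENTITY` on the clients so that a man-in-the-middle cannot downgrade or impersonate the server. Note that the common client default, PREFERRED, falls back to cleartext silently when the server does not offer TLS, which is exactly how an exposure like the one above goes unnoticed.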
To lower risk and identify atypical or suspicious behaviour, full visibility of all cloud services is critical: hosting data on external servers can create dangerous blind spots and introduce subtle threats that circumvent traditional signature-based tools.