Systemic Security Weaknesses in The Cloud


IT sprawl has always made security a challenge in the datacenter. This challenge has grown significantly with the addition of Cloud, even more so for hybrid-IT environments that span On-Premise and Cloud. We can point to at least two widespread phenomena that expose IT environments to breaches and hacks. First, the legacy security tools that worked quite well in the On-Premise datacenter now lag the security vulnerabilities created by the new cloud-based environments. Second, the multi-location cloud-based stack has further blurred the line of responsibility for security.

While there are other more specific security issues, such systemic weaknesses are making it easier for hackers to disrupt the forward progress with Cloud. Breaches at Equifax, Facebook and Capital One are some of the more visible examples where hackers exploited such systemic weaknesses. That is, most security breaches to date have not been due to technical weaknesses in the security components of the cloud-based IT stack, but due to the systemic weaknesses.

Adoption lag of advanced security solutions is a well-known issue. IT leaders in many companies will tell you that they are not even measured on security metrics. Instead, they are measured and rewarded on other metrics like availability and cost reduction. Such metrics naturally flow down from their business leaders, who are more worried about application downtime than about applying a critical security patch that calls for downtime. C-level execs are also measured and rewarded on non-security metrics, UNTIL a breach occurs. Cloud’s inherent multi-vendor stack extends this adoption lag. Various vendors in the cloud stack continuously release their security patches, and IT leaders find it hard to keep up. It is also not clear to IT leaders how these patches work together or impact the applications. This adoption lag has become a systemic weakness made worse by Cloud. So, while the hackers invent new hacks, their existing hacks and viruses keep exploiting cloud-based companies that have this adoption lag.

Lack of clear responsibility is also a serious issue. There is more room for miscommunication in the cloud stack. As the recent breaches have shown, the cloud vendor had already released a patch for the known hack. The customer had the responsibility to apply this patch but did not realize it or was late to apply it. Many customers are unclear about their responsibilities in the cloud-based IT stack. Meanwhile, known viruses keep working despite being in the crosshairs, because the finger on the trigger isn’t that of the person looking through the crosshairs. The increasingly complex responsibility matrix in the cloud-based stack is responsible for this weakness.

Such systemic weaknesses require equally systemic, standards-based security frameworks for the cloud stack. Easier said than done. The Shared Responsibility Model is helping add some clarity by assigning responsibility “of” the cloud to the Platform provider, and the responsibility “in” the cloud to the Customer. After hearing the Platform providers claim for many years that cloud is more secure than the datacenter, customers may find it quite discouraging to read 3rd party reports (Gartner) suggesting that the ultimate responsibility for security lies with the data owner, the Customer! Meanwhile, Autonomous DB and OS, for instance, are removing the adoption lag by applying security patches as soon as they become available. Too many versions of hardware and software also contribute to the problem by obscuring the lines of responsibility. The IT stack ought to be as homogeneous and standardized as possible to simplify the responsibility matrix. This is costly, but may be well worth the investment when weighed against the risk of a breach.

There are many other weaknesses besides these two, adoption lag and unclear responsibility. Facebook, for instance, cited poorly secured APIs as the point of entry for hackers behind the massive data breach in 2018. APIs are inherent to cloud-based architecture, so many other companies are exposed to this structural weakness. The rapidly evolving cloud stack requires a collaborative approach towards security with clear lines of responsibility, understood and agreed by the participants.

Plenty of data is available now to quantify the security risks of IT investments, including that of the do-nothing option. Quantification of risk can add further clarity in purchasing decisions.

Security isn’t cheap, but may be cost-effective compared to reputation loss due to a breach!

