By 2025, it is predicted that worldwide data will grow to 175 zettabytes (ZB), with 49% of data residing in the public Cloud, according to IDC. Of this, 90 ZB of data will be created on IoT devices. It is irrefutable that the Cloud brings huge benefits such as greater agility, efficiency, and accessibility to organisations as they embark on their digital transformation journeys. Embracing the Cloud is no longer an option for most organisations if they want to remain competitive and stay ahead of the game.
But all new technologies come with new risks, and Cloud is not spared. Across all Cloud technologies—from Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) to Software-as-a-Service (SaaS)—organisations can expect an enlarged digital attack surface. It is where cyber threat actors can now leverage new pathways and means to conduct their malicious activities and compromise systems. Two of the foremost risks that organisations must grapple with are cyber supply chain and API-related threats. With Cloud, threat actors evolve their Tactics, Techniques and Procedures to conduct their activities upstream, embedding malicious code in the software or hardware developed by manufacturers and vendors. This poses challenges to many organisations. Such code arrives through ‘trusted sources’ and, without the right processes and means for detecting it, will likely remain hidden. This can ultimately open a backdoor for hackers to exploit and conduct their ransomware or data exfiltration activities.
As organisations embark on their Cloud journey, they need to understand the unique attributes of the Cloud that are absent from traditional on-premise environments.
In a traditional on-premise environment, ownership of data, management, monitoring, and regulatory compliance mainly lie within the organisation. This has given organisations greater control over their cybersecurity posture. But this has changed with Cloud. Referencing the CISA Cloud Security Technical Reference Architecture v2.0, responsibilities differ for different types of Cloud service models, i.e., IaaS, PaaS, and SaaS.
Figure 1: Responsibilities for different service models [1]
Although this makes management more complex, it also means that organisations can now place more trust and ownership on vendors and service providers to fulfil certain requirements.
This brings the next point on cyber risk: Measuring and managing cyber risk now needs to go beyond the organisation. The Cloud vendors and service providers have to be considered as part of the organisation’s larger digital attack surface as a compromise or breach in their systems can lead to a downstream impact. Organisations should clearly define service level agreements and contracts, to have a common consensus with service providers on the shared responsibility of the Cloud systems that are going to be deployed.
One common pitfall of workload migration is having a ‘lift and shift’ mindset, where applications and cybersecurity controls are moved from the on-premise environment to the Cloud without considering a redesign of the workflow. Organisations have to understand that each cloud-native environment has a unique structure, vastly different from a traditional on-premise structure. This requires cybersecurity teams to be familiar with each specific environment and configure it to protect data from policy-violating behaviours. Moreover, with the Cloud, IT teams now have the flexibility to spin up new databases more frequently. An automated process must therefore be developed to monitor these new databases and detect any anomalous behaviours.
The strategy of building ‘high walls’ and limiting entry points on the perimeter layer is another mindset that must change. This does not work in today’s day and age. As organisations adopt Cloud technologies, crown jewels such as sensitive data can be anywhere in the Cloud. Furthermore, COVID-19 has resulted in a predominantly work-from-home culture, further blurring the lines between trusted and untrusted boundaries. It is from this blurring of lines that Zero-Trust has become necessary in a digitally connected enterprise. Zero-Trust is more than a conversation on technology; it is a strategy.
Ensign adopts a phased approach, aligned to the NIST Cybersecurity Framework of Identify, Protect, Detect, Respond and Recover, to help organisations implement Zero-Trust. We do this by first categorising and selecting key resources, and then helping them understand their communication flows and the protocols and ports they use. We also look at the permissions of the users and roles, to minimise the application-level permissions they have to the resource. Figure 2 shows Ensign’s approach to helping organisations implement Zero-Trust in their environments.
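As an added illustration of the approach described above (this is not Ensign’s own tooling; the resource names, observed flows and permission sets are constructed), the following Python sketch derives a default-deny allow-list from observed communication flows and lists the role permissions that were granted but never exercised:

```python
from collections import defaultdict

# Constructed sample: flows observed between categorised resources.
# Each tuple is (source, destination, protocol, port).
OBSERVED_FLOWS = [
    ("web-tier", "app-tier", "tcp", 8443),
    ("app-tier", "customer-db", "tcp", 5432),
    ("app-tier", "customer-db", "tcp", 5432),
    ("batch-job", "customer-db", "tcp", 5432),
]

# Constructed sample: permissions granted to each role versus those
# actually exercised against the resource during the observation window.
GRANTED = {
    "app-role":   {"db:read", "db:write", "db:admin"},
    "batch-role": {"db:read", "db:write", "db:export"},
}
USED = {
    "app-role":   {"db:read", "db:write"},
    "batch-role": {"db:read"},
}


def build_allow_list(flows):
    """Default-deny policy: allow exactly the (src, dst, proto, port)
    combinations that were observed, nothing broader."""
    return frozenset(flows)


def is_allowed(policy, src, dst, proto, port):
    """Zero-Trust evaluation: a flow is permitted only if it is on the
    allow-list, regardless of whether src sits 'inside' the perimeter."""
    return (src, dst, proto, port) in policy


def excess_permissions(granted, used):
    """Permissions each role holds but never used: candidates to revoke."""
    return {role: sorted(perms - used.get(role, set()))
            for role, perms in granted.items()}


def policy_summary(policy):
    """Group allowed protocol/port pairs per (src, dst) for the segmentation review."""
    summary = defaultdict(set)
    for src, dst, proto, port in policy:
        summary[(src, dst)].add(f"{proto}/{port}")
    return {pair: sorted(ports) for pair, ports in summary.items()}


if __name__ == "__main__":
    policy = build_allow_list(OBSERVED_FLOWS)
    print(policy_summary(policy))
    print(is_allowed(policy, "web-tier", "customer-db", "tcp", 5432))  # False
    print(excess_permissions(GRANTED, USED))
```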
There are many more tools and frameworks available now compared to 5 years ago. This has made development work much more automated and streamlined. For example, the SG Tech Stack and Central Platforms such as Infrastructure-as-Code (SIaC), CloudSCAPE, shiphats, etc., are readily available resources for public use. These can help guide agencies and organisations to adopt best practices for executing their digital or Cloud-based projects securely.
Cloud will not be fully optimised without the use of Machine Learning (ML) and Artificial Intelligence (AI) for Threat Detection in Cloud Security operations. Using AI/ML in the Ensign Security Operations Centre (EnSOC)—and integrating it with automation tools such as a Security Orchestration, Automation and Response (SOAR) Platform—provides us with the ability to detect and respond to advanced threats faster. Resources, once catered to perform manual operations, can now be diverted to higher-valued tasks such as threat hunting and incident response.
At Ensign, we drive Cyber AI across 3 main areas for greater efficacy of threat detection and response in our Security Operations Centre (SOC). These are (i) Cyber AI Infrastructure, (ii) Data Science, and (iii) Machine Learning Operations.
[1] Cloud Security Technical Reference Architecture (June 2022), Cybersecurity and Infrastructure Security Agency, United States Digital Service, and Federal Risk and Authorization Management Program. Retrieved from: https://www.cisa.gov/sites/default/files/publications/Cloud%20Security%20Technical%20Reference%20Architecture.pdf