APRA CPS 234 readiness in the cloud

By Denny Wan and Ian Yip

Synopsis

A cloud service delivery model has been proven to provide material operational cost savings and improve infrastructure agility spanning geopolitical boundaries and time zones. All levels of the Australian government have facilitated the transition by issuing policy guidelines on the type of workloads permitted to run on cloud infrastructure.

In response, some cloud services providers (CSPs), such as AWS and Microsoft Azure, have partitioned their infrastructure to create dedicated certified hosting environments for protected workloads. They have also published guidelines, such as “Aligning to the NIST Cybersecurity Framework in the AWS Cloud”[1] and “Microsoft and CCSL,”[2] to assist with managing the compliance process by leveraging native security controls in their cloud service platforms.

Infrastructure alone cannot deliver security and compliance regardless of the comprehensiveness and sophistication of available tools. The guidance highlights the structural split in management responsibilities between regulated entities and CSPs; it is the responsibility of the regulated entities and their suppliers to focus their cybersecurity investments appropriately. Their effort should be commensurate with the information assets they are entrusted to protect on behalf of their customers and shareholders.

In the Australian context, the Prudential Standard CPS 234 compels the board of these organisations to prioritise Information Security Management System (ISMS) controls, and by association, cyber risk management, as part of their regulatory obligations, which naturally extends to the cloud in most cases. The use of a solution such as a Cloud Access Security Broker (CASB) is an often-used method to extend security control and visibility outside of a traditional corporate network, and across Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS) cloud environments.

Cybersecurity is a business problem under CPS 234

In November 2018, the Australian Prudential Regulation Authority (APRA) released Prudential Standard CPS 234, making the board of regulated entities accountable for ensuring the adequacy and sustainability of their information security program. This interpretation is echoed by several commentators including EY[3], Minter Ellison[4] and Deloitte[5].

APRA’s position was made clear in its response to the submissions on the draft CPS 234[6], which states the intention to make boards accountable for information security. It clearly follows that information security is a business problem, not just an IT challenge. The article “APRA CPS 234: Will you comply?” explores some of these business challenges. A reasonable interpretation of APRA’s response is that the board is responsible for interpreting the materiality of information risk and the adequacy of the controls.

The board’s need for cloud security visibility

One of the famous quotes attributed to Sun Tzu is “know your enemies and know yourself”[7]. This wasn’t easy to do in the 6th century BC and it isn’t getting any easier today. In fact, it is getting harder, particularly in a cloud-enabled environment, due to limited physical separation and limited end-to-end visibility of cloud infrastructures.

As part of their offering, CSPs generally take responsibility for the security of the underlying application and its infrastructure. In other words, the provider protects against intrusions and attacks against their systems. CSPs also take responsibility for protecting their products from fraud and abuse and respond to incidents by notifying customers. However, securing the usage and data in the service is the customer’s responsibility, including how the service is used, who has access to data, and who is sharing what with whom.

This model, known as the shared responsibility model, is employed by almost every large CSP, including Microsoft and Amazon. Simply put, they take care of securing their core application against intrusion and leave it to the customer to make sure the cloud service is being used in a secure and compliant manner. Threats arising from insider activity or negligent employees are the customer’s responsibility. However, most organisations lack visibility and control over their employees’ use of cloud services and therefore are not currently able to fulfil their responsibilities under this model.

Evaluating user activities beyond an initial login, to include user movement across cloud services and the context in which that movement occurs, allows a solution to protect corporate data across cloud systems. While several failed login attempts within a single cloud service, as an example, might not be cause for concern, if a user is suddenly triggering failed logins across multiple cloud services, it could be a sign of a real threat. Another example could be when a user downloads a large report from a cloud application and subsequently uploads it to an unsanctioned file sharing service. Detecting this activity as a potential threat can only be done with a comprehensive cloud security platform.
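As an added illustration of the two cross-service correlations described above (this is example code written for this page, not code from the article or from any CASB product), the following script runs both checks over a handful of constructed activity events; the service names, sanctioned-service list, thresholds and time windows are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape of a CASB activity feed (not real data):
# (timestamp, user, action, service, filename)
SAMPLE_EVENTS = [
    ("2019-05-01T09:00:05", "alice", "login_failed", "crm-saas", ""),
    ("2019-05-01T09:00:40", "alice", "login_failed", "hr-saas", ""),
    ("2019-05-01T09:01:10", "alice", "login_failed", "storage-saas", ""),
    ("2019-05-01T10:15:00", "bob", "download", "crm-saas", "q1-customer-report.xlsx"),
    ("2019-05-01T10:22:00", "bob", "upload", "personal-share", "q1-customer-report.xlsx"),
    ("2019-05-01T11:00:00", "carol", "login_failed", "crm-saas", ""),
    ("2019-05-01T11:00:30", "carol", "login_failed", "crm-saas", ""),
]

# Assumed list of services the organisation has sanctioned; anything else is "shadow IT".
SANCTIONED = {"crm-saas", "hr-saas", "storage-saas"}


def parse(events):
    """Turn the raw tuples into (datetime, user, action, service, filename)."""
    return [(datetime.fromisoformat(t), u, a, s, f) for t, u, a, s, f in events]


def cross_service_login_failures(events, window=timedelta(minutes=5), min_services=3):
    """Flag users whose failed logins touch >= min_services distinct services within window.
    Repeated failures against a single service (carol) are deliberately not flagged."""
    per_user = defaultdict(list)
    for ts, user, action, service, _ in events:
        if action == "login_failed":
            per_user[user].append((ts, service))
    flagged = set()
    for user, fails in per_user.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            services = {svc for ts, svc in fails[i:] if ts - start <= window}
            if len(services) >= min_services:
                flagged.add(user)
                break
    return sorted(flagged)


def download_then_unsanctioned_upload(events, sanctioned, window=timedelta(minutes=30)):
    """Flag (user, file, service) where a file downloaded from a sanctioned service is
    uploaded by the same user to an unsanctioned service within window."""
    downloads = [(ts, u, f) for ts, u, a, s, f in events if a == "download" and s in sanctioned]
    hits = []
    for ts, user, action, service, fname in events:
        if action != "upload" or service in sanctioned:
            continue
        for dts, duser, dfile in downloads:
            if duser == user and dfile == fname and timedelta(0) <= ts - dts <= window:
                hits.append((user, fname, service))
    return hits
```

Either check on its own produces noise (a single failed login, a single download); it is the correlation across services, which only a platform with visibility over all of them can perform, that turns the events into a signal.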

Under CPS 234, the board must be satisfied that the organisation not only has sufficient visibility into the risks, threats, and activities that span devices, networks, and core cloud services, but across the multitude of cloud services that most organisations inevitably onboard and consume over time.

How a cloud security platform translates visibility into readiness

The top cloud risks boards must typically be aware of include data loss, insufficient identity, credential and access management, account hijacking, malicious insiders, abuse of cloud resources, nefarious use of cloud services, denial of service attacks, insecure interfaces and Application Programming Interfaces (APIs), insufficient due diligence when migrating to, or making use of a cloud service, and system/shared technology vulnerabilities.

Today, a cloud security platform is typically implemented using a Cloud Access Security Broker (CASB). The visibility provided by a CASB to address the risks mentioned above should at the very least include:

· The ability to enforce data protection policies across devices, network and cloud;

· Preventing the unauthorised sharing of data with the wrong people;

· Controlling the synchronisation and/or download of corporate data to personal devices;

· Detecting compromised accounts, insider threats, and malware;

· Encrypting cloud data with keys that only the organisation can access;

· Auditing and tightening the security settings of cloud services; and,

· Understanding cloud services in use and their associated risk profiles.

Another dimension to consider is the emerging trend of cloud providers “bringing the cloud to you” through initiatives such as AWS Outposts and Azure Stack. It is a somewhat ironic concept because the typical core value propositions of cloud services are scalability and geo-redundancy. A reverse cloud philosophy would appear to go against these advantages.

Of late, there has been additional focus on workload management using constructs such as container orchestration using Kubernetes, independent of the underlying infrastructure design. But this also opens up a new frontier in the battle against shadow IT.

Above all else, a cloud security platform must be frictionless. It must be an enabler for the business, managing cyber risks in an agile manner without getting in the way of doing business. Ultimately, what the board wants is the ability to drive the business forward as swiftly as possible while maintaining adequate visibility to manage risk.

Authors

Denny Wan is the principal consultant of Security Express and a postgraduate researcher at the Optus Macquarie University Cyber Security Hub. He has deep expertise in cyber risk quantification. His research focuses on applying cyber insurance concepts to supply chain risk management. He is the chair of the Sydney Chapter of the FAIR Institute.

Ian Yip is the Asia-Pacific Chief Technology Officer at McAfee. He has held a variety of Cyber Security leadership, advisory, strategy, sales, marketing, product management, and technical roles across Asia Pacific and Europe in some of the world’s leading companies including McAfee, Ernst & Young, and IBM.

[1] https://aws.amazon.com/blogs/security/updated-whitepaper-now-available-aligning-to-the-nist-cybersecurity-framework-in-the-aws-cloud/

[2] https://www.microsoft.com/en-us/trustcenter/compliance/ccsl

[3] https://www.ey.com/Publication/vwLUAssets/ey-CPS-234/$FILE/ey-CPS-234.pdf

[4] https://www.minterellison.com/articles/apra-prudential-standard-cps-234-information-security-has-been-released

[5] https://www2.deloitte.com/au/en/pages/risk/articles/apra-cps-234.html#

[6] https://www.apra.gov.au/sites/default/files/response_to_submissions_-_information_security_cross-industry_prudential_standard.pdf

[7] https://en.wikiquote.org/wiki/Sun_Tzu

Find the original article here: https://www.linkedin.com/pulse/apra-cps-234-readiness-cloud-denny-wan/