The following is a guest blog from Ann Arbor-based Duo Security‘s Security Evangelist, Mark Stanislav:
A recent article from Forbes titled, “Is Your Investment In Security Really Worth It?”, called into question whether or not the money spent for information security was having impactful returns for the investments being made. Kindly enough, the author reached out to various information security vendors for their rebuttals to this unflattering portrayal of security vendors as taking more than they were contributing back to their clients. One of the responses was from the CTO of Qualys who aptly noted, “Perimeter defenses (“hard shell, soft center”) and signature-based malware programs have lost much of their effectiveness over the last few years.”
This thought of course isn’t revolutionary for anyone who’s invested time and resources into cloud computing or mobile devices during the past decade. With a changing threat landscape that no longer has single-vendor networking stacks or applications from a handful of software companies, the effort to provide adequate security is becoming increasingly challenging. The question then becomes, where should you spend your money for a high return on security investment?
It was determined through a survey by IDG that, “42% of cloud-based projects are eventually brought back in-house,” with security concerns being the reason in 65% of cases. This is a concerning statistic for both cloud providers and security vendors. This retreat of cloud computing resources may be due in large part for organizations moving too quickly to cloud offerings without having a strategy behind security.
As Forrester points out in, “Defend Your Data From Mutating Threats With A Zero Trust Network,” the challenges of computing without rigid perimeters is not yet native to many organization’s mindsets, leading to a failure to handle cloud security properly. “Security professionals still place most network security controls at the perimeter (typically in a haphazard manner). But the traditional perimeter is no more.” Without an adjustment to information security process, organizations will continue to pullback from cloud initiatives when they realize that their traditional security decisions won’t scale to this dynamic and flexible landscape. For those moving to the cloud, this reassessment of security decisions will likely look towards which controls work best in a mixed-environment context.
For many organizations, a firewall and Intrusion Detection Systems (IDS) are staples of infrastructure security. Because network perimeters were both clearly defined and well managed, teams could rely on simply network controls to secure many assets for an organization. If, for example, I wanted to login to a payroll application for a corporation 15 years ago, I’d likely have to be at the office or connected via Virtual Private Network (VPN). Today, I may only have to visit a public web site and login directly. This reduction in network control allows attackers to leverage stolen credentials easier than ever to get to the real prizes of an organization: their data.
For most services in the cloud, whether software, platform, or infrastructure, a key to their functionality is authentication. Whether your team uses a customer relationship management (CRM) system, cloud server instances, or an application platform, each of these technologies will still ask you to login to access your resources. The benefit here is that security can be added to the authentication layer to reduce the risks associated with password-only security on the public Internet. As an Intel report pointed out about cloud computing, “the number-one concern of IT professionals is a lack of controls to enable them to effectively limit access to data and services to authorized users.” Because authentication is ubiquitous, it represents a realistic point of unified security that can provide actual benefit to organizational security and scale across providers, if handled appropriately.
Most commonly this security enhancement would be added through a form of two-factor authentication, such as leveraging a user’s cell phone and a mobile application to authenticate the user beyond a simple password. In the common case that someone’s password were to be stolen online, the attacker would still have no access to that person’s cell phone, rendering any potential use of stolen credentials moot. Additionally, because authentication is a regular step for any end-user, the organization’s employees won’t likely be inconvenienced by this addition of strong authentication.
MANDIANT stated in a recent report that in 100% of cases they responded to in 2011 an attacker used valid credentials. This means that during a breach, an attacker at some point will stop using exploits or other attacks and simply steal and utilize an employee’s credentials to gain further access. With the presence of two-factor authentication, this path for an attacker would be severely hindered. Considering that Verizon found in their 2012 data breach report that passwords were the second most common piece of stolen data from a breach after financial information, the reality of stolen credentials being used against a company is a very real possibility.
Moving resources to cloud providers can be a challenge for organizations, even before considering the security hurdles that must be faced. Having the organizational foresight to determine which security technologies will scale to cloud resources (and in-house) can be a huge benefit for all parties involved. By remembering to consider the lack of well-defined perimeters and network control, teams won’t make false starts to their cloud initiative. When attention is given to investing in security that scales and applies to many scenarios, organizations will be more capable than ever to benefit from the agile new technologies available to us.
Mark Stanislav, Security Evangelist, Duo Security
Mark Stanislav is the Security Evangelist for Duo Security, an Ann Arbor-based startup focused on two-factor authentication and mobile security. With a career spanning over a decade, Mark has worked within small business, academia, startup, and corporate environments, primarily focused on Linux architecture, information security, and web application development.
Mark earned his Bachelor of Science Degree in Networking & IT Administration and his Master of Science Degree in Technology Studies, focused on Information Assurance, both from Eastern Michigan University. Mark also holds his CISSP, Security+, Linux+, and CCSK certifications.
Mark recently partnered with Online Tech for two recorded webinars, Encryption at the Software Level: Linux and Windows; and Encryption at the Hardware and Storage Level.