Several high-profile cloud breaches have surfaced in recent weeks. The latest involves pharmaceutical giant Pfizer, which suffered a significant breach of unsecured cloud data.

According to Security Boulevard:

The exposed data, including email addresses, home addresses, full names, and other HIPAA related information, was found on a misconfigured Google Cloud storage bucket. It is believed that highly confidential medical information came from automated customer support software stored in the Google database. It is unclear how long this data had been stored or who had access to this information. 

The Pfizer breach comes on the heels of other marquee names that have suffered cloud security issues. Companies are liberally using the public cloud as their data storage repository, but the cloud is a complex ecosystem that belies its ease of use, and that means MSPs must be on guard.

Cloud security has shown great promise for businesses, but like all good things in cybersecurity, hackers have found vulnerabilities to exploit. Smarter MSP caught up with Grand Canyon University professor Khester Kendrick to discuss proactive steps in tackling cloud security issues.

“A proactive approach is an idea or concept of setting up measures to see what attackers are doing and gathering intelligence that directly reflects the newest and greatest things,” Kendrick says. Some of the measures Kendrick recommends:

Good reconnaissance

Kendrick explains that there is value in monitoring the dark web and social media like Twitter to find out what is “in” among hackers.

“Hackers like to talk geek on forums and other venues to get insights into what other people are doing. This social interaction means you should have a team that is constantly exploring what’s going on in those websites,” Kendrick says. “You need to look to see what people are talking about. Are they showing code?” You’d think that hackers would be more discreet, but Kendrick says this often is not the case.

“You would be amazed at what people are sharing, so a mining of this platform is crucial to threat intelligence,” Kendrick adds.

And there’s nothing like a useful honeypot to flush out the bad guys:

“Organizations should set up a honeypot or honeynet to see what attackers are doing in real-time,” Kendrick advises. In the honeypots, one can sift out the amateurish script and see what the organized hackers are doing and how they are maneuvering in the network.

“The trick of a honeypot or honeynet is to fool the attacker into thinking they are in a real network with valuable data they can sell. The more realistic the network, the better for us as defenders to analyze and create defensive strategies,” Kendrick notes.

Talk to one another

Kendrick says forging relationships is an effective way to head off attacks even if it means exposing that your organization has been hacked.

“Organizations and companies don’t like to say ‘we’ve been hacked’ and cloud services are the same way. It’s terrible for reputation and bad for business. However, we are all in this together regardless of our competitive nature,” Kendrick explains. MSPs should talk to other MSPs.

“It’s important for us to communicate and share what we find, and that means openly telling others (researchers, competitors, security organizations) what we find so that honest businesses can be prepared for these security threats,” Kendrick says, adding that it’s critical that companies ensure they have an open communication pipeline with other organizations.

Monitoring the shared responsibility model

The cloud operates on a shared responsibility model that can cause cloud companies to wash their hands of breaches, meaning it is incumbent upon other stakeholders – like the MSP – to step up the security.

“Shared responsibility is mostly a legal separation than anything else, and to be quite honest, I don’t blame cloud providers for taking this stance. It’s a legal nightmare if they don’t,” Kendrick points out.

Amazon Web Services (AWS), one of the largest security companies, describes its shared model this way:

Security and Compliance is a shared responsibility between AWS and the customer. This shared model can help relieve the customer’s operational burden as AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates. The customer assumes the responsibility and management of the guest operating system.

Kendrick says that cloud security becomes a cost vs. reward calculation for many businesses. He adds that most companies aren’t running state-of-the-art research and development on a cloud server, and instead are running simplistic data and personal information. The data is encrypted and protected, and if a hacker breaches it, the breach, while troublesome, usually isn’t a life-or-death situation.

“If you have that type of information, you are not connecting it online, you’re throwing it behind an air-gapped system and ensuring physical security controls are in place to ensure no one ever gets a hold of it,” Kendrick says. So it comes down to how much risk a business wants to incur while on the cloud.

It’s up to a business to decide if the risk is worth the cost savings by continually reevaluating the technology and provider.

Still, Kendrick advises, it is in the best interest of cloud security providers to protect their systems. If there is a breach, it is terrible for business and reputation. But cloud providers don’t want the risk either, so they put it in the consumer’s hands.

“It is like renting a storage unit,” he adds. “They provide some basic rules about storing livestock and food, tell you not to live in there, but they don’t go around checking your boxes as you bring them in, and they don’t go inspecting your storage unit. That would be an invasion of privacy and it’s the same concept for a cloud provider.”

MSPs shouldn’t assume that cloud providers are providing all the security. Instead, they should implement a proactive, forward-thinking approach which can save a lot of headaches farther down the road.
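As an added illustration (not from the article, Kendrick, or any cloud provider), here is one customer-side check the shared responsibility model leaves to the MSP: scanning Google Cloud Storage bucket IAM policies for grants to the public principals `allUsers` and `allAuthenticatedUsers`, one common form of bucket misconfiguration. The bucket names and policies are constructed sample data, and the read/write split is a simplifying assumption.

```python
import json

# Principals that open a Google Cloud IAM binding to the public.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
# Cloud Storage roles that only read; any other public role is treated as write.
READ_ONLY_ROLES = {"roles/storage.objectViewer",
                   "roles/storage.legacyObjectReader",
                   "roles/storage.legacyBucketReader"}

# Constructed sample data: hypothetical bucket names mapped to IAM policies
# in the JSON shape Cloud Storage returns for a bucket's IAM policy.
SAMPLE_POLICIES = json.loads("""
{
  "support-transcripts-example": {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:admin@example.com"]}]},
  "internal-backups-example": {"bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:backup@example-project.iam.gserviceaccount.com"]}]},
  "partner-share-example": {"bindings": [
    {"role": "roles/storage.objectAdmin",
     "members": ["group:partners@example.com", "allAuthenticatedUsers"]}]},
  "empty-policy-example": {"etag": "CAE="}
}
""")

def public_bindings(policy):
    """Return (role, member, exposure) for every public grant in one policy."""
    findings = []
    for binding in policy.get("bindings", []):  # a policy may have no bindings
        role = binding.get("role", "")
        exposure = "public-read" if role in READ_ONLY_ROLES else "public-write"
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings.append((role, member, exposure))
    return findings

def audit(policies):
    """Map each bucket that has at least one public grant to its findings."""
    report = {}
    for bucket in sorted(policies):
        hits = public_bindings(policies[bucket])
        if hits:
            report[bucket] = hits
    return report

if __name__ == "__main__":
    for bucket, hits in audit(SAMPLE_POLICIES).items():
        for role, member, exposure in hits:
            print(f"{bucket}: {member} holds {role} ({exposure})")
```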

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.