Dude, where’s my (cloud) firewall?

I have always claimed that the tech side of cloud security is not about the trust you have in a cloud provider, but rather about building appropriate security controls ACKNOWLEDGING the fact that your data is in the cloud and knowing quite well that your legacy controls may not apply to the cloud easily.

Let’s consider some recent examples of the public cloud security “architecture” on the wall-of-shame:

Example #1: exposing my ad to the internet seemed like a good idea at the time…

It seems popular to expose your (weak) authentication process to the Internet, where it can be either brute-forced or accessible from anywhere using stolen credentials. Even ADFS needed to mature to 3.0 to address basic brute-forcing DoS, and its fix is NOT enabled by default.

Example #2: bugs? what bugs?

Despite knowing the history of software security, people assume that the cloud fabric is faultless. For example, that it would not allow anyone to access your resources without authentication, right? Even your fancy two-factor-authentication (2FA) will not save you here.

Example #3: there’s a party in my cloud and everyone’s invited

Catastrophic user errors are still the norm. Using a bit of old-fashioned Google hacking of Office 365, researchers have found publicly-shared sensitive information using search engines, all shared by user error, and all shared by using the service’s default sharing policy of “public”.

Every single one of these would not be critical, if these services were behind your on-prem firewall.

Now, in the world of SaaS, we do not have the luxury of installing our network security controls at the provider. We typically have to provide alternative solutions to address these and similar threats. For example, allowing federated authentication only from authorized endpoints, using MFA to address the credentials’ strength, or using automated and near real-time audit tools that spot sharing ACL issues. However, the list does not include rushing head-on into the cloud, believing that the provider will provide all the security magic for you.

Be smart about your cloud security. Put on some extra layers to stay warm.