Nicolas Engel

Idea(ls) on cybersecurity

Is the cloud the best bulwark against cyberattacks?

Talking about the cyber threat, whether in companies or with individuals, is too often a challenge because of its intangible nature, which makes it difficult to perceive for a neophyte. Cyberattacks such as ransomware or other phishing are real for everyone, but the ways to protect yourself from them often remain obscure. A pragmatic approach consists in categorizing the surfaces of exposure, which favor the implementation of these threats.

The cloud comes to upset all of these subjects both from the point of view of the cyber attacker and for those who try to protect from it.

An architecture designed around internal uses

In the early 2000s, the norm for IT departments that had the means to do so, was to concentrate their core business in their own server room in order to control the architecture and operating costs. To understand the impacts, it is necessary to recall a few elements of context.

Digitization initiated a revolution in uses with the advent of Google solutions and the democratization of social networks such as Facebook or Linkedin. However, professional IT remained centered around large ERPs such as SAP and inter-application exchanges remained essentially within the company’s network.

Guaranteeing operational continuity by making the information system more reliable prevailed over a cyber threat, which was less significant than today. Business continuity and disaster recovery plans were therefore essentially focused on internal infrastructures. Cybersecurity focused on external threats, particularly with the new uses of web 2.0. CIOs were convinced of controlling their security within their network via security measures such as:

These few measures, far from constituting a comprehensive panel, are nevertheless representative of the securing of an internal perimeter by CIOs. The use of the cloud has reshuffled these cards to a great extent.

Digital transformation as a openness factor

The opening of information system to the outside took place under the pressure of digital transformation. Whether web portals (allowing content sharing or eCommerce) or the rise of CRMs such as Salesforce have led to the design of exchange gateways between the company’s internal network and these external services. Now the DMZs, although still necessary, are no longer sufficient to meet the needs. APIs manager have taken over to expose and consume more application flows, which are more functionally complex and require more granular security measures (with roles and usage profiles in particular).

At the same time with this hybridization of exchanges between internal and external solutions, data has become one of a company’s key assets. Quite naturally, cyber attacks have followed this trend by becoming more complex and encrypting this asset via ransomware.

Interestingly, ransomware has forced CIOs to adapt. Network modernization projects to prevent risks (for example by micro-segmenting inter-application flows) turn out to be less costly than completely rebuilding a data center in the cloud following a damageful attack.

However, the trend remains the same. Applications are migrating to the cloud and with them, security issues. EDRs must adapt to the proliferation of associated technical architectures, thus reducing the effectiveness of their protection.

The cloud, a new paradigm for cybersecurity

Behind this vague definition of application cloud hides an amalgamation of several concepts that need to be clarified.

The reality of the cloud is therefore protean but its common point is to have industrialized the deployment of the required instances (whether it is a container hosting a virtual machine, an application server or directly a ready-to-use service) via what is called infrastructure as a code.

The infrastructure as a code allows via a tool such as Terraform to instantiate virtual machines or clusters of servers almost instantly. Ansible then takes over to configure the instance by deploying, for example, a ready-to-use server configuration.

Therefore, when a security incident occurs, it becomes easier to replace the compromised instance with a new secure instance, rather than patching the existing one that is compromised. The unavailability period for end users is thus shortened.

Towards anticipatory security

The paradigm shift between a locally administered data center and instances in the cloud is redefining the way to secure an information system.

The presence of infrastructure as a code makes technical audits easier to automate. The concept of “Cloud Security Posture Management” (CSPM) clearly describes the importance for a cloud to secure itself by systematically updating its components and libraries, avoiding disproportionately exposing network interfaces, finely managing user roles and permissions or avoiding leaving unencrypted passwords in the code.

Sample CSPM Dashboard

Can we therefore consider that the “traditional” approach to securing servers has been swept away by the cloud ? Nothing is less certain.

Admittedly, the ability to easily audit the instances that make up an application cloud is appealing. In particular, it makes it possible to have a readable dashboard and therefore a seller with IT decision-makers. Which security manager has never dreamed of having the attack paths on his IS automatically correlated to his vulnerabilities as the solution below allows?

Attack path modeled by the solution

Beyond these more or less healthy aspirations, this type of solution is not intended to replace the traditional threat remediation services offered by classic EDRs. However, they greatly improve the cloud monitoring, which due to their ease of creation, do not encourage good cyber practices. How many times has a server instance been created in the cloud for a one-time prototyping need without being destroyed afterwards ? This very widespread drift is in particular at the origin of the business of “finops” which aim to rationalize the use of instances in the cloud and therefore to manage their costs.

In summary

There would still be many things to say about cybersecurity in the cloud. The challenge here is less to be exhaustive than to understand the underlying mechanisms that govern cloud security. The infrastructure as a code has promoted the reproducibility of instances as well as its compliance with best practices. Rather than securing a compromised instance, the cloud favors replacing it with a new secure instance. This ease of creation through evermore intuitive processes should not, however, hide the other side of the coin. The instances created must be managed throughout their lifecycle to be modernized and adapt to changes in the IS. This is the main question that the concept of cloud security posture management answers. The costs engendered by the cloud require thinking about its uses upstream. However, the resilience it offers in terms of cybersecurity as well as business challenges make it an essential element of the information system of tomorrow.

Don’t judge me by my success, judge me by how many times I fell and got back up again.

Nelson Mandela

Leave a Reply

Your email address will not be published. Required fields are marked *