SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Pitfalls to avoid when configuring cloud firewalls
Mon, 10th Dec 2018
FYI, this story is more than a year old

Data breaches are giving cloud a bad reputation.

Simple configuration errors in cloud-based application deployments are still making a splash in the media – and they're not going away.

From the Target hack in 2013 to the World Wrestling Entertainment (WWE) and Verizon leaks in 2018, they are all based on misconfigurations.

These days, cybercriminals don't even bother with sophisticated hacks; instead simply looking for those simple errors to fulfil their goals.

If the industry does not get ahead of it, 2019 will be just as colourful.

Gartner predicts 95% of cloud security incidents will be the customer's fault by 2020.

The State of the Firewall Report 2018 uncovered the scale of the problem.

When it comes to managing firewalls in the cloud, security professionals are less likely to know who is responsible for cloud operations, with 33% of respondents saying they weren't sure who was responsible all.

This is how things spiral – if an on-premise environment isn't mirrored in the cloud, with the right controls, businesses could be subject to a world of pain.

Preparing for the year ahead

It is time companies consider their new year's cyber resolutions for 2019.

To do that, CIOs and CISOs need to be able to prioritise organisational and governance processes, without having to firefight all the time, getting distracted by cloud vendor challenges.

Knowledge is power when it comes to the cloud.

A deeper understanding of what the cloud provider affords the builder is essential if mistakes are to be avoided.

It's encouraging to see a provider like Amazon Web Services committing to adding security functionality and more prescriptive “best practice” blueprints for the less experienced cloud architects.

Flexibility and granularity of security controls are good but can still represent a risk for new cloud adopters that don't recognise some of the configuration pitfalls. 

Working with vendors is a collaboration, and both partners need to pull the necessary weight to make it work.

A cloud vendor isn't responsible for a business' security strategy.

This means a company's network operations team need to know all about the different offerings from cloud vendors - and when picking a cloud provider, advise the business on the implications of certain choices.

Prevention is about people and policy

When it comes to cloud security, consistency is key – cloud controls should mimic an on-premise security policy.

That way, security teams remain consistent and can easily enforce security policy in the cloud as well.

With a firewall, the controls in the cloud should mirror on-site firewall rules.

There are times when the person taking responsibility is someone who is familiar with a specific project, but not the business-wide security policy.

This can lead to unintentional configuration errors that allow inappropriate access through the firewall.

When hybrid and public clouds are introduced into a network, the principles of managing a firewall actually don't change, it's just in another place.

There are nuances that an organisation needs to think about though: whether the intention is to move an existing on-premise system into the cloud or create a whole new cloud deployment that doesn't have a home on-premise.

If the intention is to move an existing on-premise system, and the security controls in the new cloud implementation do not mimic those of the on-premise implementation, security teams are asking for trouble.

Thankfully, it can be solved easily, as it is often an operational issue.

As long as someone takes control of the cloud migration that knows the pre-existing security controls, and can mirror those same controls in the cloud, teams should be in the clear.

That's why sorting out ownership of cloud among the IT team is important.

This ownership is also key when creating new cloud deployments (those for which there is not a pre-existing on-premise system).

Developing the right security controls in this situation needs to involve all stakeholders across an organisation, simply to ensure a company strikes the right balance between business, operations and security.