New compliance requirements and penalties drive the pain level higher, says Pravin Kothari
Throughout 2017 and 2018 attackers have successfully breached a wide variety of cloud infrastructure and software-as-a-service (SaaS) applications. These events have shown that most advances in hardening the perimeters around on-premises and cloud-based infrastructure have quickly been matched by corresponding improvements in attacker tactics, techniques, and procedures. The problem is compounded by custom in-house and vendor-provided SaaS applications that simply do not apply best practices for secure deployment in the cloud.
To understand this better, we need to revisit history. In early 2016 the Top Threats Working Group of the Cloud Security Alliance published “The Treacherous 12,” its report on the top cloud computing threats for 2016. Front and center at that time was concern over the insecure application programming interfaces (APIs) that customers use to interact with cloud services. The overall integrity of applications delivered through cloud services depends on the integrity of these basic APIs, which are the most exposed and most attacked parts of these systems. The Cloud Security Alliance was unambiguous in stating that these “assets will be the targets of heavy attack, and adequate controls protecting them from the internet are the first line of defense and detection.”
Many SaaS application builders develop great applications, but they are not aware of how rapidly industry best practices for cloud defense evolve, nor of the techniques they need to mitigate current threats. Threats that were obvious in 2016 still present a conundrum to application architects who do not understand the nature of basic cloud security threats or how to design for secure cloud deployment. These architects have unknowingly designed, developed, and delivered applications in which the SaaS application data remains vulnerable and can be exposed through multiple well-known, well-documented cloud attack vectors. The pain for their users and customers rises further with the emergence of new threats, and higher still with new compliance requirements and the potentially draconian penalties attached to regulations such as the European Union General Data Protection Regulation (GDPR).
Examples of these challenges abound, even at world-class application software companies. Earlier in 2018 Salesforce privately notified customers that data in its Marketing Cloud may have been accessed by unknown parties and possibly modified or corrupted. Consider the size of Salesforce and the scope of its customer base: a breach of this kind could affect thousands of customers across dozens of industries and, in turn, expose data pertaining to millions of individuals.
At the root of the issue appears to be an error involving the Salesforce Marketing Cloud API, which is designed to let third-party systems connect to Marketing Cloud. Salesforce data, like that of many SaaS providers, can be protected with an optional tool, Shield, that encrypts the data within the database. Yet, as we have seen, several types of attack, including the API-based variety, can still reach this seemingly protected data. The reason is structural: encryption at rest is applied and removed by the provider, so the data is decrypted for every caller the application trusts, and a flaw in the API, or a stolen API credential, receives the same plaintext a legitimate integration would.
The conclusion is obvious: cloud SaaS data security architectures are broken. The cloud brings many benefits, but it also brings a new set of vulnerabilities to your extended enterprise and to the data you must protect.
A recent and important trend for hardening both on-premises and cloud security is the adoption of Zero Trust. Its fundamental premise is that users inside your on-premises networks and within your clouds are to be treated as no more trusted than anyone outside. Originally put forward by Forrester Research in 2009, Zero Trust has evolved substantially, gained a broad industry following, and brings a more modern and capable strategy to your cyber defense.
A Zero Trust review of your cloud deployment strategy shows that the only way to secure your data in cloud infrastructure and SaaS applications is to encrypt it end-to-end. End-to-end, or Zero Trust, encryption protects data throughout the application use cycle: the data is encrypted by the customer before it is delivered to the cloud, and decrypted only by the customer, when it is accessed by authorized users subject to security controls beyond standard login credentials. Any breach that intercepts or steals data at any point within the cloud yields only unintelligible ciphertext, because the key never left the customer. Stolen data that is encrypted under a key the attacker does not hold generally removes the duty to notify affected individuals; GDPR Article 34(3)(a), for example, waives that notification where the data was rendered unintelligible to unauthorized parties, such as by encryption, although the breach must still be assessed, and where a risk remains reported to the supervisory authority, under Article 33.
This end-to-end or Zero Trust encryption applies to the entire lifecycle of the data: at rest (in the database), in motion (through the network, APIs, middleware, and so on), and in use. By encrypting data outside the cloud, with data encryption keys held by the customer, you are no longer exposed to breach through cloud misconfiguration, theft of the provider's encryption keys, access to the encrypted database through an API, or any other primary cloud threat: an attacker who obtains the ciphertext has no key to put the pieces together. The guarantee depends on the keys never being handed to the provider; a provider that can decrypt the data, even with a key the customer supplied, recreates the at-rest model and its exposure. Zero Trust encryption therefore addresses the weakness inherent in broken SaaS application data security architectures, and meets the newest and most demanding data security requirements of the latest compliance regulations.
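As an added example that is not part of this article or of any vendor's product, the following Go program contrasts the two models discussed above using only the standard library's AES-256-GCM. A toy `SaaS` type stands in for the provider: when it holds a key it encrypts at rest and its read API decrypts for every authenticated caller (the property the article attributes to a Shield-style add-on; this is a simplification, not a model of any vendor's implementation), and when it holds no key it stores the customer's ciphertext as opaque bytes. `Compare` shows what a stolen API credential retrieves under each model, that the customer still recovers its own data, and that a corrupted row is rejected rather than silently returned. The record id, the e-mail value and the `SaaS` store are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// randBytes returns n cryptographically random bytes (used for keys and nonces).
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a malformed key length
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal: AES-256-GCM, output nonce || ciphertext || tag. The record id is bound as
// associated data so a ciphertext cannot be moved to another record undetected.
func seal(key, aad, plaintext []byte) []byte {
	gcm := aead(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal and fails on any change to nonce, ciphertext, tag or aad.
func open(key, aad, sealed []byte) ([]byte, error) {
	gcm := aead(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// SaaS is a toy provider: a record store plus the read API that integrations call.
// providerKey set: provider-side encryption at rest (the Shield-style add-on), where the
// provider holds the key. providerKey nil: customer-key model, the provider holds no key.
type SaaS struct {
	providerKey []byte
	rows        map[string][]byte
}

func (s *SaaS) Write(id string, value []byte) {
	if s.providerKey != nil {
		value = seal(s.providerKey, []byte(id), value) // provider encrypts at rest
	}
	s.rows[id] = value // customer-key model: stored exactly as received
}

// ReadAPI is what anyone holding a valid API credential receives, legitimate or stolen.
func (s *SaaS) ReadAPI(id string) ([]byte, error) {
	row := s.rows[id]
	if s.providerKey != nil {
		return open(s.providerKey, []byte(id), row) // transparent decryption for the caller
	}
	return row, nil // opaque to the provider, so opaque to the attacker as well
}

// Compare runs one record through both models: what a stolen API credential obtains under
// each, what the customer recovers with its own key, and whether a corrupted row is rejected.
func Compare(recordID, secret string) (providerLeak string, customerLeak []byte, recovered string, tamperDetected bool, err error) {
	aad := []byte(recordID)
	// Model 1: provider-held key. The API hands plaintext to whoever authenticates.
	atRest := &SaaS{providerKey: randBytes(32), rows: map[string][]byte{}}
	atRest.Write(recordID, []byte(secret))
	leaked, _ := atRest.ReadAPI(recordID) // just written under the same key; cannot fail
	providerLeak = string(leaked)
	// Model 2: customer-held key, never provisioned to the provider. Data is sealed
	// before it reaches the cloud, so the same API call yields only ciphertext.
	customerKey := randBytes(32)
	e2e := &SaaS{rows: map[string][]byte{}}
	e2e.Write(recordID, seal(customerKey, aad, []byte(secret)))
	customerLeak, _ = e2e.ReadAPI(recordID) // no provider key, so no decryption to fail
	pt, err := open(customerKey, aad, customerLeak)
	recovered = string(pt) // empty if err != nil
	// The "modified or corrupted" case: flip one bit of the stored row and retry.
	tampered := append([]byte(nil), customerLeak...)
	tampered[len(tampered)-1] ^= 0x01
	_, tamperErr := open(customerKey, aad, tampered)
	tamperDetected = tamperErr != nil
	return
}

func main() {
	pl, cl, rec, tamper, err := Compare("contact/42/email", "alice@example.com")
	fmt.Printf("provider-key API: %q; customer-key API: %d opaque bytes; recovered: %q; tamper detected: %v; err: %v\n",
		pl, len(cl), rec, tamper, err)
}
```

Two design points carry over to real deployments. Binding the record identifier as associated data means a ciphertext cut from one row and pasted into another fails authentication, which is the "modified or corrupted" case rather than the "accessed" one. And the provider-key branch of `ReadAPI` is the whole argument of the article in four lines: whatever the database looks like on disk, the API's callers get plaintext, so an API flaw or a stolen integration credential is indistinguishable from a legitimate read.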
Pravin Kothari is the founder and CEO of CipherCloud, which he founded in 2010 after realizing technology and enterprise efforts to control sensitive data hadn’t kept pace with cloud’s growth.