The Security Reports of Cisco and SANS Highlighting Some of the Most Relevant Topics of the Year 2016
Essay by Hector Diaz • June 16, 2017
Introduction
The following report is a summary of the security reports of Cisco and SANS, highlighting some of the most relevant topics of the year 2016.
Cloud Computing
Adoption of public cloud computing, in all forms, is continuing unabated. In 2015, 59% of respondents stated that they were currently using SaaS models for cloud deployments, and just under 30% each were using infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS). In 2016, those numbers are very similar. Fifty-six percent of respondents are using SaaS, with another 14% planning to implement it in the next 12 months. We asked respondents to indicate whether they were using or planned to use a public or private IaaS offering, and more indicated a private IaaS service versus a public one (36% using private versus 28% using a public IaaS). More than half of the organizations indicated that they had no plans to implement public IaaS or PaaS. These responses seem to indicate that most organizations are using SaaS currently, with some using or planning to use private IaaS (private cloud in a public cloud provider environment) and fewer using or planning to use public IaaS or PaaS offerings. For those planning to deploy cloud services in the next 12 months, SaaS was ranked the highest at 14%. As for the workloads that many are moving into the cloud, the clear winners are email/messaging applications (85%), as well as collaboration tools (84%). Other key applications respondents have in the cloud include disaster recovery and backup services, chosen by 80%, followed by server virtualization, storage, workforce apps and other line-of-business apps, with 78%, 76%, 76% and 75%, respectively. In addition, 75% of respondents use security services in the cloud. One interesting development of note is the overwhelming use of private cloud services (or a mix of private and public) versus using only public cloud for most applications and workloads. Email and messaging applications saw the highest “public only” deployment scenario, with just under 27%.
Collaboration and document management services were also heavily used in the public cloud (almost 17%), with another 24% using both public and private collaboration services.
Data and Cloud Security
In its 2016 “State of Cloud Security” report [5], the Cloud Security Alliance acknowledges that use of cloud computing is growing rapidly, but there are still many security shortcomings. First, cloud providers need to be more forthcoming with a variety of data, including threat intelligence and incident information, controls status and details, and support for open enterprise architectures. They also acknowledge that there is a significant skills gap in cloud security and a large shortage of qualified security analysts and operations staff to help design and maintain cloud security controls today. In 2015 [6], 40% of respondents stated that they were storing some forms of sensitive data in the cloud. Although this year we didn’t ask a generic question about whether they were storing any form of sensitive data in the cloud as we did in 2015, it seems that more sensitive data than ever is now being stored in the cloud. Almost half (48%) of the respondents indicated they were storing employee records in the cloud, followed by business intelligence and business financial and accounting records at 41% and 38%, respectively. Fewer are storing customer information (both personal data and financial data), along with intellectual property and healthcare information. Table 2 provides a year-over-year comparison of the types of data respondents’ organizations store in the public cloud.
Cloud Attacks and Breaches
Respondents reported a slight increase in cloud breaches from 2015 [7], with 10% claiming they had a breach involving cloud applications and data in 2016, compared to 9% in 2015. The good news is that more organizations are confident of their answers in this regard. In 2015, roughly 25% stated they weren’t sure about whether they had been breached or not, and in 2016 only 22% expressed doubt. This likely speaks to general improvement in monitoring and detection capabilities in the cloud, as well as the heightened awareness and attention being paid to cloud environments by security teams.
For the 10% of respondents who did experience attacks related to their cloud infrastructure, applications and data, the vast majority (50%) stated that account and credential hijacking played a role. This aligns with many breaches seen in the news today, notably the August 2016 revelation that Dropbox lost account data and passwords for 60 million customers in 2012, and the root cause was an employee’s password that was reused elsewhere, compromised and then used for ingress. With more organizations using public collaboration and document management services, this type of breach may become more common. Although the total number of breaches was small, the percentage increase in breaches involving misappropriated credentials may represent a significant shift in the focus of attackers compared to 2015, when stolen credentials were involved in only 28% of breaches. For 2016, denial of service attacks and privileged user abuse were both seen in close to 29% of breach scenarios, and crossover flaws from other cloud apps, virtualization issues and data exfiltration from cloud applications were all seen 25% of the time. In 2015, the major attacks seen in cloud environments were attributed to malware infections [9] and denial of service, which were somewhat less common this year.
Build better cloud defences
Sadly, many organizations still don’t have even the bare bones of policy and governance in place for cloud deployments. Just 48% have policies and a governance plan in place, but 39% indicated they do not, with another 13% unsure of this. Without an executive strategy and official policy to govern how systems, applications and data are moved into the cloud, it’s highly unlikely that organizations will be successful in securing those assets over time.
Based on the previous responses related to cloud security maturity, many organizations need to rethink how they’re approaching this overall. First, start with core foundational policy and controls requirements, such as multifactor authentication and strong passwords, along with contract needs such as SLAs and specific security assurance from the providers, then focus on the more tactical implementation specifics. Tracking the geographic location of data, as an example, is something that is likely to elude many organizations for the time being, because cloud providers don’t offer a means to do it. Regardless of whether they have a policy, however, organizations are finding at least some success in managing or outsourcing cloud security controls in a number of areas. VPN, network access controls, IDS/IPS, anti-malware and vulnerability scanning tools are predominantly managed in-house, and many organizations feel they have these under control for cloud environments. Because these are very stable, traditional security controls, it’s not surprising to find that many teams prefer to keep managing these. However, a number of other controls are being run in security-as-a-service (SecaaS) formats, primarily multifactor authentication (14%), behavioral and performance analytics (13%), and several other areas that include identity management and cloud encryption gateways and access security brokers. Overall, between in-house management and third-party SecaaS providers, most organizations are feeling reasonably comfortable with the majority of foundational security controls and areas today.
...
...