Does Your Organization Need a Cloud Security Architect? Part 2 of 2

Continuing the thought from my previous blog: Does Your Organization Need a Cloud Security Architect? – CyberOne (cyberonesecurity.com)

Building a Strong Cloud Posture: Key Considerations for Cloud Cyber Architects

When it comes to deploying and managing cloud services, security should be a top priority. In this blog, we will explore three vital aspects that organizations should focus on during the building out of their cloud environment: segmentation, policies (identity-based and organizational), and infrastructure as code (IaC). By understanding the importance of these elements, businesses can enhance their cloud security measures and mitigate potential risks.

Segmentation: A Fundamental Security Measure

One reason organizations separate workloads in data centers by geographical locations and within them is to satisfy security requirements. For the same reason, cloud environments should also establish segmentation boundaries for workloads. Thinking back to the house analogy in my previous post: a house has doors between various rooms; some of those doors leverage deadbolt locks, where others are secured by children who have simply posted on the door “Stay Out!”. The key takeaway here is segmentation should be defined to handle various types of sensitive workloads and data. Segmentation is accomplished by leveraging both cloud accounts and cloud objects. Regardless of the chosen CSP (AWS, Azure, GCP, etc), they all have essentially the same approach for organizing accounts as well as the constructs for cloud objects (VPCs, Subnets, NACLs, Security Groups). Organizations typically leverage segmentation to isolate the following environments: Production, Development, Sandbox – with possibly micro-segmentation taking place within those environments. Mature, security-minded organizations will leverage dedicated accounts for Security and Infrastructure services. Deploying all workloads in a single account, relying on a single VPC/Subnet, is suboptimal even for smaller organizations.

Establishing Effective Cloud Policies

After completing the segmentation, it is crucial for the organization to prioritize the establishment of policies for effectively controlling cloud consumption. This sequence is essential due to the nature of how cloud policies are formulated, which are primarily based on the account and object structures. Three key types of cloud policies exist:

  1. Account policies: These policies are applied at the organizational/account level, providing users with broad controls to limit actions. Examples include enforcing encryption, restricting object deployment to specific regions, and denying high-risk or unapproved cloud services.
  2. IAM policies: IAM (Identity and Access Management) policies define who can perform specific actions and should adhere to the principle of least privilege. They can be used independently or in conjunction with resource-level policies to establish a defense-in-depth posture.
  3. Resource-level policies: These policies limit the actions that can be performed on cloud objects and, like IAM policies, should prioritize the least amount of privilege.

Leveraging Infrastructure as Code (IaC) for Enhanced Security

One common approach for those new to the cloud is to obtain an account and then deploy objects directly from the CSP console – I’m guilty of this approach myself. Unlike the common approach of deploying objects directly from the CSP console, IaC offers an organized and discrete manner of provisioning cloud resources. IaC supports automation, agility, auditing, and compliance, etc. IaC also provides the ability for security teams to examine what the object owner intends to push to the cloud, aligning with the principles of DevSecOps. Security teams have two approaches for the inspection – manual review of code or leveraging cloud native or 3rd party tools. Obviously, the manual approach is time consuming but opens up opportunities for the security team to see specific aspects of the cloud service that might conflict with organizational policies. Leveraging tools, native or 3rd party, to perform the review can be beneficial seeing as they provide built-in compliance frameworks. Ideally, organizations should combine both approaches based on contextual insight, allowing for a comprehensive security assessment. Going back to the house analogy, IaC provides the ability to compartmentalize your cloud environment and allows for the possible reinspection by the security team to only consist of what is being requested to change.   

Final Thoughts

In today’s cloud-driven landscape, prioritizing security is paramount for organizations deploying and managing cloud services. Segmentation, accomplished through the strategic use of cloud accounts and objects, is vital for effectively handling different types of sensitive workloads and data. Establishing effective cloud policies allows for granular control over cloud consumption and fosters a defense-in-depth posture. By embracing IaC, organizations can provision cloud resources in an organized, automated, and compliant manner with effective collaboration between development, security, and operations teams. By combining manual review and tool-based assessments, organizations can achieve a comprehensive security assessment. Embracing these aspects empowers organizations to build a robust and secure cloud environment for their critical workloads.

 

About Marc 

Marc Hall is a senior security architect with CyberOne Security. Marc previously held a variety of roles at Raytheon Technologies over a span of 18 years focusing on architecture, design, and development of information systems within various business units and at Ericsson as a software developer. Over the years he has shaped enterprise cyber and infrastructure cloud strategy, established cybersecurity guardrails for cloud platforms and services leveraging cybersecurity frameworks, designed and developed mission critical defense systems, managed red teaming exercises targeting defense systems, and researched and developed novel solutions to support customer requirements. Marc is based in Dallas, TX and has a B.S. in Computer Science (University of Texas at Dallas) and a M.S. in Security Engineering (Southern Methodist University).

Does Your Organization Need a Cloud Security Architect? Part 1 of 2

Building a Strong Framework

Cloud almost always disrupts business as usual. A cloud security architect can see the cracks that can be missed by 3rd-party tools or native and less experienced non-cloud security professionals.

Over nearly a decade in cloud security, I’ve noticed some common missteps among enterprises that deploy cloud infrastructure and services, whether through Amazon Web Service (AWS), Microsoft Azure, or Google Cloud Platform (GCP). Often, they begin to consume cloud services without establishing a solid security foundation during the development and deployment of their cloud infrastructure and workloads. Similarly, cloud administrators may rely on overly permissive identity and access management (IAM) policies. Hiring a cloud security architect is like hiring a contractor to build a house. A professional has the experience and expertise to lay a strong foundation and oversee construction of the framework, so you can have confidence that your build will be secure even if you choose to add on in the future.

The Role of Cloud Security Architects

Cloud security architects bring deep experience from the trenches of designing and implementing secure cloud solutions. They may work with your application teams on one day and your infrastructure team on another. But their most valuable role is taking a broad view of your entire organization, its consumption of cloud, and how corporate and applicable regulatory/compliance security policies are adhered to on a day-to-day basis.

As a cloud security architect myself, I see the role as that of a contractor overseeing the construction or renovation of a house. All too often, the house has already been built on a poor foundation before the security team gets involved. This commonly occurs when a team has been directed to quickly move to the cloud and they take the assumption “the cloud is secure” – clearly, because someone else is managing it. When they start building the house, organizations tend to leverage agile approaches which certainly aligns with cloud adoption BUT thought must be put into the agile methodology pouring the foundation is considered. As well, organizations often don’t understand how existing corporate and compliance security policies apply to the cloud and/or they don’t understand cloud risks well enough to establish a strong foundation to build on. That can affect the entire organization down the road as cloud gains use across the enterprise. But when teams are told to “Go deploy!” they do, and commonly lay a weak foundation.

At that point, there is typically rework needed to ensure a solid foundation. There’s also a good probability that workloads will have to be moved while the rework tasks are being completed. 

Involving security early and often during all phases of development can help avoid this scenario. Otherwise, someone has to go back and fix the security foundation or, even more challenging, rooms that are built upon the foundation containing the workloads. If the walls are already up and people are working (and sometimes living) in the building, it’s much more time-consuming and expensive. This is an extremely common occurrence. A good cloud security architecture expert can help by shoring up security, even as your cloud consumption increases.

Cloud Is NOT Just Someone Else’s Datacenter

While traditional architecture shares some aspects of cloud services, such as virtual machines, storage, and networking objects, cloud services create more risk due to their flexibility. Most cloud services allow for data-flow connections to other cloud services, raising the risk of bypassing traditional security control points, even in cases where the data flows can be established to non-approved accounts. Similarly, the profusion of cloud APIs allow cloud consumers to be more granular with their infrastructure and workloads, but it also increases risk. You can compare cloud to a conference center where organizers use its spaces in different ways — perhaps for a tradeshow one week and a gala the next. This type of space provides flexibility, but securing it is more difficult. 

This difference between traditional architecture and cloud architecture is critical, and those who believe cloud is “just using someone else’s data center” are likely to make common mistakes that put their security at risk. One mistake is when organizations assign the role to an existing security architect who has spent his or her career supporting traditional data centers and three-tiered applications. Without cloud-specific training, a security architect may not know that cloud uses space differently or that how users move through the space impacts its security. 

Another all too common mistake I find is that cloud account roles are sometimes given full access to all APIs within a service — or even worse — everyone is a cloud administrator. Risk analysis should be performed on the cloud service APIs and guardrails should be established to reduce risk for the enterprise. 

As I previously said, cloud disrupts business and how we manage our infrastructure and workloads. It takes departments that were once carved up and siloed and fuses them together. Depending on how a company is organized, this can result in discussions about who owns which cloud objects and how certain business processes will function. To facilitate this shift, you need a cloud security architect with eyes across the company who can provide contextual insight into how business and security issues intersect. 

How to Rate a Cloud Security Architect

Before I get into how to choose a cloud security architect, I should point out that your organization shouldn’t solely rely on cloud security services that monitor and enforce security policies, whether native or third party. Even though services such as Microsoft Defender for Cloud are designed to monitor and assist in enforcing security policies in the cloud, at a minimum, they don’t understand context and generally speaking look for best practices and recommendations against industry standards and compliance frameworks. They lack the ability to automatically translate corporate policies and security architectural principles (i.e. don’t connect production to non-production workloads or networks). Whether your cloud environment is infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), software-as-a-service (SaaS) — or even a combination of the three — you need the expert eye of a cloud security architect to work alongside the various organizations consuming cloud to ensure a solid security posture. A seasoned cloud security architect leverages their insight into your business allowing them to maintain a high level of visibility across cloud resources, identify and manage risks before vulnerabilities are introduced within your cloud infrastructure and maintain security policies across your enterprise.

When you choose to hire a Cloud Security Architect, never solely rely on someone having a certification as sole proof that they are capable of designing, implementing, and defending your cloud security infrastructure. They may have the technical understanding of how to do the job, but the key way someone gains the skills and expertise needed to build and protect your house is through hands-on, trial-and-error experience. Ask prospective hires about their worst experiences supporting the design and implementation of cloud services. If they insist that every deployment was a success, they probably aren’t prepared for the worst. Hire someone who has war stories; someone who has experienced the good, the bad, and the ugly of securing enterprise cloud environments. Then you’ll feel confident they can defend your infrastructure against threats —no matter what type of unforeseen issues arise. 

Final Thoughts

It’s common for an enterprise to implement cloud environments with sub-par security postures because they are pressured to move fast and lack the knowledge needed to properly secure the cloud. One common challenge with the adoption of cloud is the application of the term agile, which is a more than acceptable approach when, and only when, the architecture and all supporting aspects of the environment have been thought through. People are people, and when they are working agile, they aren’t thinking about the repercussions of every decision they make. Rearchitecting your security after the fact is a huge undertaking and can be costly. Finding workarounds and optimizing your security based on the house you have and not the one you wish you had built requires the help of an expert who can make sure your cloud security infrastructure is strong enough to defend against attacks at all levels.

No matter where your organization is in its migration to the cloud, CyberOne has the expertise to help operationalize and optimize your security environment. Connect with us to get started.

 

About Marc 

Marc Hall is a senior security architect with CyberOne Security. Marc previously held a variety of roles at Raytheon Technologies over a span of 18 years focusing on architecture, design, and development of information systems within various business units and at Ericsson as a software developer. Over the years he has shaped enterprise cyber and infrastructure cloud strategy, established cybersecurity guardrails for cloud platforms and services leveraging cybersecurity frameworks, designed and developed mission critical defense systems, managed red teaming exercises targeting defense systems, and researched and developed novel solutions to support customer requirements. Marc is based in Dallas, TX and has a B.S. in Computer Science (University of Texas at Dallas) and a M.S. in Security Engineering (Southern Methodist University). 

Artificial Intelligence: What is on the horizon?

Artificial Intelligence: What Is on the Horizon?

The cybersecurity industry is under immense pressure as digital threats continue to increase and evolve. Artificial intelligence (AI) is widely understood to be a critical next step for optimizing cybersecurity processes and functions and enabling security operations centers (SOCs) to keep pace. Generative AI platforms like ChatGPT will play a leading role as SOCs find innovative ways to tap their potential for the benefit of cybersecurity teams. 

AI Continues to Advance Cybersecurity

AI offers better automation, faster, more accurate analysis and increased visibility into your network and systems, opening up exciting possibilities for security professionals.

Many SOCs already use AI and machine learning to drive risk assessments and prioritize events, incident response, and documentation. Newer technologies such as machine learning services (MLS) from Microsoft® Azure Security Center (ASC) will further enable SOCs to automate rules creation and centrally manage them within the MLS. One of many benefits is the ability to reduce false positives while simultaneously increasing detection accuracy levels overall.

Improved automation and greater risk assessment capabilities will also enable SOCs to utilize formal methods for use case content development. Automated penetration testing and breach attack simulation will become a standard requirement after each content change. 

GPT-4 Will Spark a Surge in Innovation

Chatbots are becoming increasingly vital cybersecurity tools. One of the most innovative is ChatGPT, the large language model developed by OpenAI.

ChatGPT is now in its fourth version, which the company promises to be its “most advanced system, producing safer and more useful responses.” GPT-4 can provide enhanced cybersecurity protection by utilizing AI, natural language processing (NLP), and machine learning algorithms to respond to complex cybersecurity threats.

With its gift for contextual understanding, GPT-4 can reduce or even replace many cybersecurity roles that are labor-intensive, iterative, and expensive. In addition to providing automated cybersecurity solutions at a fraction of the cost, GPT-4 can also quickly adapt to new cybersecurity threats as they arise.

Organizations that deploy ChatGPT technology for cybersecurity will progressively see their operations become more efficient, cost-effective, and secure. 

Get Ready for ChatGPT Versus ChatGPT 

Generative AI tools are transforming the matrix between how cyberattacks are coordinated and unleashed, and how successful organizations fight back. 

Bad actors are exploiting the endless possibilities of ChatGPT to quickly deploy and operationalize more sophisticated attacks. ChatGPT can mimic the input it is given and generate human-like responses that can be used to access personal data. This makes it a dangerous threat to cybersecurity teams.

ChatGPT’s ability to automatically mass produce business email compromise (BEC) communications should not be underestimated. Cleverly crafted messages can easily evade standard cybersecurity protection. It is up to us as cybersecurity practitioners to anticipate these kinds of threats and take proactive steps to tackle them before they become a real danger. Today’s cybersecurity environment has been described as an arms race between attackers and defenders, and ChatGPT is the weapon of choice.

Organizations that should be vigilant are struggling to keep pace, which makes it inevitable that this cybersecurity challenge will be a key focus in 2024 and beyond. As cyberattacks become increasingly complex and targeted, those organizations will need to fill more cybersecurity jobs while also looking for the latest cybersecurity tools to help protect their networks. ChatGPT fits the bill. It is advanced enough to automatically assess potential security threats and mitigate them with little to no human involvement, which makes it the perfect match for taking on a proliferation of ChatGPT-driven attacks.

ChatGPT Will Not Be Coming for Our Jobs

As revolutionary as ChatGPT is, it still has limitations and will never fully replace cybersecurity professionals — especially when it comes to being proactive and anticipating potential issues before they arise. 

At best, ChatGPT will assist with cybersecurity tasks that help make cybersecurity professionals more effective. It can also simplify tasks that once required expert-level skills, such as knowing how to update a firewall or a router to block an IP address. For example, ChatGPT might provide step-by-step instructions to walk less skilled team members through the changes.

ChatGPT can be useful for cybersecurity analytics, event log management, and audit compliance, and it can enable more efficient processes, including:

  • monitoring incoming traffic for malicious intent
  • identifying malicious actors
  • automating incident response
  • performing an attack analysis
  • detecting anomalies in security logs from different sources
  • and more

ChatGPT enables SOCs to automate security-related tasks that would otherwise be time-consuming or require iterative manual effort. Implementing it can quickly free up cybersecurity personnel so they can focus on larger, more strategic tasks that require specialized knowledge.

Cybersecurity experts will always be needed: ChatGPT will simply make them more efficient and effective, resulting in improved and evolving protection from emerging threats.

Conclusion

In the coming years, advanced AI will be an essential tool for updating security protocols and launching robust cyber defense initiatives. The newest version of ChatGPT, GPT-4, stands out for its advanced features that allow for greater security, faster deployment speeds, and improved performance. The platform is quickly becoming essential for preventing potential attacks or intrusions by bad actors who are already leveraging its AI-driven learning algorithms. Plus, it offers valuable guidance and role replacement capabilities. In our increasingly connected world, it is more important than ever to take advantage of this expansive technology to protect data and networks from malicious threats. Are you ready?

About the Author

Ricky Allen is the Field CISO for CyberOne Security, an ISSA Fellow and Past-President of the South Texas ISSA chapter. He holds certifications such as SABSA Security Architecture, CISSP, CISA, and Six Sigma. At CyberOne, Ricky provides security architecture design and leadership management for customers across the country. Ricky previously held roles at Accenture as an executive in their strategic information security consulting practice and at HP Enterprise Security Products as the practice lead for developing Security Operations programs for ArcSight SIEM products. Ricky was focused on retail and manufacturing industries while at PwC where he managed penetration testing and risk assessments for companies across the US. Ricky has presented at conferences such as BSides, Black Hat, API Cybersecurity, HOU.SEC.CON, SANS, SecureWorld, and Data Connectors. Ricky is based in Houston, TX and has a degree in Management Information Systems from Texas A&M University.

Attorney-Client Privilege and Cybersecurity: What’s Changed and How to Adapt

What does the recent Eastern District of Virginia decision mean for your company when you need incident response services?

What would have been a fairly straightforward question changed on May 26, 2020, with a court order issued in the Eastern District of Virginia?

The Interpretation of Attorney-Client Privilege in Cybersecurity Is Changing

In response to a March 2019 data breach, the breached company, which had an existing IR retainer with an incident response firm, decided to hire outside counsel. Outside counsel then executed a contract with the same IR vendor to conduct incident response services.

This had been standard practice for years. Until this ruling, in working with outside counsel, the report and all other work product would have been protected by the attorney-client privilege. However, the court ruled that the report must be disclosed. Prior to this decision, this was unheard of.

IR Reports Must Be Prepared in Response to Litigation for Privilege to Apply

From the ruling, the deciding issue was “whether the [IR company’s] report would have been prepared in substantially similar form but for the prospect of that litigation.” The court clarified its reasoning, stating that in order to receive protection under the work product doctrine, “the material must be prepared because of the prospect of litigation.”

While this was clearly the case, the court took the unusual position that this particular work would have been done in the ordinary course of business regardless of the prospect of litigation and was therefore not covered.

Existing Incident Response Engagements May Prohibit Attorney-Client Privilege

The published opinion indicates that the court weighed a number of factors in making that determination. Chief among these was an existing Master Service Agreement (MSA) the company had with the same IR vendor. The existing MSA dated back to 2015 and was supplemented with ongoing statements of work for similar services performed.

Pending appeal of this decision, this leaves companies who need incident response services in an awkward position.

Many Companies Have Long-Standing Incident Response Contracts

Companies that use incident response services often develop long-standing relationships with one or more IR firms. In some cases, cyber breach insurance companies demand it.

There is also an economic incentive for this kind of relationship as the IR firm learns the details of the company and can provide better service since it is familiar with the company’s environment. This decision, if upheld, would stand those established relationships on end.

It would also create a perverse incentive for the company to hire a separate IR firm through outside counsel to react to the most critical breaches where time is of the essence.

How Should You Adapt Your Incident Response Strategy?

So what can you do to limit the impact of the decision until the appeal is resolved? Below are some key items to ensure you work into your strategy.

Engage Outside Firms

In the event of a cyberattack or data breach, engage with outside counsel or forensic investigators, even when there is an existing relationship between your company and the forensics firm(s).

Clearly Delineate Separate IR Engagements

Make it clear internally that outside counsel is directing the incident response engagement and that such investigations are being conducted separately from any pre-existing cyber consulting activities with the forensic firm(s).

Ensure that it is clear in the Statement of Work for the specific engagement that the report is being prepared with the prospect of litigation in mind.

Employ the Principle of Least Privilege

The more widely the forensic report is distributed, the more likely it becomes that the court will not provide attorney work-product protection. The principle of least privilege (PoLP) can help safeguard against this.

The forensic firm should only share the report with those for whom access is necessary. In most cases, this means outside counsel. Outside counsel can then share the report with your company at their discretion.

Review the Contracts of Any Existing Relationships

If there is one overarching MSA, consider rewriting the MSA into separate agreements for consulting services and incident response services.

Ensure agreements covering the provision of such services make explicit that incident response services will be covered by an independent, unrelated agreement.

As part of this, ensure that the billing for the work is expressly billed as a legal expense.

Rely on Facts, Not Opinions

Ensure that the forensic firm writes a fact-based – not opinion-based – report for distribution from counsel to the company.

While it may well be necessary for the forensics firm to provide opinions, speculation, background, and technical explanation to provide the best advice to the company, those opinions should not be in the final report.

Create an attorney report separate from the client report to make clear that this work was done with the intent to prepare for litigation.