Cloud computing myths have occupied the IT world since the cloud became a viable infrastructure hosting option a decade and a half ago. Those of us who worked in IT at the time remember the many misconceptions about what the cloud was and whether it was possible to host business-critical services in the cloud while maintaining security and regulatory compliance. 

The IT industry and the cloud have evolved beyond all recognition since those early days, and few people today doubt the value and power of the cloud computing model. In 2022, 67% of enterprise infrastructure and 83% of business workloads are hosted on a cloud platform.

Yet cloud myths persist, particularly cloud security myths, although their nature has evolved along with the cloud. In the past, cloud security myths were unduly pessimistic. Today, they are just as likely to be unduly optimistic about cloud security and compliance. 

Myth 1: Cloud Platforms Are Insecure

This is the original cloud security myth, founded on the belief that businesses can’t trust infrastructure they don’t control. However, if we look at the pattern of security incidents involving cloud platforms, it becomes clear that they are rarely caused by vulnerabilities in the platform itself. They are almost always the result of cloud users’ misconfigurations and mistakes; 70% of cloud security challenges arise from configuration errors.

Myth 2: Vendors Take Care of Cloud Security

The opposite of our first cloud security myth is the mistaken belief that the cloud is inherently secure. Believers operate under the misconception that hosting software and data in the cloud is a shortcut to improved security. In reality, all cloud providers use a shared responsibility model for security. 

The provider takes responsibility for some security aspects—the physical infrastructure at a minimum, but often other aspects depending on the service. The user is then responsible for using those services securely. For example, attaching an unencrypted Amazon Elastic Block Store (EBS) volume to an EC2 instance leaves the data at rest on that volume, and on any snapshot taken from it, unprotected. Amazon provides encrypted EBS volumes and can even enforce encryption by default for an account in each region, but it won’t stop a user from deploying an unencrypted one.

Cloud users must understand which security aspects they are responsible for and how to configure their cloud environment to meet security and compliance requirements. If you’re worried that your business has cloud misconfigurations, consider a cloud security configuration assessment.

Myth 3: Compliant Services Guarantee Regulatory Compliance

Many cloud providers advertise that their services are compliant with information security regulations. For example, Amazon’s S3 storage service is certified compliant with SOC, PCI DSS, HIPAA, and other regulatory standards. But what does that mean? Most importantly, it doesn’t mean that an S3-based data storage system automatically complies with those standards. 

This is something cloud vendors go to some lengths to communicate. For example, Amazon’s PCI DSS compliance documentation states that “AWS establishes itself as a PCI DSS Service Provider to enable, upon further configuration, the compliance of our customers.” The “upon further configuration” part is critical. S3’s PCI compliance means it can be used as part of a PCI-compliant system, but it needs to be configured correctly to do so. A single configuration error, such as a bucket policy that grants public read access, may render any system built on S3 non-compliant, and it’s the user’s responsibility to make sure that doesn’t happen.
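The two misconfigurations discussed under Myths 2 and 3 are exactly what a configuration assessment looks for. The script below is an added example, not code from the original article or from AWS: it checks EBS volumes for the Encrypted flag and S3 buckets for a default encryption rule and a complete public-access block. The input dictionaries are constructed to mirror the shape of boto3’s describe_volumes, get_bucket_encryption and get_public_access_block responses, and the volume and bucket names are placeholders, so it runs offline without touching an AWS account.

```python
"""Configuration assessment for EBS volume encryption and S3 bucket settings.

Added example, not code from the original article. The input dictionaries are
constructed to mirror the shape of boto3's describe_volumes,
get_bucket_encryption and get_public_access_block responses; no AWS call is
made, so the script runs offline.
"""
from typing import Dict, List, Tuple

PUBLIC_ACCESS_SETTINGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def unencrypted_volumes(describe_volumes_response: Dict) -> List[str]:
    """Return IDs of EBS volumes whose Encrypted flag is false.

    Data on such a volume, and on every snapshot taken from it, is stored in
    the clear; this is the EBS misconfiguration described under Myth 2.
    """
    return [
        vol["VolumeId"]
        for vol in describe_volumes_response.get("Volumes", [])
        if not vol.get("Encrypted", False)
    ]


def bucket_findings(name: str, encryption: Dict, public_access_block: Dict) -> List[str]:
    """Return findings for one S3 bucket.

    `encryption` is a get_bucket_encryption response, or {} when the bucket has
    no configuration (boto3 raises a ClientError there; the caller maps it to {}).
    `public_access_block` is a get_public_access_block response.
    """
    findings = []
    rules = encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algorithms = {
        rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
        for rule in rules
    }
    if not {alg for alg in algorithms if alg}:
        findings.append(f"{name}: no default server-side encryption configured")

    settings = public_access_block.get("PublicAccessBlockConfiguration", {})
    for setting in PUBLIC_ACCESS_SETTINGS:
        if not settings.get(setting, False):
            findings.append(f"{name}: public access block setting {setting} is off")
    return findings


# Constructed sample data shaped like the API responses; not real resources.
SAMPLE_VOLUMES = {
    "Volumes": [
        {"VolumeId": "vol-0a1b2c3d4e5f60001", "Encrypted": True, "State": "in-use"},
        {"VolumeId": "vol-0a1b2c3d4e5f60002", "Encrypted": False, "State": "in-use"},
    ]
}

SAMPLE_BUCKETS: Dict[str, Tuple[Dict, Dict]] = {
    "cardholder-data": (
        {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}
        ]}},
        {"PublicAccessBlockConfiguration": {s: True for s in PUBLIC_ACCESS_SETTINGS}},
    ),
    "marketing-assets": (
        {},  # no default-encryption configuration on this bucket
        {"PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": False,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": False,
        }},
    ),
}


def run_assessment(volumes: Dict = SAMPLE_VOLUMES,
                   buckets: Dict[str, Tuple[Dict, Dict]] = SAMPLE_BUCKETS) -> List[str]:
    """Combine the EBS and S3 checks into one list of findings."""
    findings = [f"{vol_id}: EBS volume is not encrypted" for vol_id in unencrypted_volumes(volumes)]
    for name, (encryption, public_access_block) in buckets.items():
        findings.extend(bucket_findings(name, encryption, public_access_block))
    return findings


if __name__ == "__main__":
    for finding in run_assessment():
        print(finding)
```

Against the sample inventory this reports the unencrypted volume and three findings on the marketing bucket, and nothing on the cardholder bucket. One caveat when adapting it to live data: since January 2023 S3 applies SSE-S3 to all new objects automatically, so for a bucket in PCI scope the more useful check is usually whether the default rule requires aws:kms with a key you control, rather than whether any default exists at all.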

Myth 4: Bad Actors Don’t Target the Cloud

It might be tempting to think that moving to a cloud platform will solve your business’s security problems. You’re at the end of your tether with the constant bombardment of malware, ransomware, phishing attacks, and bad bots. You want a secure infrastructure solution that is immune to the attention of cybercriminals. But the cloud can’t give you what you are looking for. Many of the biggest security breaches and data leaks of the last few years happened on the cloud. 

Criminals go where the data is, and they have become skilled at exploiting cloud vulnerabilities. As we established earlier in this article, most of those vulnerabilities are caused by cloud user mistakes. Does that mean cloud platforms can’t help you solve your security and compliance issues? In fact, they can, but you may need the help of an experienced cloud expert. 

Myth 5: You Don’t Need A Cloud Security Audit

A cloud security audit based on the Center for Internet Security (CIS) Benchmarks will help your business avoid the security and compliance risks we’ve highlighted in this article. Experienced information security experts will examine your AWS, Microsoft Azure, or Google Cloud Platform environment for configuration mistakes, security vulnerabilities, and data breach risks. An audit ensures you have the information to operate a secure and compliant cloud environment. To learn more, contact a cloud security specialist at KirkpatrickPrice today.

A cloud access security broker (CASB) is a software security service that acts as an intermediary between business cloud users and cloud providers. CASBs monitor data flow to and from cloud platforms, ensuring that cloud use complies with information security policies and regulations. Much as a firewall enables businesses to enforce security policies for incoming and outgoing network traffic, a CASB enables them to enforce infrastructure and information security policies for cloud use.

Before the advent of cloud computing, IT infrastructure was hosted in on-premises or colocated data centers. IT and security professionals could enforce security policies because they controlled the hardware and software stack. Businesses have less control over hardware and software in the cloud era, but a CASB allows them to extend security policies from on-premises environments to cloud environments.

What Does a Cloud Access Security Broker Do?

A CASB is a security service hosted either on-premises or in the cloud. It mediates connections between devices used by employees and cloud services, either inline as a proxy or out of band through the cloud providers’ APIs. The primary purpose of CASB security systems is to reduce the risk of sensitive data being insecurely stored, accessed, and processed on cloud platforms.

CASBs are sophisticated platforms that can enforce a broad range of security controls. CASB capabilities include:

  • Authentication and identity management with SSO and IAM integration
  • Risk assessment and data governance in line with regulatory frameworks
  • App discovery to ensure the business is aware of cloud applications accessed by employees
  • User activity monitoring
  • Behavioral analytics to identify and mitigate threats
  • Cloud configuration auditing
  • Malware detection
  • Encryption
  • Key management
  • Monitoring and alerting
  • Device profiling

CASBs are designed to solve a specific set of problems, so they may not include all of the features in this list. When selecting a CASB, businesses first assess their needs and then choose a CASB security solution that addresses their use case. Platform compatibility is one of the most critical factors. CASBs interact with cloud providers via APIs, which differ between platforms. For example, a business that uses AWS will choose a CASB that supports Amazon’s cloud platform, such as Bitglass.

Why Do Cloud Users Need a CASB?

Cloud platforms—whether SaaS, PaaS, or IaaS—attract businesses and employees because they reduce complexity, offer a versatile range of services, and are less expensive than self-managed infrastructure. However, companies quickly discover that a lack of “walled garden” control makes securing cloud environments more complex. 

Employees often use unsanctioned cloud services to circumvent security restrictions and limitations in approved software. This is the well-known shadow IT problem. In 2019, a McAfee study showed that businesses use hundreds more cloud services than they know about. These services are not subject to security policies, compliance oversight, or internal governance processes. 

CASBs were initially developed to address the shadow IT problem by helping businesses to gain visibility into the cloud applications employees use. Over time, they have been enhanced with numerous other features that empower businesses to take back control of infrastructure security and cloud compliance.

What Are the Four Pillars of CASB?

The Gartner IT research consultancy describes CASB solutions as having four main pillars of functionality:

  • Compliance. Cloud platforms provide IT services, but businesses are responsible for using them in compliance with relevant regulatory frameworks. CASB solutions help businesses identify potential compliance risks for regulations such as HIPAA and PCI DSS.
  • Visibility. CASBs monitor cloud services and applications for use that contravenes data security policies. They provide risk analyses and allow businesses to control, limit, or prevent access depending on the application, the user’s access levels, and other factors.
  • Data security. CASBs offer data security features to observe and protect data as it moves between on-premises infrastructure and cloud environments.
  • Threat protection. Because CASBs have visibility into data and app usage patterns, the software can identify and mitigate potential threats such as unauthorized access, data exfiltration attempts, and malware infections.
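To make the pillars concrete, here is an added example (not code from the original article or from any CASB product) of the decision an inline, proxy-mode CASB makes per request: app discovery against a sanctioned-app inventory, covering the shadow IT problem described earlier; a data-security check that looks for card numbers in uploads and confirms them with the Luhn check so invoice numbers and order IDs are not flagged; and a threat-protection outcome of allow, alert, or block. The sanctioned-app list, hostnames, users, and request bodies are constructed placeholders.

```python
"""Proxy-style CASB policy evaluation: app discovery (shadow IT), DLP on
uploads, and a per-request decision.

Added example, not code from the original article or any CASB product. The
sanctioned-app inventory, hostnames and traffic are constructed placeholders.
"""
import re
from dataclasses import dataclass
from typing import List, Set

# Assumed inventory of sanctioned apps, keyed by the hostname the proxy sees.
SANCTIONED_APPS = {
    "app.box.com": "Box",
    "tenant.sharepoint.example.com": "SharePoint",
}

# 13-19 digits, optionally separated by spaces or dashes: a candidate card number.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test; rejects most digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return Luhn-valid primary account numbers found in text, digits only."""
    pans = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits):
            pans.append(digits)
    return pans


@dataclass(frozen=True)
class CloudRequest:
    user: str
    host: str       # destination cloud app
    method: str
    body: str = ""  # request body as seen by the inline proxy


@dataclass(frozen=True)
class Decision:
    action: str     # "allow", "alert" or "block"
    reason: str


def evaluate(req: CloudRequest) -> Decision:
    """Block cardholder data leaving the company, alert on unsanctioned apps,
    allow everything else."""
    app = SANCTIONED_APPS.get(req.host)
    uploading = req.method in ("POST", "PUT")
    pans = find_pans(req.body) if uploading else []
    if pans:
        target = app or f"unsanctioned app {req.host}"
        return Decision("block", f"{len(pans)} card number(s) in upload to {target}")
    if app is None:
        return Decision("alert", f"unsanctioned app {req.host} (shadow IT)")
    return Decision("allow", f"sanctioned app {app}, no sensitive data found")


def discovered_shadow_it(requests: List[CloudRequest]) -> Set[str]:
    """App discovery: hosts in use that are not in the sanctioned inventory."""
    return {r.host for r in requests if r.host not in SANCTIONED_APPS}


# Constructed sample traffic; the card number is the standard Visa test number.
SAMPLE_TRAFFIC = [
    CloudRequest("alice", "app.box.com", "POST", "Q3 budget notes"),
    CloudRequest("bob", "paste.example.net", "PUT", "card 4111 1111 1111 1111 exp 12/26"),
    CloudRequest("carol", "personal-drive.example.org", "GET"),
    CloudRequest("dave", "tenant.sharepoint.example.com", "POST", "Invoice 12345678901234"),
]


if __name__ == "__main__":
    for request in SAMPLE_TRAFFIC:
        decision = evaluate(request)
        print(f"{request.user:6} {decision.action:5} {decision.reason}")
    print("shadow IT:", sorted(discovered_shadow_it(SAMPLE_TRAFFIC)))
```

On the sample traffic the result is allow, block, alert, allow: bob’s upload to an unsanctioned paste site carries a valid card number and is stopped, carol’s personal drive is surfaced as shadow IT, and dave’s 14-digit invoice number passes because it fails the Luhn check. An API-mode CASB applies the same policy after the fact to data already in a sanctioned app; only the inline mode can block the upload itself.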

How Does a CASB Promote Compliance in the Cloud?

Cloud access security brokers facilitate secure and compliant cloud use. Because CASBs provide visibility into and control over data use in the cloud, businesses can more effectively enforce cloud security controls that support regulatory compliance goals. 

However, CASBs are only part of a comprehensive cloud security program. They are one component of a layered approach to cloud security that also includes security awareness training and cloud security audits conducted by qualified information security auditors. 

To learn more about cloud security and cloud compliance audits, visit KirkpatrickPrice’s cloud security resources, including dozens of educational videos and our free AWS security scanner.

You’re sitting at your desk when the first notification arrives. Uptime monitoring has detected unusually long response times for the servers hosting the business’s primary web app. Soon after, your manager calls to say customer support is getting complaints—many users can’t sign in and the app is slow for those who can.  You try to open the app to see for yourself, but the browser times out. 

With increasing concern, you check the network monitoring dashboard, which shows the app struggling to cope with thousands of connections from hundreds of IP addresses in locations around the world. You are the target of a massive Distributed Denial of Service (DDoS) attack. Ten minutes later, all customer-facing services go offline.

DDoS attacks can devastate a business, and any company that depends on IT infrastructure is vulnerable. There were more than 5.4 million DDoS attacks in the first half of 2021, costing $20,000 to $40,000 per hour. The good news is that DDoS protection services can mitigate the worst consequences, but only if businesses prepare before the attack hits. 

What is a DDoS Attack?

Denial of Service attacks exploit the fact that server and network resources are limited. No service has infinite resources, and, even if that were possible, the cost would be astronomical. Bad actors exploit these limitations with attacks that consume a service’s available resources, leaving it unable to serve legitimate users.

The “Distributed” in Distributed Denial of Service indicates that the attack comes from many sources at once. Attackers also have resource limits, and it’s straightforward to block an attack coming from a single source once it’s identified. In a DDoS attack, the attacker instead uses thousands of compromised devices, known as bots and collectively as a botnet, to draw on far more bandwidth and computational power than any single source could provide.

DDoS attacks are much more difficult to mitigate because the sources are numerous and constantly changing, and their distributed nature gives attackers access to many times the bandwidth of a single host. In November 2021, the largest DDoS attack reported up to that point, disclosed by Microsoft, used roughly 10,000 compromised devices to generate 3.47 terabits per second (Tbps)—a flood of data that threatens even the biggest and most well-resourced online services.

5 DDoS Mitigation Strategies

Stopping DDoS attacks at the source is beyond the capabilities of most businesses. However, it is possible to implement DDoS protection strategies, also known as DDoS prevention or DDoS mitigation, to help your services to survive a DDoS attack.  

1. Reduce Infrastructure Exposure to DDoS Attacks

The first step is to limit your service’s attack surface. Attackers will exploit any opportunity. For example, WordPress websites expose an XML-RPC endpoint (xmlrpc.php) and a REST API. These are useful, but they can be targeted in DDoS attacks, and the XML-RPC pingback method has also been abused to turn WordPress sites into attackers against other targets. If they aren’t used, they should be disabled. The same goes for unused network services, ports, protocols, and applications on your servers.

2. Hide Key Services from the Internet

Businesses can use several strategies to protect origin servers by placing them behind resilient front-line services that take the brunt of a DDoS attack. They include content distribution networks, load balancers, and bastion servers. 

A content distribution network (CDN) is a geographically distributed cache. A service’s assets are cached on many edge servers worldwide, and users fetch them from the nearest edge rather than from the origin server. A CDN therefore reduces the traffic that reaches the origin and spreads the load across infrastructure built to absorb excess traffic.

Load balancers distribute traffic over multiple origin nodes which are not directly connected to the internet. The load balancers can be used to monitor and drop potentially malicious traffic, and the origin servers behind the load balancers can be scaled to handle increasing resource demands. 

Bastion servers perform a similar function for businesses that want to expose potentially vulnerable services without putting origin servers at risk. For example, an SSH bastion server mediates SSH access to servers hosting an application. Only the bastion server is impacted if the SSH service comes under attack. 

3. Deploy Web Application Firewalls

Web application firewalls (WAFs) monitor web app traffic and block malicious requests. Standard firewalls operate at the network and transport layers. They can, for example, block all incoming connections to a specific port, but because legitimate and malicious HTTP requests arrive on the same port, blocking them all would knock the targeted website offline.

A WAF, in contrast, inspects HTTP traffic at the application layer and blocks requests that match malicious patterns. WAFs offer a more flexible approach to DDoS mitigation based on the nature and contents of individual web requests. For example, a WAF can rate-limit or block requests that target and overload a log-in page while continuing to serve the rest of the site.

4. Leverage Infrastructure Redundancy and Scaling

Until other DDoS mitigation strategies are implemented, a business’s only option may be to scale resources to absorb the additional traffic. Scaling can be an expensive proposition, but if an online service is essential to your business’s operations, growing server resources and network bandwidth will ensure that users can still access it. 

It’s worth noting that not all hosting providers can scale to support large DDoS attacks. Smaller hosting providers may instead take services offline to protect their network. Larger cloud providers like AWS and Microsoft Azure can scale to absorb large attacks, but even they struggle to accommodate very high bandwidth denial of service attempts. 

5. DDoS Protection Services

Finally, your business can utilize specialist DDoS protection and DDoS mitigation services. These often function much like a CDN. The DDoS mitigation provider’s infrastructure acts as an intermediary layer between your infrastructure and the internet. Their software detects DDoS attacks and drops suspect traffic before it reaches your infrastructure. Some of the best-known DDoS mitigation services include Cloudflare, AWS Shield, Fastly, and Akamai.

How KirkpatrickPrice Helps Businesses To Secure Online Services

DDoS attacks are only one of the many security threats companies face in 2022. KirkpatrickPrice helps businesses to maintain security and compliance with services that include:

Contact an information security expert today to begin your journey to more secure online services.

What are the most significant security risks facing your organization? Your answer might include common external threats, such as brute force attacks, phishing attacks, ransomware, supply chain attacks, and attacks against vulnerable software, among many others. But the focus on external security risks misses an important point: External attacks often exploit vulnerabilities created by poor internal security controls and practices.  

According to the 2021 Verizon Data Breach Investigations Report (DBIR), 85% of breaches involved a human element. Brute force attacks succeed when employees use easy-to-guess passwords. Phishing attacks succeed when employees click on malicious links in emails from unverified sources. These risks can be mitigated when your organization integrates information security practices into all elements of its organizational culture.

An organization with a dedicated information security culture aims to mitigate internal risks by giving employees the knowledge, support, and motivation to follow information security policies and procedures. 

What is Security Culture?

Culture is the norms, values, and attitudes shared by a group. These factors matter because they influence behavior—people act according to their beliefs and incentives. A security culture is one in which norms and values are aligned with information security policies and best practices. 

In more concrete terms, that means:

  • Employees understand the security threats relevant to their role and what they can do to mitigate risk. 
  • They feel supported and encouraged to report security threats and vulnerabilities. 
  • They believe the business prioritizes security relative to other values, such as efficiency. 
  • They feel encouraged to help colleagues and employees they manage to be more secure. 
  • Security is a significant component of business communication, onboarding, and training. 

A security culture encourages employees to make information security part of their day-to-day activities and rewards them for doing so. 

How to Foster a Positive Security Culture in Your Organization

A positive security culture doesn’t arise organically; businesses must make a proactive effort to foster a security culture within their organization. Let’s consider four ways your company can begin to lay the foundations of a positive security culture today. 

1. Create Simple, Transparent Information Security Policies

Information security policies and the procedures built on them are the foundation of an effective security culture. But it’s not enough to write security policies. They must also be communicated to employees, enforced within the organization, and supported by organizational structures. 

For example,  there is little benefit to implementing a vulnerability reporting policy if: 

  • Employees don’t know who to report to.
  • There is no system in place to act on reports.
  • Employees receive negative feedback for reporting.
  • Security policies and procedures are too technical for employees to understand. 

A thriving security culture is a holistic endeavor where employees and managers work together to implement security policies. Policies only support a security culture if they are accessible, achievable, and endorsed by leaders at all levels of the organization. 

2. Empower Employees with Security Awareness Training

Without training, many employees—especially those in non-technical roles—lack awareness of security threats and the knowledge required to mitigate risk. Lack of security awareness is the root cause of many security incidents. Around half of all security breaches are the result of employee error.

To take just one example, 61% of breaches used authentication credentials that were shared, leaked, or otherwise exposed to the attacker. Security awareness training can significantly reduce this and many other security risks by helping employees to understand the threat and their role in mitigating risk. 

3. Make Information Security a Company Priority

If information security isn’t a priority for managers, it won’t be a priority for employees. Many of the biggest security breaches of recent years were caused, at least in part, by a company’s unwillingness to focus on and invest in security. 

There is a short-term cost to improving security, which some companies would prefer to avoid. However, security breaches cost businesses an average of $4.24 million. The long-term costs of a major security breach far outweigh the cost of an ongoing investment in fostering a positive security culture. 

4. Reward Employees for Contributing to a Positive Security Culture

Effective security cultures are based on positive reinforcement that encourages employees to follow security best practices. People are more willing to devote time and effort when they are rewarded for doing the right thing than when they are punished for making mistakes. 

There are many ways a company can reward secure behavior. Security awareness experts at the SANS Institute recommend public recognition. Use security-related communications such as newsletters to praise employees for reporting vulnerabilities and following security best practices. Managers can implement the same incentives by highlighting security issues and praising employees for improving security throughout the organization.  

KirkpatrickPrice Helps Businesses to Achieve a Positive Security Culture

KirkpatrickPrice offers information security services to help businesses improve their security culture, including:

We also offer a comprehensive range of security compliance audits for SOC 2, PCI DSS, HIPAA, FISMA, and more. To learn how KirkpatrickPrice can help your business to strengthen and verify security and compliance, contact our information security specialists.

AWS Network Firewall is a flexible managed firewall and intrusion detection service. It allows AWS users to control network access to resources within an AWS Virtual Private Cloud (VPC). We explored AWS Network Firewall and how it complements other AWS firewalls in What is AWS Network Firewall? In this article, we’ll dig a little deeper and show you how to deploy an AWS Network Firewall instance within a VPC hosted on your AWS cloud environment. 

At a high level, the process for deploying AWS Network Firewall involves the following four steps:

  1. Create rule groups with network filtering rules.
  2. Create a firewall policy that includes your rule groups.
  3. Create a firewall that uses your firewall policy. 
  4. Configure VPC route tables so the firewall endpoint can process traffic as it moves between an internet gateway and subnets within your VPC. 

The details of Step 4 differ depending on how your VPC is configured, so we’ll focus on the first three steps here. 

AWS Network Firewall is a highly configurable service, and secure configuration depends on factors unique to your environment, including how your VPC, subnets, and gateways are configured. This article should not be taken as a guide to setting up a secure firewall for your AWS infrastructure. 

AWS Network Firewall Prerequisites

To follow the steps outlined here, you will need an AWS VPC with the following characteristics:

  • At least two subnets, one of which will be used only for the AWS Network Firewall. 
  • An Internet Gateway with routing configured to send incoming traffic to the other subnet, which should be configured to send outgoing traffic through the gateway. 

The firewall subnet must have at least one available IP address. Amazon calls this configuration a simple single zone architecture with an internet gateway.

Configure Firewall Security Rules 

Protecting Your AWS Cloud Infrastructure with AWS Network Firewall

The first step is to create firewall rule groups to contain your traffic filtering rules. For example, you might want to block incoming SSH traffic to your subnet. To do so, you would create a rule telling the firewall to drop SSH connections.

  1. Open the AWS VPC console and select Network Firewall Rule Groups from the Network Firewall section of the sidebar menu. 
  2. Click the Create Network Firewall rule group button and give the group a name. 
  3. In the Capacity field, enter the processing capacity to reserve for the group. Capacity is not simply a rule count: a stateful rule consumes roughly one unit per rule, while a stateless rule consumes the product of the number of settings in each of its match criteria, so a rule with two sources and two destination ports costs four. If you’re experimenting, 10 should be sufficient, but leave headroom, because capacity cannot be changed once the group is created.
  4. Choose whether to create a stateless or stateful rule group. 
  5. Scroll down to the Add Rule section and enter the new rule’s protocol, name, and source and destination IP and port. 
  6. Choose whether packets matching the rule are dropped or passed. 
  7. Click the Add Rule button. 
  8. Add additional rules as required, and then click Create Stateful/Stateless Rule Group at the bottom of the page. 

Learn more about how to create security rules from Amazon’s documentation. 

Create a Firewall Policy

Now that you have created a rule group, you can add it to a firewall policy.

  1. Select Firewall Policies from the Network Firewall section of the VPC console. 
  2. Click the Create firewall policy button. 
  3. Enter a name and optional description before clicking Next. 
  4. Scroll down to the Stateless rule group or Stateful rule group forms. 
  5. Click the Add Rules Groups button, then Add my own stateful/stateless rule groups. 
  6. Choose the rule group you created in the previous step. 
  7. Click through the subsequent dialogs and then click Create firewall policy on the Review and create page. 

Learn more about firewall policies from Firewall policies in AWS Network Firewall.

Deploy AWS Firewall on Your Virtual Private Cloud

The next step is to create a firewall that uses the firewall policy created in the previous step. Once the firewall is configured, it will be deployed into the firewall subnet of the VPC. 

  1. Select Firewalls from the Network Firewall section of the VPC console. 
  2. Click the Create Firewall button. 
  3. Give the firewall a name and choose your VPC from the drop-down menu. 
  4. Select the availability zone that contains your firewall subnet and then the subnet itself. 
  5. In the Associated firewall policy section, choose Associate an existing firewall policy and then choose the policy created in the previous section from the dropdown. 
  6. At the bottom of the page, click Create Firewall. 
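The console is the path this article walks through, but the same three steps map directly onto three API calls, and scripting them makes the capacity decision from step 1 explicit. The following is an added boto3 example, not code from the original article or from AWS’s own samples: it builds the create_rule_group, create_firewall_policy and create_firewall parameters for a stateless rule group that drops inbound SSH to the protected subnet, computes the group’s capacity the way AWS documents it before the group is created, and only contacts AWS if deploy() is called. The rule group and policy names, the CIDR ranges, and the VPC and subnet IDs are placeholders.

```python
"""Steps 1-3 above as API payloads, with the stateless capacity calculation
done up front because Capacity is fixed once the rule group exists.

Added example; not code from the original article or AWS. Names, CIDR ranges
and the VPC/subnet IDs are placeholders. Nothing contacts AWS unless deploy()
is called with boto3 installed and credentials configured."""
from typing import Dict, List

APP_SUBNET_CIDR = "10.0.1.0/24"   # assumed CIDR of the protected subnet
MATCH_CRITERIA = ("Sources", "Destinations", "SourcePorts",
                  "DestinationPorts", "Protocols", "TCPFlags")


def drop_inbound_ssh_rule(priority: int = 1) -> Dict:
    """Stateless rule: drop TCP/22 from anywhere to the protected subnet."""
    return {"Priority": priority, "RuleDefinition": {
        "MatchAttributes": {
            "Sources": [{"AddressDefinition": "0.0.0.0/0"}],
            "Destinations": [{"AddressDefinition": APP_SUBNET_CIDR}],
            "DestinationPorts": [{"FromPort": 22, "ToPort": 22}],
            "Protocols": [6],   # TCP
        },
        "Actions": ["aws:drop"],
    }}


def drop_admin_ports_rule(priority: int = 2) -> Dict:
    """Stateless rule with two sources and two ports, to show how capacity grows."""
    return {"Priority": priority, "RuleDefinition": {
        "MatchAttributes": {
            "Sources": [{"AddressDefinition": "192.0.2.0/24"},
                        {"AddressDefinition": "198.51.100.0/24"}],
            "Destinations": [{"AddressDefinition": APP_SUBNET_CIDR}],
            "DestinationPorts": [{"FromPort": 22, "ToPort": 22},
                                 {"FromPort": 3389, "ToPort": 3389}],
            "Protocols": [6],
        },
        "Actions": ["aws:drop"],
    }}


def stateless_rule_capacity(rule: Dict) -> int:
    """AWS's documented method: multiply the number of settings in each match
    criterion, counting an unset criterion as 1."""
    attrs = rule["RuleDefinition"]["MatchAttributes"]
    capacity = 1
    for criterion in MATCH_CRITERIA:
        capacity *= max(1, len(attrs.get(criterion, [])))
    return capacity


def rule_group_request(name: str, rules: List[Dict], capacity: int) -> Dict:
    """Step 1: create_rule_group parameters; refuses rules that exceed the fixed capacity."""
    needed = sum(stateless_rule_capacity(rule) for rule in rules)
    if needed > capacity:
        raise ValueError(f"rules need capacity {needed}, group allows {capacity}")
    return {"RuleGroupName": name, "Type": "STATELESS", "Capacity": capacity,
            "RuleGroup": {"RulesSource": {
                "StatelessRulesAndCustomActions": {"StatelessRules": rules}}}}


def firewall_policy_request(name: str, rule_group_arn: str) -> Dict:
    """Step 2: create_firewall_policy parameters referencing the rule group."""
    return {"FirewallPolicyName": name, "FirewallPolicy": {
        "StatelessRuleGroupReferences": [{"ResourceArn": rule_group_arn, "Priority": 1}],
        # Packets no stateless rule decides are handed to the stateful engine.
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
    }}


def firewall_request(name: str, policy_arn: str, vpc_id: str, firewall_subnet_id: str) -> Dict:
    """Step 3: create_firewall parameters; the endpoint is placed in the firewall subnet."""
    return {"FirewallName": name, "FirewallPolicyArn": policy_arn, "VpcId": vpc_id,
            "SubnetMappings": [{"SubnetId": firewall_subnet_id}],
            "DeleteProtection": True}


def deploy(vpc_id: str, firewall_subnet_id: str) -> str:
    """Run the three create calls in order and return the firewall's status."""
    import boto3  # imported here so the rest of the module runs offline
    nfw = boto3.client("network-firewall")
    rules = [drop_inbound_ssh_rule(), drop_admin_ports_rule()]
    group = nfw.create_rule_group(**rule_group_request("block-inbound-admin", rules, 10))
    group_arn = group["RuleGroupResponse"]["RuleGroupArn"]
    policy = nfw.create_firewall_policy(**firewall_policy_request("app-vpc-policy", group_arn))
    policy_arn = policy["FirewallPolicyResponse"]["FirewallPolicyArn"]
    firewall = nfw.create_firewall(**firewall_request("app-vpc-firewall", policy_arn, vpc_id, firewall_subnet_id))
    return firewall["FirewallStatus"]["Status"]
```

The SSH rule costs one unit of capacity and the two-source, two-port rule costs four, so the group needs five and is created with 10 to leave room; the console shows the same running figure as you add rules, and if the two ever disagree, trust the console. Note also that the policy forwards everything the stateless rules do not decide to the stateful engine, and with no stateful rule groups attached that traffic passes, so this firewall blocks only what the two rules name. Nothing is filtered at all until step 4 routes the subnet’s traffic through the firewall endpoint.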

AWS will now deploy your firewall into the chosen subnet. However, the firewall does not automatically begin filtering traffic. To use the firewall, you must configure the VPC’s route tables so that incoming and outgoing traffic is sent through the firewall’s endpoints. The specifics depend on how your VPC and subnets are configured, but you can learn more about VPC routing tables in Managing route tables for your VPC.

Cloud Security and Compliance with KirkpatrickPrice

KirkpatrickPrice can help your business to secure its cloud infrastructure. Our cloud security audits and remote cloud security configuration assessments ensure your AWS infrastructure is configured for optimal security and compliance. To learn more, contact a cloud security and compliance specialist or visit our cloud security resources.