Realign Your Security Strategy When Navigating Digital Disruptions
We know you’re sick of hearing about COVID-19’s role in speeding up digital transformation, but let’s face it: it was a pivotal moment. Nowhere else has there been such unanticipated and extraordinary growth in the digital sectors, which exploded in response to the COVID-19 crisis and pushed people and organisations to embrace entirely new digital experiences.
Almost everything is now connected and digitalised, and the cloud has made the transition a lot easier for many companies that want to keep up. “When you shift a lot of things to the cloud, such as from the scalability, risk transference, and resource management perspective, you’re putting these things online,” said Vincent Danen, Vice President, Product Security, Red Hat Global, in an exclusive interview with DSA. “You don’t need a team of operators if you have a team of developers.”
He added that in terms of personnel, not many people are required to perform certain operational work such as doing security updates. From a security and risk transference standpoint, it’s now the cloud vendor’s responsibility, and they’re getting paid to do it.
Mindset Change Required When Securing the Cloud
Since security has become a top priority for many businesses, Vincent gave a reminder that for any online service migration, security has to be top of mind. It starts by looking into best practices and getting a better grasp of how the cloud environment differs from the one being left behind.
For many organisations, cloud migration means that the threat surface will change. “When you think of traditional on-prem, you’re in your own data centre, with your own virtual private networks, VLANs, firewalls, and all of the other things you need to run your business, and there’s a perimeter around your environment,” he explained.
In the cloud, by contrast, everything is available to everyone at any time. According to Vincent, instead of having a single ingestion point, such as an internet-accessible proxy server that sends data to a database backend, you have many ingestion points, since you want everything to be accessible to everyone and everything is stored in the cloud. Hence, taking the same security practices that used to work on-prem and simply applying them to the cloud may be a recipe for disaster.
“We’re coming from a place of traditional security, which is bare metal and virtual machines, and you’d generally have a server with multiple services on it,” said Vincent. “So, when you’re looking at the threat surface there, if I can compromise one service, then I can pivot to other services, a database or anything.”
When things are built on the cloud, and he particularly mentioned containers, you end up with a slew of microservices. According to Vincent, one of the unfortunate habits some people have is the mindset of “I can take exactly what I’m doing in a virtual machine and dump it into a container, and then there I am, I’m in the cloud, I’m good to go.”
“We have to think about containers as microservices with isolated and host protection, and not just monolithic bare metal machines or virtual machines. So, there’s a really significant shift in the way you must think about security. Because if you think about container security the same way you think about security for virtual machines and bare metal, you’re going to do this wrong.”
Beware of Leaky Cloud Configurations
For traditional environments, a lot of focus is placed on addressing software vulnerabilities. Companies that are bringing their services online should look beyond those. That isn’t to say that software vulnerabilities don’t exist; they just aren’t the most common way for a company to be hacked. In fact, “Very few are breached through software vulnerabilities,” claimed Vincent. Instead, misconfiguration should probably be a bigger concern, along with insider threats, and state-sponsored and social engineering attacks.
He went on to say that if the software challenge (such as a software update or a software vulnerability) is the only thing being focused on, and all other factors are ignored, those neglected factors become potential entry points for an attack – especially misconfiguration.
Vincent gave a common AWS misconfiguration as an example, referring to it as “leaky AWS S3 buckets,” since people weren’t configuring them with security and authentication. “For whatever reason, the default was to make these things accessible, and people found them, and then they started looking for them because they realised how many of them were already available.” He then reiterated, “That’s not a software vulnerability; that’s a misconfiguration.”
Therefore, he emphasised the significance of identifying and maintaining minimum security requirements (your baseline) in order to prevent others from circumventing them. And, whenever there’s change, ensure that it still adheres to the same standard.
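As an added illustration of the two points above (example code, not from the interview or from Red Hat): a small Python checker that compares a bucket’s public-access settings, ACL and bucket policy against a minimum baseline, run against a constructed “leaky” configuration and its hardened counterpart. The dict shape is a simplified assumption modelled on the S3 API responses, and the bucket name and owner ID are made up.

```python
import json

# Constructed sample bucket configurations (no AWS account is used). The dict shape is a
# simplified assumption modelled on the GetPublicAccessBlock/GetBucketAcl/GetBucketPolicy responses.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

LEAKY_BUCKET = {  # the "leaky S3 bucket" pattern: nothing blocks public access
    "PublicAccessBlock": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                          "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "Acl": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}],
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
                          "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}),
}

HARDENED_BUCKET = {  # the same bucket brought up to the baseline
    "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                          "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "Acl": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}],
    "Policy": None,
}

def is_public_principal(principal):
    """True if a policy statement's Principal grants access to anyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def check_baseline(bucket):
    """Return the list of baseline violations for one bucket; an empty list means compliant."""
    violations = []
    for flag, enabled in bucket["PublicAccessBlock"].items():
        if not enabled:
            violations.append(f"public access block '{flag}' is disabled")
    for grant in bucket["Acl"]:
        grantee = grant["Grantee"]
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            violations.append(f"ACL grants {grant['Permission']} to a public group")
    if bucket["Policy"]:
        for stmt in json.loads(bucket["Policy"])["Statement"]:
            if stmt.get("Effect") == "Allow" and is_public_principal(stmt.get("Principal")):
                violations.append(f"bucket policy allows {stmt['Action']} to everyone")
    return violations
```

Running `check_baseline` on every bucket after each change is one way to enforce the “still adheres to the same standard” rule rather than checking once at migration time.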
Taking an Open Approach to Security
Red Hat is best known for being one of the world’s largest open-source companies. They create and support open-source products that are based on open-source projects. And, while open-source software has a reputation for being less secure, Vincent claims that all software, including proprietary software, is less secure.
“When it comes to bridging infrastructure and security gaps, one of the nice things about open-source is that if we have some lower moderate rated vulnerabilities that we choose not to fix because we don’t believe they’re very impactful, any customer can see that information, see that we’re not going to fix it, see potential mitigations, and they know it exists,” he explained.
Although open-source has many advantages, it does not mean that it is without flaws. In fact, open-source software poses just as much risk as proprietary software because people are the ones writing the code. He added that one of the risks of open-source is that you have to rely on upstream communities for a number of things.
“When you’re dealing with upstream directly, you really have to pay attention, know what you’re downloading, where you’re installing it,” he explained. “When you want to patch for a security issue, you have to grab the latest version, which may have the security fix but it may also have some other bug fixes, and new features.”
Although Red Hat isn’t known for being a cybersecurity company, Vincent believes they are because of their focus on security.
The Red Hat Advanced Cluster Security (ACS) solution is an example of that. He believes that ACS is a solution you should use when you’re running something like OpenShift, where configuration is one of the key security concerns. Through auditing, security-related configuration management, threat detection, and incident response, ACS provides insight into the security of your cluster, vulnerability management, and security compliance.
In addition, unlike many vendors, Red Hat offers a layered, defence-in-depth, security-as-code approach in order to enable organisations to implement security across their entire infrastructure, application stack and life cycle.