Top 7 security mistakes when migrating to cloud-based apps

As organizations rush key apps to the cloud to support remote workers, they often create opportunities for attackers. These are the most common mistakes to avoid.

digital cloud computing cyber security digital data network future picture id1216520824
iStock

With the pandemic, many businesses have moved to more cloud-based applications out of necessity because more of us are working remotely. In a survey by Menlo Security of 200 IT managers, 40% of respondents said they are facing increasing threats from cloud applications and internet of things (IoT) attacks because of this trend.

There are good and bad ways to make this migration to the cloud. Many of the pitfalls aren’t exactly new. At one Gartner 2019 meeting, for example, two IT managers stated that their Office 365 deployments were stalled because of the need to upgrade legacy equipment. Now, the way we now use—and share—our home computers has changed. Our PCs are no longer personal. That same computer may support your child’s virtual schoolhouse and your spouse’s applications, too. A survey this summer from CyberArk found more than half of the respondents save their passwords in their corporate PC’s browsers. That doesn’t bode well for any security policy, to be sure.

Here are the top seven mistakes that negatively affect security and some tips on how to avoid them.

1. Using VPN for remote access

With all the remote workers, a VPN might not be the best answer for remote access. Look at what happened in December 2020 with the FireEye hack. A compromised VPN account apparently was the hacker’s entry point to stealing its tools. In the past, VPNs were the go-to way to secure remote workers. It is far better to replace VPNs with zero-trust networks, where identity is the control plane and provides the access context. Also, you should make sure you have home-based infosec policies that have been written since the pandemic began that take these situations (such as the multi-user home PC) into account. 

2. Setting up the wrong cloud portfolio

By this I mean looking at several factors. Do you need private clouds to keep your business-critical data segregated from the rest of the universe? Do you have the right OS sub-versions available to run particular apps that depend on certain configurations of Windows and Linux? Do you have the right kinds of connectors and authentication protections to run with your on-premises apps and equipment that you don’t migrate? If you have a legacy mainframe app, you probably want to run it in a private cloud first and then try to find the right environment that comes closest to this existing mainframe setup.

3. Your security posture isn't appropriate for the cloud

Common cloud security mistakes include unsecured storage containers, poorly set access rights and authentication parameters, and copious open ports. You want to maintain a consistent security posture whether you are on-premises or connecting from Timbuktu. You also want to weave in security from the get-go before you migrate a single app over to the cloud. Johnson & Johnson did this several years ago when they migrated most of their workloads to the cloud and centralized their security model. There is help: Netflix just released an open-source tool it calls ConsoleMe that can manage multiple Amazon Web Services (AWS) accounts into a single browser session.

4. Not testing disaster recovery plans 

When was the last time you tested your disaster recovery (DR) plan? Probably too long ago, especially if you have been busy with just keeping up with the daily challenges of supporting an at-home workforce. Just because your apps are in the cloud doesn’t mean that that they don’t depend on particular web and database servers and other infrastructure elements. Part of any good DR plan is documenting these dependencies and having a playbook that describes the most critical workflows. 

Another big part of any DR plan is doing continuous testing for partial cloud failures. Chances are you will have some outages. Even Amazon, Google, and Microsoft clouds experience these from time to time. Netflix was one of the first places to make overall chaos engineering popular several years ago with a tool it called Chaos Monkey. It was designed to test the company’s AWS infrastructure by constantly—and randomly—shutting down various production servers.

Use these lessons and tools to develop your own chaos-introduced failure testing, particularly with security-related tests that reveal weaknesses in your cloud configuration. The key element is to do this automatically and continuously to reveal bottlenecks and infrastructure flaws.  In addition to using the open-source tools from Netflix, there are commercial products such as Verodin/Mandiant’s Security Validation, SafeBreach’s Breach and Attack Simulation, Cymulate’s simulation tools and AttackIQ’s Security Optimization Platform.

5. Not optimizing authentication for a cloud-majority portfolio

You may have an identity and access management, SIEM, CASB or single-sign on tool that was purchased in the on-premises era and is now not the best fit for your authentication needs for a mostly cloud and mostly remote access world. Make sure you take a closer look at these tools to ensure that they can cover the kind of cloud environment and your entire applications portfolio that will protect your systems accordingly. For example, while CASBs are great at managing cloud app access, you may need one that can work with your particular in-house custom app, work with risk-based authentication, or protect you against more sophisticated and blended threats. 

6. An out-of-date Active Directory 

“Identity is now the new perimeter and data is flowing everywhere,” said David Mahdi and Steve Riley from Gartner in a presentation. “You have to give the right people the right access to the right resources at the right time for the right reason.” That is a lot of things to get right, to be sure. This means that your Active Directory (AD) may not reflect reality, both from a list of the current and authorized users and current and authorized apps and servers. Time to get out your pruning shears. The migration to the cloud will go more smoothly if you are migrating the most accurate information.

7. Failing to seek help

Many managed security services providers (MSSPs) specialize in these sorts of migrations, and you shouldn’t be shy about asking them for assistance. You might be too busy to give the migration your full attention and drop some important aspects unintentionally. Or in the rush to move everything to the cloud, you have left open a few backdoors or introduced vulnerabilities.

Copyright © 2021 IDG Communications, Inc.

How to choose a SIEM solution: 11 key features and considerations