Presented by Custom Internet Services LLC

Getting Your "Digital" Clouds Under Control

The proliferation of easy-to-use cloud tools means it’s easier than ever for your business data to end up in locations you never intended, or even to be lost forever. How do you control this sprawl when employees just want ease of use? And more importantly, how do you make sure your data doesn’t get lost in this cloud universe?

Steve Strom:
Good morning, everybody, and welcome to our monthly webinar on Practical Cybersecurity.


Today, we’re going to talk about a really interesting topic as we talk about the idea of getting your digital clouds under control. The whole subject of clouds and what we do with them is really an interesting and important topic in the realm of cybersecurity. And it’s important because clouds are everywhere, and it seems like it’s so easy to use the cloud of some kind or another for some particular purpose that we want to do.


So this morning, as we talk about clouds, we’re going to talk about it primarily from the user perspective, but as well as from the business perspective too. We’re not going into the technical so much, but perhaps it’d be a good idea to begin by just asking the simple question. What do we mean when we speak about the cloud?


Well, when we talk about the cloud, the simplest definition I’ve heard for the cloud that helps me to understand what’s taking place is simply this definition: the cloud is simply someone else’s computer.


Now we have lots of examples of a cloud and clouds that can be in use. Lots of different examples of people that have created clouds or business clouds that are out there. And some of the examples of different types of clouds that we might talk about can be seen here on the screen.


You’re probably familiar with Amazon’s AWS or Microsoft’s Azure or Google’s cloud platform. And if you’re going to do things like put your infrastructure in the cloud, those are great places to do it. Many people are using Microsoft 365, which is itself a cloud product, or Google’s competitor, the Google Workspace products.

Those are all clouds. Your data, the software, the products, they all run off of the cloud.

 

You may be familiar with Dropbox. Something like Dropbox or some other services are likewise examples of the cloud ’cause you’re storing your data in someone else’s computer someplace else.

But what we often forget is that things like our security cameras or building control systems or other OT kinds of stuff may be examples of cloud products.

I’m putting in some not Ring doorbells for the competitor, and that’s going to send the video off of that up into this competitor’s cloud and that data will be stored up there. And if I’ve got a building control system or I’ve got security cameras, those may work through a vendor’s cloud. And so my data, my pictures, my video, whatever are definitely going through that and that’s an important thing to learn and to keep in place.

Then I put down here vendor specific clouds. It’s not unusual to find out that a vendor for their particular widget or whatever it is, has created some kind of a product that they’re calling a cloud product.


And at a space, wherever it is that this particular product comes back to. You’re passing data and running data on somebody else’s computer. And it could be everybody from a small one or two person shop that creates their own cloud product, quote, un-quote, to a larger vendor.

 

But whoever it is, and whatever the situation is, it comes back down to the fact that a cloud means that you’re using somebody else’s computer, and as such it means that you’re going to have your data on someone else’s computer.


So if you’ve got your data, and if you’re using somebody else’s computer, a good question to ask is what are the risks in using the cloud? In particular, what are the risks in using somebody else’s computer for this kind of stuff?

Well, some of the biggest risks that we run into as we deal with IT across a number of different clients is that sometimes you will find that cloud products are used by your employees because it’s easier to implement as a shadow IT feature, than it is to try to get with IT to get a particular service or product implemented. And that’s OK. There’s nothing wrong with doing that as long as everything is known and the risks are considered and everybody’s aware of where the data is.


Using it as a shadow IT stuff may very well be something that’s appropriate, as it’s incorporated into the regular IT of the business. That’s quite possible, but another risk with using cloud is the risk of data leakage.


We have found all sorts of ways in which data can leak from clouds.

 

We’ve seen instances where employees established a cloud service as shadow IT, but ended up using that to store business data into their personal or family type of cloud service.


Obviously, that’s gonna be a big no-no. But it happens all the time.


Or you may have a cloud provider, that because of the way that they are…because of the way they’re run and they haven’t paid close attention to whatever, or there’s an accident, or there’s hardware failure…


Who knows what it may be that you end up with some kind of permanent data loss and we’ve actually seen that on some major cloud providers that there has been permanent data loss of some kind or another and you can’t get it back.

We’ll talk about how to handle that in just a few minutes.

 

One of the scariest ones is that if you’re using somebody else’s cloud, depending on what the cloud is, it is possible that that cloud gives third party access to your network.


So let’s say that you’ve got a building control system, and that building control system runs using the vendor’s cloud. You were, in effect, trusting the vendor that they’ve got security as a top priority for their particular cloud and because it is a top priority, that means that they’re monitoring unauthorized access to it, and all of those kinds of things.

 

Because if a bad actor gets into that cloud and gets access to it and you’re running a building control system, that may mean, for example, that they’re able to unlock the doors into your facility and let somebody else in. Or it may mean that they’re able to monitor through the cameras and see what is going on.

There’s 1001 things that can happen.


So when we talk about using the cloud, it’s easy for us to sit back and think that using the cloud is a risk-free endeavor. That they’re bigger than we are. They’ve got everything all covered.

 

But in reality, when we use the cloud, when we use somebody else’s cloud, we need to evaluate it in much the same way that we evaluate anything within our network, because using the cloud does indeed come with a number of important risks. And the biggest ones that we’ve seen are listed on the screen right there in front of you.


So if the cloud means that I’m using somebody else’s computer, and if using the cloud means that there are indeed risks in using the cloud, how do I go about choosing cloud providers so that they are what I expect them to be.


Well, #1 characteristic, OK. Number one characteristic. Don’t choose cloud providers solely on dollars.


Now I realize that there’s a dollar difference in a lot of cloud providers. I genuinely do, and I realize that we all have to be careful with cash within our world that we live in. I understand that completely.

 

But if you’ve got a cloud provider who’s wanting to offer something and their price is lower for whatever reason, you need to ask the question, why are they significantly lower?

For example, it may be they’re significantly lower because their cloud is run in another country where other people have access, where they hire employees from that country and they’re under a different set of rules than we are.


You have to ask do you want your data to be going through that kind of environment?


So don’t choose based solely on the dollars. There’s much more to choosing a cloud provider than just making a choice based on the dollars.


So I begin by carefully evaluating what my use case is. It may be that what you’re trying to do can be accomplished with another cloud provider that you already have, and so rather than increasing the sprawl of your cloud network, you can keep things more consolidated and use what you have instead of using somebody else.


It may be that as you evaluate your use case that it is better to spin up something in house as opposed to going out to a cloud provider. Granted, cloud providers are easy. They’re fast. They can be quick, I understand that, but it may not for your use case be the best evaluation. The best way to go with regards to your situation.

 

And then when you talk about your cloud providers, you’ve got 1001 other things to consider.

 

Now note that this list of items to consider, it’s not an exhaustive list. There are other things that you may want to consider besides these, but as you’re choosing a cloud provider, one of the things in today’s world that you have to consider, whether we like it or not, is that you have to consider the political landscape.

 

Does this cloud provider host your data in a country that is not friendly to the US? And if so, you’ve got to take a look at it.


Does this cloud provider host data in a country that is contrary to some particular security regulations you have? You may for example have GDPR which requires your data to be hosted in specific locales. Does this provider host things where it matters?

So the political landscape is a really important thing to consider.


I got ahead of myself when I mentioned GDPR, because that comes down into compliance requirements.


It is not at all unusual that you’ve got compliance requirements for certain kinds of data that you have. And so as you consider that data, ask yourself, does that cloud provider meet the compliance requirements that I have for this particular data? If it does, great. And if it doesn’t, then you may need to look at something else.


The next item to consider is one that we don’t like to think about and don’t like to often do. But have we considered the terms of service under which that cloud provider runs? Now, in terms of service, I mean that long document that we all agree to whenever we sign up for something online and that long document that talks about how that cloud provider runs. And legally, what the responsibilities are of both parties and all those kinds of things.


Have we read the terms of service?


It’s really important to do that and to understand what the terms of service state, so that you can make a competent informed decision on whether or not you’re going to use that cloud provider. For example, I’ve seen terms of service that state that any data that you put up in that particular cloud provider, that they do not guarantee that your data is secure, but rather if there’s any data loss that’s all on you.


So the terms of service would tell you right off the bat whether or not what the requirements are and what the provider’s responsibilities are in the event of data loss. And that’s something we should know.


We go into this assuming that cloud providers are going to keep all of our data and it’s never going to disappear, but that’s not the way life works.


Or another thing that we’ve seen: I’ve seen terms of service that basically state that any data you place in that cloud provider becomes the property of that cloud provider.


Well, so what does that mean?


Does that mean that they can use your data to begin training AI models? Or what does that mean to say that your data is now their property?

 

So understanding the terms of service is really critical as you choose a cloud provider so that you know what you’re getting into. You know, legally, what your responsibilities are, what the provider’s responsibilities are, and you can make appropriate ways to handle the risk that you discover that might come up.


If you’re dealing with a, particularly a smaller cloud provider, a vendor of some kind, smaller vendor of some kind, you may want to take a look at the cloud provider security certifications.


Now I do realize that there’s a project out there that tries to come up with a long list of things that you can send to any cloud provider you’re considering using, and come back with some kind of evaluation of what their security is like. That is a problem in that a lot of cloud providers don’t want to fill those out or don’t want to take the time or they’ve got a general statement within their FAQs or something like that.


So whether or not you can evaluate the cloud provider security certifications, whether it’s ISO or whatnot, is something that you should consider, but particularly if it’s a smaller vendor type of thing, not one of the big players, that would be worth looking at. And as you consider your cloud providers, another area that I would look at is what’s the general industry acceptance of that particular provider?

Is this something that other peers within my industry group have found useful and are using? Or is this something that my peers within the industry group and other industry groups have kind of shied away from? And if so, why?


So as I look at the idea of how do I choose cloud providers, these are some of the things that I would consider.
Like I said, it’s not an exhaustive list, but they are indeed some of the things I would consider if I look to implement a cloud within my environment.


Well, the question comes up though, how do I know what clouds are already in use within my environment?

 

For example, if I’ve got shadow IT and I’ve got employees that have signed up for clouds, how do I know what is there and what’s being in use. And indeed, how do I know if it’s being in use, whether or not it’s approved? What do I know about this?


Well, there’s a number of services out there that will let you discover. It will interrogate and evaluate your environment and let you discover just what cloud services are already in use within your environment.


I mentioned one on the screen, a SaaS management service that will discover, one thing named Saslio. I believe it’s now owned by AVEC, if I remember right.


But you can run this within your environment and it will let you see what’s there.
And that’s a good way to discover shadow IT, things that people have signed up for that you weren’t aware of on there. Good thing to do.


But the interesting thing is, and this is really cool, if you’re running the Microsoft products, and we have a lot of our clients that run Microsoft 365 Business Premium, if you’re running Microsoft 365 Business Premium, you find that this cloud evaluation, this cloud interrogation that’s looking for what’s being used is already built into Microsoft 365 Business Premium.

 

And so you don’t have to go paying for something else. It is already part of what you’re paying for if you use the Business Premium or the higher tiers like E3 and E5.

If you wanna look at that, you will find that the cloud application stuff is built into the security dashboard that’s all backed up by Windows Defender. And if you’re using Business Premium, man, there is no reason not to use Business Defender. Every reason in the world to use Business Defender if you’re using Business Premium.

 

So that’s already tied into the security dashboard and that already will help you create an inventory of what clouds are in use, so you can come back and you can evaluate whether or not those clouds are authorized and you want to have them there.


Just for interest, I pulled up a copy of the screen from our Microsoft tenant, just a little piece of the screen of what’s currently in use within our tenant, and you can see as you look at the security dashboard that it has the Microsoft Defender stuff. And one section, as you scroll down, deals with cloud apps. So you can deal with cloud apps.

 

If we were to scroll down on the screen, and I didn’t do that, so we could look at, if you were to scroll down, you would find that it addresses all of the different apps that you have used. You can click the discovered apps tab for example, and find out what cloud apps are being used within your organization.

 

This is important, guys, because this helps you understand what’s being used that is not approved and authorized by your organization.

 

OK, so the cloud discovery is all built into it. You can set up, decide which policies, set up policies for what’s approved and what’s not. A lot of stuff you can do here to help manage your cloud. And I would really encourage you to do that.

So if I’m looking to using cloud, if I understand that cloud means somebody else’s computer, if I understand that, that means my data is going to go onto somebody else’s computer someplace, how do I manage the cloud risk that is associated with my data being on somebody else’s computer?


OK, this is not an exhaustive list, but let me suggest just a few items for you to consider as we think about how we can manage cloud risk on this particular situation.


Probably the first thing I would begin doing as I talk about cloud items is that I would sit back and consider what cloud services I actually need. And I would only use the services that I actually need. Because it’s so easy to point and click, put in a credit card, and sign up, you can find yourself with a cloud sprawl before you know it, and you can find yourself with clouds that you didn’t even know that you were using being used by people within your organization.


So I sit back and evaluate what services I actually need. And then as I sit back and begin thinking about services I actually need, I would limit integration to my network from these services.

 

By that I mean sometimes you’ll have cloud services that have to have some kind of a tie-in with Entra ID and you have to build some kind of tie-in for that service to work. Or you may find that that service runs an agent on your particular network and it pumps data from your live endpoints back to the cloud.


I don’t know what the situation is, but I would really consider what integration from this service do I need and is it really something that I have to have.

 

We talked about already that as I manage cloud risk that I really think about the political landscape. And so I’ve made choices in our organization not to use certain services, for example because they went to countries, they passed data through countries that were not friendly to the US. And that’s going to become quite possibly a bigger and bigger issue as we move forward.


I don’t know where this is going to go with the political landscape at this point in time, but it’s something that we should consider and we should be cognizant of as we begin thinking about and considering what clouds we’re going to use.


I would also, if I’m going to use clouds within my organization, I would establish some kind of business policy on what clouds are used, what clouds will be used, who makes the decision, who gives the approval on whether or not those clouds are used, how we manage the login credentials so we don’t suddenly find ourselves without access to a particular cloud environment that we’re paying for.

 

And I would do that because the goal is to try to stop–you don’t want employees to go establishing private personal clouds for one reason or another. In the same way, if we’re going to establish business policy on that, I would be sure that people for any cloud that’s established that we signed up with our business credentials and not with our private credentials.

 

I’ve seen that happen before where organizations let somebody sign up for a cloud, that sign-up was done under personal credentials. Data was stored in that cloud for the organization and then when that employee left, access to that data was gone because the business data no longer had access to those private credentials.


So I would really go through and establish business policy on how are we going to do this? How are we going to set it up? Who makes the decision on what we’re going to have.


I would also understand implementation directions and I would sit and look at the implementation directions from a security-first mindset. Does that cloud allow us to establish 2FA? And I would enforce as part of my business policy that all cloud providers have to have 2FA and they have to be established.


Does that cloud provider if I’m using AWS or something? Do I understand all the settings between AWS and Azure for example so that I can store this database out there securely?


You would be amazed at the number of leaks of data that have come simply because people set up clouds incorrectly. And so if we’re going to set up a cloud, it isn’t secure all by itself automatically. We have to understand implementation and understand how we’re going to set that up.


We talked about under the terms of service, how that sometimes you’ll read cloud terms of services where it says the cloud provider is not responsible for your data. And so if that data is lost, that is on you if that happens.

 

Because of that, I would be sure and backup all my cloud data. If you’re running Microsoft 365, you’ve got OneDrive, you’ve got e-mail, you’ve got calendars and contacts. I would still back all of those things up, even though they’re in the cloud, because you don’t know what’s going to happen.


We had an incident not too long ago. It wasn’t one of the big ones, it was more like a second tier cloud provider, where a bunch of e-mail data was lost for that organization because that cloud provider lost it.


I would backup cloud data.

Backups are not that expensive. They are cheap anymore. If you wanna talk about backups, give us a call. We can help you figure that out.

 

But I would back up my cloud data so that it’s available someplace else besides just within the vendor’s cloud.


And probably the third thing I would do if I’m going to go and set up some kind of a cloud service, particularly in Google Cloud platform, AWS, Azure or even some kind of SaaS application, I would consider having a third party review. Get another set of eyes out there on it to look at it and to see whether or not we’ve done what we need to do to build out a security-first implementation in using that particular cloud platform.

 

Well, there’s no doubt cloud platforms have brought a lot of new availability to organizations and a lot of new capabilities to organizations. There are a lot of good things and I’m sure at all, I’m not saying don’t ever use the cloud, rather they’re part of life today and they can do a lot of good things.

 

But as you do it, let me encourage you to think through. Don’t just assume because clouds are so easy to use, that they’re safe and they’re secure. And automatically everything’s fine.


It’s not.


And many times the responsibility is on you to configure things and get it right so that your data is secured. If you end up with questions about how to do this, feel free to get in contact with us. You can see some e-mail address, phone number. We’d love to hear from you.

 

If you’re watching this later on YouTube or something, feel free to contact us if you have questions and we’d be happy to discuss with you as we would love to help you learn to get your digital clouds under control so that all of the data from your organization is secure and they’re running in an environment with security first.

 

All right.


Hey everybody. Thank you very much for stopping by and watching this.


We appreciate it.


We’ll see you next month on the next episode. All right, goodbye.


Steve Strom, Owner of Custom Internet Services LLC

About the Presenter

Steve is the Owner and CTO for Custom Internet Services. He has over 20 years of experience in Information Technology and taught IT for 13 years at the college level. He holds several IT certifications from Microsoft and CompTIA and has served as a reviewer or technical editor for several Microsoft certification course books. His cybersecurity experience includes holding several Global Information Assurance Certifications (GSEC, GCIA, GCIH, GCFA, GWEB, GICSP) as well as the NSTISSI 4011 sponsored by the Committee on National Security Systems.
