Frank Kim, Fellow Instructor at SANS Institute, explains why posting warnings that uninvited cloud security testers and researchers are unwelcome and liable is also an important part of routine cloud security measures.
In the physical world, we are used to a variety of signs and displays indicating that a certain area is privately owned and that uninvited visitors are not necessarily welcome on the premises. Depending on the nature of the ownership and the type of activities conducted there, there may be additional fences, warning signs announcing fines and punishments, and protective measures to keep visitors off the premises.
The intention is that everyday law-abiding citizens will steer clear of private property, so that anyone who does trespass can be treated as either hostile or unknown.
Today's world of cloud deployment is in a somewhat similar situation. It is relatively easy to acquire and take possession of a cloud property. It is considerably harder to secure that property and to ensure that only legitimate visitors enter it and use the services it offers.
Cloud is a transformative and disruptive technology that has shot into the limelight since the arrival of the pandemic. It is the platform that enables teams to work remotely and collaborate efficiently during lockdowns and the post-pandemic period. Moreover, the cloud will continue to define the technology landscape for years to come.
Managing the cloud requires a good blend of skills in applications, code, and automation. Because a cloud property is so easy to enable and activate, cloud adoption is growing at a brisk pace. But the cloud security skills and investment that need to grow alongside it are not keeping pace. Securing a cloud property remains a specialized role that requires training and experience.
Various skills and roles are involved in protecting a cloud property. These include the Cloud Security Manager, responsible for leading; the Cloud Security Architect, responsible for designing; the Cloud Security Engineer, responsible for building security capabilities; the Cloud Security Analyst, responsible for enabling defenses and analyzing issues; and the DevOps Professional, responsible for building applications and systems.
By default, a newly acquired cloud property comes with only a few security fences, and it is left to the lessees, those renting the cloud space, to build their own. The ongoing lack of investment in cloud security gives rise to three types of visitor.
The first is the genuine visitor who comes and goes and consumes the services the cloud property offers. These visitors do little to threaten the existing security fences. The second group are those who have no malicious intent but are keen to test the security defences of the cloud property and, if those defences prove fallible, to offer their own expertise to rebuild them. They are cloud security testers and researchers, in a manner of speaking. The third are the malicious threat actors, who will keep aggressively threatening the cloud property once they have decided that the corporate entity and its assets are of interest to them.
In some ways, the entry of the second group, the visitor who is testing the security of the cloud property, can be as damaging as that of the third, malicious group. Owners of cloud properties need to take proactive measures, such as signs and warnings, to ward off the intrusive behaviour of cloud security testers and researchers as well, since they may unknowingly and unwittingly cause damage similar to that caused by malicious threat actors.
Not all cloud property owners invest large sums of money and sophistication in their cloud security fences. For cloud security testers and researchers, breaching a cloud security perimeter may give them access to an organization's data and assets. Further, disclosing the organization's vulnerabilities, data and assets to authorities as a way of winning business for the testers' professional services may unknowingly cause damage to the organization by exposing its data and assets to the public domain.
Posting warning signs that inform cloud testers and researchers that their activities are unwanted, and amount to an infringement carrying punishment and liability, puts the organization on the right side of the law and of compliance. The better path for cloud testers and researchers is to approach the organization with an offer of an ethical hack under clearly defined rules of engagement.