An anonymous jury of 12 security professionals representing large enterprises met during the latest Technology Conference of the Security Interest Group Switzerland (SIGS).
We worked together for an hour to qualitatively assess and rate different approaches to securing information systems hosted in the cloud.
A PDF with the complete vote results is available in the attachments below.
Summary of findings:
- Data confidentiality was considered the biggest risk.
- Identity and Access Management and Database Encryption were the favored solutions.
- Placing security governance at the right place in the organization was a top recommendation regardless of context.
- Mobile device management, a vulnerability management program, and web proxies are the baseline technical recommendations.
- Three of the five top risks have budget assigned in 2018 to address them.
- Although judged a top risk, rebound attacks have no budget to address them.
- The vendor of a cloud service not fully understanding the security impact of new technologies is considered a top risk, but there is no recommended solution.
- Everyone has budget to address application-level vulnerabilities.
- Countermeasures with consensus to recommend were vulnerability management, dynamic application security testing, web application firewalls, container security, and certificate management.
- There was no consensus on whether to recommend bug bounties, static application security testing, cloud access security brokers, passive network analyzers, or sandboxing.
- Blockchain technologies and Big Data obtained negative scores on whether they are recommendable.
- Lobbying for sectoral or national regulation and laws was not seen as a viable solution.
The attendees voted on the vulnerabilities that are most frequently attacked and, separately, on those that cause the highest damage. The resulting combined score identified "access to sensitive data by unauthorized 3rd parties" as the most significant risk. If some of your sensitive data sits on "someone else's computer", then that someone else can potentially access it too.
At the same time, the most recommended solutions were "Identity and Access Management" and "Database Encryption". When asked about this, attendees affirmed that IAM and encryption are their go-to countermeasures, even for the aforementioned risk of "access to sensitive data by unauthorized 3rd parties". If you can account for who accessed what, wherever your information system runs (cloud or not), the risk of data leaking is significantly reduced; note that encryption only keeps the data away from the infrastructure operator if the keys are not held by that same operator.
The attendees found that "placing security governance at the right place in the organization" is amongst the top recommendations they have for their colleagues. This organizational recommendation comes alongside more specific technical recommendations: use a mobile device management system, have a vulnerability management program in place, and route traffic through web proxies.
Of the top five risks identified, only three had agreement that there is budget in 2018 to address them.
Participants agreed that there was no budget to address "rebound attacks", attacks against on-premises devices that rebound off a cloud-based system.
Although a top risk, there was no consensus on whether there is budget to address "insufficiently understood impact of new technologies used by vendor".
The one vulnerability class that every attendee has budget for is application-level vulnerabilities. There was consensus to recommend the following technical countermeasures: vulnerability management, dynamic application security testing, web application firewalls, container security, and certificate management.
However, there was no consensus on whether to recommend bug bounties, static application security testing, cloud access security brokers, passive network analyzers, or sandboxing.
Meanwhile, Blockchain technologies and Big Data were not regarded as recommendable countermeasures to the vulnerabilities introduced by cloud services.
HIPAA and GDPR promise to align the interests of the data subject, such as not being discriminated against because of data mining or having their identity stolen, with those of the data processor/controller. Security professionals have often complained that business process owners are far too willing to accept risks; and yet, during the anonymous vote, the audience agreed that lobbying for sectoral or government regulation and laws was not a recommended approach to securing cloud services.
Find the complete slide deck of the vote results as a PDF in the attachments below.
I’d like to thank the attendees for participating so assiduously in this exercise and the organizers for their help in letting me give this unusual presentation during the conference.