Modern businesses are migrating to a cloud-based model for hosting sensitive data to reap the benefits of agility and cost savings as well as to keep pace with customer demand. Cloud-Native methodologies such as DevSecOps, continuous delivery, containers and micro-services are essential building blocks in the digital business revolution. However, moving information and technologies from hardware to software poses a security concern – translating to a top challenge for both IT and the C-level, as applications built on top of micro-services and containers in a Cloud-Native environment utilize a wide variety of secrets for their proper functioning.
When it comes to cloud-native data and large volumes of information, secrets can come in all forms. Though, secrets can most simply be thought of as anything that if exposed would harm business reputation – much like we've seen in the most recent hacks from HBO, unveiling unaired episodes of Game of Thrones, and the now infamous Equifax breach which exposed millions of sensitive consumer records.
Similarly, cloud-native security has many types of secrets to protect, three of the main types that must be protected in the cloud are:
■ Sensitive Security Information (SSI) is confidential business materials like revenue and profits, even cyber threat information.
■ Personally Identifiable Information (PII) is any information that pertains to you as an individual, for example name, address, social security number, etc.
■ IT Systems Security Information is the information that makes up the technology infrastructure of a company, such as encryption keys (private and symmetric), certificates, and cloud service access credentials (e.g. AWS IAM).
In an effort to not become the "next Equifax" and keep these cloud-native methodologies secure, there are several obstacles IT departments must address:
Secrets proliferation – having various secrets in multiple locations (on-premises, in the cloud and hybrid) make their management cumbersome as the secrets are decentralized and difficult to control. In addition, having secrets managed by different administrators translates to lack of control and commonly results in personnel oversight. Segmented visibility causes the confusion for local administrators because they don't have clarity of the access and usage information by different applications across the organization.
Another challenge organizations are facing are the use of dual infrastructures – legacy IT and modern Cloud-Native environments, in which keys are duplicated in both the classical IT environment as well as in the cloud. The ultimate issue lies in the reality that cloud-native systems cannot securely access resources that are external to the cloud environment.
The third issue is the high level of trust in hardware – causing it to be viewed as the security standard due to its rooted elements for securing secrets. Hardware Security Modules (HSMs) and Trusted Platform Modules (TPMs) do not have an architectural fit in software-defined security due to their physical aspects. However, given the demand for businesses to migrate to the cloud, companies are looking to overcome this obstacle. As such, cloud-native security must be scalable, interconnected and dynamic – and mirror the expanse and capabilities of the cloud methodologies while remaining as secure as hardware.
Once realizing that the above obstacles leave holes that can gravely impact business, we must comprehend the possible security breaches that are associated with lack of proper secrets protection.
A data breach, man-in-the-middle attack and certificate or credential theft are just a few examples of the potential types of cyberattacks that can occur when cloud-native secrets are not protected properly. Once hacked, business implications are costly and even devastating. Remembering back the Home Depot and Target breaches – the impact on sales was long-lasting, even for brands of their magnitude. Other implications could be law suits if you are a company who holds sensitive information like home addresses and social security numbers – much like Equifax. According to the research by British insurance company Lloyd, the damage from hacks costs businesses $400 billion a year.
The Software Vault
As potential damage of a breach is seen in reality, a different set of vault-like tools begin to emerge in the Cloud-Native ecosystem for containment of secrets. Encrypted data can rest within the software-defined vault and be transferred to applications as needed – an easy and scalable option for large enterprises. However, in the same way that a physical vault is only as secure as the hiding place of the key that unlocks it, it's content must be protected to ensure the security of the data, as it highly coveted by attackers. To keep vaulted cloud-native secrets secure, encryption keys must be safeguarded, meaning the keys require their own security measures.
There are many obstacles to overcome with a cloud-based security model – securing secrets and sensitive information is paramount in today's risk-prone world. With security breaches becoming more prevalent and brands taking heavy-hits as a result, a software-defined strategy can offer various benefits to modern companies such as scalability, agility and security. Companies who choose to utilize the power of encryption in the cloud need to secure their data in a two-fold process – the data directly and the access to it. The logistics and vastness of the cloud can at times seem daunting but proper security measures can help to make the cloud a viable and safe solution for the enterprise.