Securing Public and Private Cloud Application Services to Close Attack Launching Points
Cloud application services are great for any business, but things can go bad very quickly when cloud applications are compromised and used as attack launching points. It is crucial for businesses that fall under the PCI regulatory umbrella to head off these attacks and protect the data that is shared with cloud applications. Champion works with financial organizations to identify security issues and implement security improvements for cloud application services, all while ensuring the services align with the institution’s overall security posture.
Cloud Applications Are Under Attack
According to a “State of the Internet” report by Akamai, a major player in the content delivery network sector, the number of attacks initiated against cloud-based resources has jumped sharply. Akamai also reported that roughly 60% of DDoS attacks were launched as multi-vector attacks or as distributed DDoS attacks, making the defense of cloud-based applications and data an increasingly difficult task. That difficulty is reflected in the reported 26% increase in attacks against cloud-based applications.
For both public and private cloud-based applications, the biggest challenge comes from DDoS attacks. This includes the compromise of one or more cloud-based applications with bots, which can then be used to launch multi-vector or distributed DDoS attacks against a target company.
As the financial industry moves toward deeper and more reliant relationships with cloud-based application services, the security emphasis for 2017 must include a viable, multilayered solution that addresses both a financial institution’s cloud-based applications and its internally hosted applications. And while cloud security is a newer concept in the financial world, it must be considered in any security posture. It is important to note that, cloud or not, any application a business runs will have vulnerabilities, and these vulnerabilities will need to be addressed promptly and comprehensively.
Adding Layers to the Security Onion
When working with a financial organization to further secure its private and public cloud applications, it is important to keep the process both simple and comprehensive. Here are three primary focus points, which can be expanded or adapted to a client’s particular business needs:
1) Know what the ultimate security posture goals are and how they meet or exceed an organization’s regulatory and customer obligations
For example, there are varying levels of PCI DSS compliance, so a financial organization that needs to adhere to Level 3 PCI compliance will have different needs than an organization that needs to meet Level 1 PCI compliance requirements. This includes discovery into how compliance regulations apply to cloud applications and any data used by these applications.
One misstep I often see in this area is when an organization moves an application from physically based to cloud-based; the organization sees the application as no longer needing to meet PCI compliance because of its move to the cloud. This is simply not true; any application that is subject to regulatory compliance will always be subject to regulatory compliance, regardless of whether it is physical, in the cloud, or both. Another potential issue I see far too often, and mostly in the public and hybrid cloud space, is a lack of understanding regarding the security model for shared applications. Although most cloud services will handle the security and patching aspect of the application infrastructure, the business is typically responsible for application-level security, such as access accounts and application-layer security functions. This can vary greatly from business to business, so it is important to have these security aspects of any cloud-based services well documented and drawn out as concisely as possible.
2) There will need to be a change in your data, infrastructure, and cloud security policies
If a business is new to the cloud, it typically becomes necessary to recreate the organization’s security posture. This becomes especially important for those financial institutions that move transactional data into the cloud or some other form of dynamic, always-in-motion cloud data.
3) You must treat your cloud-based applications and services as if they were on your network
This applies regardless of how much, or how little, involvement you have in managing the overall application. By taking the “I own it” approach, you ensure not only that your organization’s security policies are applied and followed, but also that the organization keeps the upper hand in the security management of these systems, including during regulatory audits.
You Will Want Help
Champion works with those in the financial industry to instill and maintain a high level of security when cloud-based application services appear on a business’s horizon. We work with you to engineer and implement a multilayered solution that addresses your security needs for private, public, or hybrid cloud application services. We work with you to align your cloud needs with an industry-leading host, such as Microsoft’s Azure Cloud Services, while bringing top-notch multilayered tools like QRadar and Carbon Black into the fold to harden your environment.