close
Share with your friends

In the early days of enterprise cloud usage, security was a major concern. But the cloud service industry has matured, and current cloud providers now offer a suite of built-in tools to support security processes and a formidable array of cyber defenses. But these new tools may provide a false sense of security. The perception now is that if it’s in the cloud, it must be secure. But putting applications in the cloud doesn’t automatically make them safe.

The move to Platform as a Service (PaaS)

To clarify, the type of cloud platform we’re discussing here is Platform as a Service (PaaS). Moving to PaaS often involves a ‘lift and shift,’ with the application being re-deployed onto the cloud provider’s infrastructure with little else changing. But the move can offer an opportunity to enable many of the additional security features provided by the cloud provider to protect the application better. These include web application firewalls, improved data security and automated backups.

The move to PaaS can also be used to ‘open doors’ to the application, which previously resided in a closed data center with inflexible, often stifling rules. The move to the cloud is liberating — there’s no longer the need to deal with (often outsourced, SLA-driven) firewall administrator teams, and applications can just be opened with a few tweaks to the web application firewall guarding the system.

Even though developers often hated the clunky-ness of the closed data center, it did provide a level of security. The virtual private network connection offered an extra degree of authentication, for example, as part of a multi-factor authentication approach alongside more traditional passwords. Although there may be some security and usability pros and cons, for the most part, there’s no discussion — the cloud support cost savings drive the decision.

A quick case study

Consider the hospitality industry. Hotel chains often don’t have an integrated IT environment across all brands, let alone a single corporate data network. Yet, the booking system can be the cornerstone of a hotel’s revenue assurance and standard across all hotels. These critical systems with high availability requirements end up exposed to the internet. Moving these legacy applications to the cloud makes a lot of sense.

In one recent incident, a company experienced a data breach through a hospitality management system, which led to the compromise of a large volume of sensitive customer data. The application was exposed to the internet, but it did require a valid rotating username and password. The application had undergone regular rounds of penetration testing and was protected by a web application firewall, but it was missing the gold standard of authentication — multi-factor authentication (MFA).  

The attacker had obtained the application’s administrator’s password (not the whole cloud instance, just the application) and worked out how to access full customer account details. Using a simple approach to automation, they were able to exhaustively work through many customer identifiers, extracting large volumes of data quickly.

But what about the additional security offered by moving to the cloud?

The security monitoring tools did identify a spike in traffic and highlighted it to the analyst for review. However, the attacker had used their automated tools on the high-performance cloud application to extract all the records they needed well before the analyst could investigate. Ironically, had this attack occurred on an under-powered legacy data center, it might have taken longer, and the analyst might have had time to intervene. Even then, the timescales for action would have been demanding — and an hour can be a long time when dealing with a determined attacker.

Retroactive security

The organizations that scrambled into the cloud during the pandemic are beginning to retroactively review their applications' security. They now realize the gaps in their cloud security control environments, including the absence of MFA. MFA can’t repel all arrows launched by hackers, but it’s a good step forward and better than just relying on password authentication alone.

KPMG’s incident response experience suggests that cyber criminals are becoming much better at extracting value from compromised computers systematically, including reviewing saved browser passwords and trying them across multiple systems.  An attack against a hospitality application may have been opportunistic — a computer hacked by run-of-the-mill malware. But once inside, the approach is systematic, with the malware ‘phoning home’ to the criminals who then realize they have an opportunity worth exploiting.

Four key lessons from the pandemic

The pandemic has accelerated our move to the cloud. Learning from cloud incidents is critical to surviving in the new reality. Here are four key lessons to consider.

  1. Incident response on cloud applications must be automatic to be effective. It’s too late otherwise. Playbooks must be code, not manual, and need to block and contain attacks to buy incident responders time.
  2. Incident responders and red teamers can work together to simulate various breaches and establish sensible automatic reactions and responses.
  3. Analysts should focus on the early stages of an attack if they can. Even the smartest attackers look around before they strike. This stage provides early warning that something is amiss.
  4. And of course — multi-factor authentication. It’s better than relying on legacy passwords alone.

Throughout this website, “we”, “KPMG”, “us” and “our” refers to the global organization or to one or more of the member firms of KPMG International Limited (“KPMG International”), each of which is a separate legal entity.