The rise in data breaches and other cyber security events have been making headlines and we should have a response to protect our data and critical services. This blog tries to describe the state of cyber security at a high level in layman’s terms, so that we understand what needs to be protected and from there, we are able to develop the appropriate defence in depth strategies. Defence in Depth is at the core of Australia’s response plan, as per the Department of Home Affairs’ “Cyber Shields” 

Over the last three years our data has been shifted significantly to online services. This is not just our holiday snaps, but personal identifiable information and other private information. This information can be used to impersonate us, which in most cases have devastating consequences, as they affect our finances, health, home, family and quality of life. They hit the core of our lives.

Threat actors’ modus operandi

The threat actors are organised and systematic. Often they work together, for instance, some may specialise in gathering information about potential targets. Others specialise in using that information to breach the target and then extract data. Lastly there are the marketplaces for the data where they are sold or the target organisations are ransomed to avoid public exposure of the data.

There are patterns to why threat actors are able to breach organisations. Organisations need to protect all areas that allow potential access to the data. There are numerous of these access points, for example building access and their online access points. It’s the online access points that have proliferated in recent years. Threat actors are able to find all online access points, test them for vulnerabilities and then exploit these vulnerabilities that allow them to gain access to the data.

Let’s take a simplified closer look at this breach pattern: first the online access points, then find vulnerabilities and then extract data. Online access points are not just the application endpoint (banking app, streaming, etc), but all online endpoints, like remote access gateways for working from home. These endpoints can be detected and are thus known to threat actors. Threat actors will gather information about the endpoint. With details about the endpoint, like the technologies used to run it, they go to vulnerability information knowledge bases to determine whether the technologies have any known vulnerabilities.

Technology vulnerabilities are publicly known too. They are therefore able to match a vulnerability to a technology used by the endpoint and from there they are potentially able to exploit it and gain a foothold in the organisation’s systems. The threat actors then repeat the process. Scan the organisation’s system they have accessed now, for information on technologies or other systems in the network. Typically they will find further information that allows them to move from the initial system of access to another system in the network. In some cases they are also able to find information that allow them to elevate their permissions in the environment. They repeat this process, until they find the data and then they start extracting the data. Sometimes the initial system breach provides access to the data and they can just exfiltrate the data from there. It’s also important to note that vulnerabilities are not just limited to technologies, but system configurations too, a misconfigured system or service (PaaS) could allow a threat actor to exploit the system.

New cyber concerns

There is nothing new in what has been described so far and organisations typically have well established security practices to protect against these threat patterns. What has changed is that organisations are now using cloud services and their security practices have not been updated for cloud. Moving to the cloud requires a fundamental change in how organisations think about cyber security. By design cloud has more online endpoints (APIs). We have the usual application endpoints, e.g. our online shopping services, but now all the backend management services, e.g. authentication, network, datastores, etc. are also API based. 

Traditional security practices defended the network, but in the cloud, identities are a new access point. Threat actors can gather identity information and then because the cloud authentication services are online, they can use those identities to gain access. In this case they have not had to find a vulnerability in a technology or in a configuration of a service, to gain access to the organisation’s environment. They will then use their usual techniques, after this initial access to find other systems to move to or try to elevate their permissions. If they are able to elevate their permissions they could create resources, such as servers and use them to support their activities in the environment.

Typically organisations leverage third parties for important capabilities such as backups, monitoring, etc and will also have partners for B2B functions. Often these third parties are provided elevated access to the organisation’s environment. In this case, if the third party is breached, the threat actors will have access to the organisation’s environment too, via the third party’s environment. So cloud identity is a vector of supply chain security. Supply chain security has typically only been understood and thus protected in the software context.

Cloud management and PaaS APIs also require careful configuration to ensure there are no security vulnerabilities introduced to the environment.

Defence at the cloud layer

Vault Cloud is engineered to address many of these cloud security concerns out of the box. We recognise that sensitive data needs to be protected, while still enabling organisations to adopt cloud. Cloud provides numerous benefits to organisations and therefore benefits us, the end consumer. Vault Cloud is government grade, having implemented the Australian Cyber Security Centre (ACSC) Information Security Manual (ISM) controls and the implementation of these controls have been Infosec Registered Assessors Program (IRAP) accredited.

Vault Cloud allows organisations to take control of their online endpoints (APIs) both the application and management endpoints. By design a Vault Cloud account does not allow any online endpoints. Even if someone in the organisation provisions an internet endpoint, it is only exposed once the necessary additional controls have been met. It is clear from what we see in the media that organisations are unable to control all their cloud endpoints. A big factor in this problem is that they don’t know where all their endpoints are and so are unable to secure them.

Vault Cloud provides state of the art secure internet gateways (SIG). These services allow Vault Cloud tenants to monitor their online endpoints, should they choose to have online endpoints. Vault Cloud SIG can be leveraged for web filtering, intrusion detection (IDS), intrusion prevention (IPS), Malware detection, data loss prevention (DLP), IP blocking, etc. These capabilities are backed by 24/7 Security and Network Operations Centers (SOC & NOC). The Vault personnel are subject matter experts, have government security clearance and have continuous security training.

Vault Cloud is a community cloud. Trust is important and is not fully achievable if literally anyone, including the threat actors, can leverage the cloud services your environment is built on. At Vault Cloud all new accounts are vetted for suitability. Vault is also sovereign, so entirely Australian owned and operated. This provides absolute data sovereignty guarantees.

We can see that these fundamental changes to how Vault engineered and operate its cloud services allow organisations to break the threat breach pattern that threat actors rely on. Online endpoints are absolutely controlled and known. They are then further protected by Vault SIG to control and detect what the endpoints are doing. Our accreditations ensure our Cloud services have best in class, government grade security practices to remove vulnerabilities. It is important to mention  that security is always a shared responsibility, Vault Cloud’s secure by design services provide protection at many layers, but not all.