Security challenges in flexible, state-of-the-art cloud environments

Misconfigurations - underestimated risk with major implications

All the market-leading cloud platforms, whether Amazon Web Services (AWS), Google Cloud Platform (GCP) or Microsoft Azure, provide access to complex technologies in just a few mouse clicks. In the day to day, misconfigurations can happen due to mistakes or insufficient training, which can result in devastating consequences for companies and their customers.

One possible fallout is third parties gaining unauthorized access to sensitive information, such as personal or company data. This can result in considerable financial and reputational damage for companies.

Misconfiguring cloud and security functions seriously endangers the three essential security goals of confidentiality, integrity and availability. By using automated scans, attackers can look for and exploit these vulnerabilities to gain access to data and internal company networks, or carry out further attacks against the company and third parties.

Contemporary reaction time through automation

Tackling security gaps generally involves multiple steps, such as identification, evaluation, analysis and the ensuing reaction to an incident. However, the quick and easy provision of cloud technologies demands a more efficient response. Threats arising from misconfiguration, among other things, must be immediately identified, dealt with and applied to the entire cloud environment.

As manual processes cannot achieve the speed and efficiency required, we recommend that companies leverage the flexibility of the cloud environment and minimize manual user intervention. Automating relevant processes such as enforcing compliant configurations not only boosts security, but also allows companies to access the full potential of cloud environments.

Compliance management as integrative approach

To comply with regulatory and organizational requirements, companies must take various standards and best practices into account in a comprehensive IT security concept. Their cloud services must be seamlessly integrated into existing frameworks - otherwise they cannot ensure compliance with national and international standards and laws, such as ISO 27001, NIST or the EU's General Data Protection Regulation (GDPR). Non-compliance can result in a loss of trust on the side of customers and suppliers, as well as legal consequences.

To ensure their IT security compliance, organizations can follow the requirements of these industry-wide IT security standards to implement tailored measures (controls). Companies must establish a control framework that is tailored to the unique needs of their business. And, to guarantee continual compliance, this framework requires constant monitoring.

Misconfigurations corrected, almost in real-time

Integrating Deloitte Fortress, thereby establishing a solid control framework, enables cloud users to address all these challenges efficiently. Configurations that we recognize as secure are confirmed with our clients before they are automatically implemented in their cloud environments. We also support our clients to define and apply appropriate settings.

The bedrock of Deloitte Fortress is a protection requirement analysis tailored to our clients’ security needs, performed in advance for all relevant cloud services. This ensures all relevant cloud configura-tions are adapted to individual security requirements.

One straightforward example is differentiating applied rules between test- and production environments. After the desired configurations for relevant cloud services are defined, they are automatically applied within 2 minutes - whether during the initial setup or for changes to services already in operation.

Comprehensive and transparent compliance management

Our support services that define suitable configurations go one step further. Our technical controls selection is based on a broad framework of various IT security standards and industry-established best practices. This enables the direct assignment of regulatory and organizational requirements to rule sets that are applied automatically, allowing our customers to achieve and trace compliance with all technical controls for the entire cloud environment.

Deloitte Fortress’ freely configurable dashboard shows which technical rules were enforced within the respective cloud environments in a transparent way. This not only provides organizations with an overview of automatically resolved vulnerabilities but also enables them to trace compliance with standards of choice and to prove it in an audit.

Our customers can also use this information to identify their employees’ training needs in a systematic way. The knowledge base, which we can establish if needed, provides each employee with tailored information. This allows companies to achieve the most important non-technical requirement of many IT security standards: efficient and targeted employee awareness training.

Deloitte Fortress functionality and components

Deloitte Fortress’ secure configurations and compliance scanning are fully automated and performed almost in real-time, efficiently supporting the cloud services’ protection mechanisms and reducing the burden of IT administrators. If a misconfiguration is automatically corrected, the initiator receives an email notification of the incident. These notifications can also include references to relevant knowledge base entries and policies, if desired.

As only cloud-native services are used to implement Deloitte Fortress, only two components are required: an event hub and a serverless function. The event hub registers every creation and change event and then compares it with implemented rule sets and configurations that align with compliance requirements. If a configuration violates a control and/or rule, the implemented serverless function will automatically correct the misconfiguration, submit information to the central dashboard and optionally create a ticket (e.g., in ServiceNow) as well as notify the initiator.