to deliver than those coming from the current human consultancy
method. Similarly, a radiologist who needs 13
years of high-level education to read and diagnose diseases
from X-ray images may soon be replaced by someone with
far less formal education who can leverage ML technology.
For companies, the question is shifting from whether they
should adopt these new technologies to how they can adopt them
more quickly. The public cloud offerings from AWS, Azure
and Google offer great platforms for a company to start its
technology transition. There is in fact a rush to this transition,
as evidenced by the massive growth in public cloud
migration. This, however, has led to new potential security
problems resulting from improperly planning and executing
the cloud migration.
Major Data Breaches
When it comes to cybersecurity, there are several areas that
need attention. One that stands out is the ability to protect
your cloud identity and access management (IAM) system.
The IAM system is a strong control and can protect your
data and resources when properly managed. If improperly
managed, there can be severe data losses. Here are a few
examples of data breaches caused mainly by poor IAM
management:
• 2013: The NSA/Snowden data breach, in which an
insider who had full access to many internal systems
shared top secret data with other organizations. A
lengthy forensic investigation ended without a solid
conclusion due to the lack of auditing records during
the events. Snowden would have had a hard time
executing the breach if the NSA had enforced auditing
controls and proper IAM access control with
multi-factor authentication (MFA).
• 2014: Codespaces.com went out of business when
its cloud services and data hosted on AWS were
hijacked and destroyed by a hacker because of an
unfulfilled ransom request. This is another case of no
MFA enforcement.
• 2017: The Equifax data breach, in which attackers
accessed a database that contained unencrypted credentials
that they then used to access other internal
databases, resulting in a leak of the records of an
estimated 147 million people. This is also a case of
privileged accounts without MFA. Enabling MFA
could have prevented the hacker from accessing
other systems by merely using stolen passwords.
44 | THE DOPPLER | FALL 2019
• 2019: Facebook’s 540 million-user data breach, in
which user accounts were stored in an open access
S3 bucket by third parties who had access to the
data. If Facebook had followed AWS best practices for
S3 bucket access control policy, the breach would
never have happened. AWS policy stipulates that an S3
bucket should not have open access to everyone. An
S3 bucket that stores data must have a policy that
limits access only to its rightful owners.
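The S3 point in the last bullet can be checked mechanically. The following is an added example, not code from the original article: a small Python audit that flags Allow statements in a bucket policy that grant access to everyone. The sample policy, bucket name, account ID and org ID are constructed placeholders, and the list of restricting condition keys is an illustrative subset; bucket ACLs and account-level Block Public Access settings are outside its scope.

```python
import json

# Condition keys that narrow a wildcard principal to known callers.
# Illustrative subset chosen for this example, not an exhaustive list.
RESTRICTING_KEYS = {"aws:principalorgid", "aws:principalaccount",
                    "aws:sourcevpce", "aws:sourcevpc", "aws:sourceip"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard_principal(principal):
    """True for "Principal": "*" and for {"AWS": "*"} style principals."""
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"

def _restricted(stmt):
    """True if a positive condition pins the caller to a known scope."""
    for operator, block in stmt.get("Condition", {}).items():
        if "Not" in operator:          # negated match does not narrow an Allow
            continue
        for key, values in block.items():
            wide_open = {"*", "0.0.0.0/0"} & set(_as_list(values))
            if key.lower() in RESTRICTING_KEYS and not wide_open:
                return True
    return False

def open_statements(policy_json):
    """Return the Sid (or index) of each Allow statement open to everyone."""
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    return [stmt.get("Sid", f"statement[{i}]")
            for i, stmt in enumerate(statements)
            if stmt.get("Effect") == "Allow"
            and _wildcard_principal(stmt.get("Principal"))
            and not _restricted(stmt)]

# Constructed sample policy; bucket name, account ID and org ID are placeholders.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OwnerOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OrgRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
]})

if __name__ == "__main__":
    print(open_statements(SAMPLE_POLICY))
```

Only the first statement is reported: the second names a specific account, and the third uses a wildcard principal but is limited to one organization by its condition.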
Golden Keys to Cloud Kingdoms
One of the benefits of the cloud is its ability to help your
organization deploy your cloud applications quickly, and
store data redundantly. Agility is the goal, but to achieve
this, your application, operations and security teams may
need the next level of training and preparation to adapt to
the nature of cloud services. However, typical early cloud
adopters tended to start with a proof of concept (PoC) by
someone in the organization. The PoC would then turn into
something larger, with applications and data. But there
would be no formal enterprise process to strategize and
assign proper access control policies to the resources in the
cloud. It is often the case that a new cloud deployment is
fully owned by a small group of people, if not just one or
two, who have full access to all cloud resources. These people
hold the golden keys to your cloud kingdoms.
DevOps and DevSecOps
DevOps and DevSecOps are the new models of rapid development
and innovation in the cloud. These models demand
that software developers either transform into full-stack
developers or work very closely with operations (DevOps)
or security and operations staff (DevSecOps). The end goal
is that developers and their supporting operations and
security counterparts will join forces to create some automation
scripts to quickly and securely deploy applications,
along with infrastructure and tools, in the cloud. Sometimes
the new cloud-aware developers prefer to work and control
their cloud applications and infrastructure independently