STE WILLIAMS

Tune in next month: Learn all about the hackers staring down Singapore, Australia

Webcast: We all know there are miscreants out there looking to break into our computer systems and steal our data – we even know how it’s done.

Having said that, it’s all too easy, and therefore wrong, to assume hackers and their victims are the same the world over: each country is set in its own unique environment of cyber-threats. It’s time to dig deeper, and we have just the ticket.

In our webcast on 9 October, US-based cybersecurity company Carbon Black will reveal what it has learned from its latest research into global trends, and will highlight two nations in particular.

In Singapore, the biz discovered the threat of cyber-attacks has grown dramatically, with volume of intrusion attempts and other forms of assault increasing exponentially in the past 12 months. In particular, IT leaders report that Singapore’s strong government and local authority sector has proved a magnet for cybercriminals who have consistently stepped up the pace of their incursions.

In Australia, businesses reported that attack methods have become increasingly sophisticated and complex, making database and network breaches almost unavoidable. Nearly all the organisations participating in the study – 97 per cent – said they had suffered one or more computer security breaches following external attacks in the past 12 months.

The webcast will dive into what differentiates these two countries, and what they can do in response to miscreants gathering at their network perimeters.

How should organisations set priorities, keep up to date with the threat landscape, and plan for whatever may lie ahead? What tooling and processes are businesses using to defend themselves against rising threat levels?

Tune in for some valuable lessons on what you can do to fend off cybercriminals.

Sign up for the webcast, brought to you by Carbon Black, right here.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/26/webcat_carbon_black_security/

Accept certain inalienable truths: Prices will rise, politicians will philander… And US voting machines will be physically insecure

The United States’ electronic ballot boxes are as vulnerable as ever to physical tampering by hackers. So says this year’s DEF CON Voting Village Report, which summarizes the findings of infosec experts who picked apart the various vote-casting computer systems in use today by cities and counties around the country.

The report [PDF], penned by voting village coordinators Matt Blaze, Harri Hursti, Margaret Macalpole, Mary Hanley, Jeff Moss, Rachel Wehr, Kendall Spencer, and Christopher Ferris, notes that conference attendees had no problem cracking into the machines at first sight.

Specifically, the computers could be compromised or tampered with by those with physical access to the equipment, such as miscreants on election days or corrupt poll officials. The fear is that tallies could be altered in a way that can’t be detected or thwarted.


“In many cases, the DEF CON participants tested equipment they had no prior knowledge of or experience with, and worked with any tools they could find – in a challenging setting with far fewer resources (and far less time) than a professional lab (or even the most casual attacker) would typically have,” the report, emitted publicly on Thursday, notes.

“In most cases, vulnerabilities could be exploited under election conditions surreptitiously by means of exposed external interfaces in the machines accessible to voters or precinct poll workers (or to any other individual with brief physical access to the machines.)”

Basically, the organizers say, voting systems are just as vulnerable as they had been shown to be in past years. At this year’s conference, the attendees once again met little or no resistance getting into the machines and manipulating everything from vote counts to the system firmware or BIOS.

In many cases it was found that the voting machines were little more than commodity PCs, and poorly secured at that. Things like default passwords, exposed ports and card slots, and accessible drives all made manipulating the voting machines a breeze.

[Image: one of the hacked machines at the Voting Village, DEF CON 2019]

In fact, the dossier states, voting machines are so vulnerable to tampering that the only effective remedy, for now, is to go low-tech and back them up with paper ballots and human audits that can be used to verify votes and detect when machines are tampered with.

“It is beyond the current and foreseeable state of the art to construct computerized (software and hardware based) voting devices that effectively resist known, practical forms of malicious tampering,” the team concluded.

“However, this need not mean that elections must forever be vulnerable to compromise. Certain classes of voting equipment, including some (but not all) of the devices displayed at the Voting Village can still be used to conduct high-integrity elections – in spite of their vulnerabilities – by conducting statistically rigorous post-election audits.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/26/defcon_2019_voting_report/

DoorDash doesn’t just pick up your food orders, it delivers your data to hackers, too

Gig-economy delivery app maker DoorDash is so, so sorry this Thursday after hackers gained access to nearly five million of its customer accounts.

The dial-a-serf service said that on May 4 of this year some miscreant was able to break into one of DoorDash’s technology providers, and view account information including the physical addresses of punters, order histories, phone numbers, and hashed and salted passwords, plus the last four digits of some users’ credit card numbers or bank accounts.

The mobile application basically works like this: if you want some food delivered from a restaurant, say, DoorDash will marry a driver to your order, so that they pick it up when it’s ready, and drop it off to you. It’s like Uber or Lyft but for takeout.

“Earlier this month, we became aware of unusual activity involving a third-party service provider,” the DoorDash team said in its mea culpa.

“We immediately launched an investigation and outside security experts were engaged to assess what occurred. We were subsequently able to determine that an unauthorized third party accessed some DoorDash user data on May 4, 2019.”

Additionally, DoorDash said the intruder was able to view 100,000 driver license numbers belonging to folks who deliver stuff via the software.

“Approximately 4.9 million consumers, Dashers, and merchants who joined our platform on or before April 5, 2018, are affected,” DoorDash said in its disclosure. “Users who joined after April 5, 2018 are not affected.”

The delivery service says it will reach out directly to notify those who were exposed. Here’s a full list of what may have been accessed by the hackers, according to DoorDash:

Profile information including names, email addresses, delivery addresses, order history, phone numbers, as well as hashed, salted passwords — a form of rendering the actual password indecipherable to third parties.

For some consumers, the last four digits of consumer payment cards. However, full credit card information such as full payment card numbers or a CVV was not accessed. The information accessed is not sufficient to make fraudulent charges on your payment card.

For some Dashers and merchants, the last four digits of their bank account number. However, full bank account information was not accessed. The information accessed is not sufficient to make fraudulent withdrawals from your bank account.

For approximately 100,000 Dashers, their driver’s license numbers were also accessed.


So far, DoorDash says it does not believe any of the passwords have been cracked or any of the account numbers used to make fraudulent charges – DoorDash notes that the exposed info on its own would not be enough to make a charge on an account. However, it is still advising customers to change their account passwords and keep an eye on their bank statements.

If you reused the DoorDash password on another site or service, it would probably be wise to change that password as well (and, while you’re at it, stop re-using passwords.)
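What “hashed, salted passwords” buys the exposed users, and the caveat behind the advice above, as an added example (this is not DoorDash’s code, and nothing on the page says which hash or work factor DoorDash uses). A per-user random salt plus an iterated key-derivation function, PBKDF2-HMAC-SHA256 from the Python standard library here, makes a leaked credential table useless for precomputed tables and expensive to attack, but whoever holds the records can still guess weak or reused passwords offline, which is exactly why reused passwords need changing. The iteration counts are assumptions; tune them so one hash costs a few hundred milliseconds on your own servers.

```python
# Added example, not DoorDash's code. Iteration counts are assumptions.
import base64
import hashlib
import hmac
import os
from typing import Iterable, Optional

DEFAULT_ITERATIONS = 200_000           # assumption: tune to ~250 ms per hash on your hardware


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (base64)."""
    salt = os.urandom(16) if salt is None else salt       # 128-bit random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algorithm, iterations, salt_b64, hash_b64 = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type {algorithm!r}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(hash_b64))


def crack_with_wordlist(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """What the holder of a leaked record can still do: guess offline, one KDF call
    per guess. The salt forces the work to be repeated per record and defeats
    precomputed tables; the iteration count sets the price of each guess; a weak
    or reused password loses anyway."""
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    alice = hash_password("Summer2019!")
    bob = hash_password("Summer2019!")
    print("same password, different records:", alice != bob)
    print("alice verifies:", verify_password("Summer2019!", alice))
    print("offline guess from a small wordlist:",
          crack_with_wordlist(alice, ["password", "letmein", "Summer2019!"]))
```

The record format carries its own iteration count so the work factor can be raised later without breaking existing users; on the next successful login the old record is simply replaced with one computed at the new cost.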

“We took immediate steps to block further access by the unauthorized user and to enhance security across our platform,” DoorDash told customers. “These steps include adding additional protective security layers around the data, improving security protocols that govern access to our systems, and bringing in outside expertise to increase our ability to identify and repel threats.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/26/doordash_data_loss/

Voting Machine Systems New & Old Contain ‘Design’ Flaws

DEF CON Voting Village organizers presented a final report on their findings at the Capitol.

Hackers at this year’s DEF CON Voting Village discovered new security flaws in previously vetted older voting machine systems, as well as security flaws in newer voting systems.

“Every single system was hacked on day one except for one because it arrived an hour before closing,” says Harri Hursti, one of the founders and organizers of the Voting Village, which had more than 100 systems on hand for hackers to inspect. “But it was hacked the first hour of the second day.”

Hursti is the first to admit that hacking voting systems isn’t really the main point of the Voting Village event, whose organizers presented a final report at an event on Capitol Hill today. He says it’s well-known that all voting machines can be hacked. The goal of the DEF CON event is about dealing with the risk of threat actors compromising them.

The new flaws hackers are finding in these boxes aren’t all typical security vulnerabilities. “These new things are not bugs. They are backdoors and hidden features [that] have been painstakingly carved into the DNA of the machine so it’s not easily discovered. They are features made by the vendors on purpose,” says Hursti, founder of Nordic Innovation Labs and a renowned election security expert.

Hursti says these design flaws of sorts — hardwired passwords, hidden register keys, and backdoors — are also mostly unknown by election officials who run the machines. Security features are disabled by default in much of the equipment.

Such maintenance “backdoors” left in by vendors historically had been a common but often hidden feature, or oversight, in all types of Internet of Things devices.

The Voting Village’s report, released today at the Congressional event hosted by Rep. Jackie Speier (D-Calif.) with Sen. Ron Wyden (D-Ore.) and Rep. John Katko (R-N.Y.), details specific security flaws discovered in a snapshot of the voting equipment in the Village, everything from e-poll books to newer-generation ballot-marking devices. All of the equipment in the Voting Village is still in use.

The report reiterates the Voting Village organizers’ recommendations for securing US elections: mandatory risk-limiting audits, hand-marked paper ballots, and security standards for all equipment and systems used in election administration.
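Both the Register piece above (statistically rigorous post-election audits as the remedy for machines that cannot be made tamper-resistant) and the recommendation here for mandatory risk-limiting audits rest on the same procedure, so here is a minimal one as an added example; it is not code from the Voting Village report. It follows the BRAVO ballot-polling method (Lindeman, Stark and Yates) for a two-candidate contest: the machines report vote shares, the auditors draw paper ballots at random, and a sequential test stops as soon as the paper supports the reported winner at the chosen risk limit. If the sample runs out without confirming, the contest goes to a full hand count. The population sizes, shares and seed are assumptions for the demo.

```python
# Added example, not from the Voting Village report. Ballot-polling RLA (BRAVO)
# for a two-candidate contest; population figures below are constructed.
import random
from typing import Iterable, Tuple


def bravo_update(t: float, ballot: str, s_w: float) -> float:
    """One step of the sequential test. s_w is the reported share of the winner
    among winner-plus-loser ballots and must exceed 0.5. A ballot for the winner
    multiplies the statistic by s_w/0.5, one for the loser by (1 - s_w)/0.5;
    undervotes, overvotes and other candidates leave it unchanged."""
    if ballot == "w":
        return t * (s_w / 0.5)
    if ballot == "l":
        return t * ((1.0 - s_w) / 0.5)
    return t


def run_audit(sample: Iterable[str], s_w: float, risk_limit: float) -> Tuple[bool, int]:
    """Examine ballots in the order given and stop as soon as the evidence reaches
    1/risk_limit. Returns (outcome_confirmed, ballots_examined). With a risk limit
    of 0.05 a wrong reported outcome is confirmed at most 5 per cent of the time."""
    if not 0.5 < s_w < 1.0:
        raise ValueError("reported winner share must lie strictly between 0.5 and 1")
    threshold = 1.0 / risk_limit
    t, examined = 1.0, 0
    for ballot in sample:
        examined += 1
        t = bravo_update(t, ballot, s_w)
        if t >= threshold:
            return True, examined
    return False, examined          # sample exhausted: escalate to a full hand count


def audit_population(true_w: int, true_l: int, s_w: float,
                     risk_limit: float, seed: int) -> Tuple[bool, int]:
    """Constructed paper-ballot population read in a shuffled order. The seed
    exists only so the demo is reproducible; a real audit uses a public dice roll."""
    ballots = ["w"] * true_w + ["l"] * true_l
    random.Random(seed).shuffle(ballots)
    return run_audit(ballots, s_w, risk_limit)


if __name__ == "__main__":
    # Machines report 60/40. Case 1: the paper agrees, so the audit should stop early.
    print("honest tally:  ", audit_population(6000, 4000, s_w=0.6, risk_limit=0.05, seed=1))
    # Case 2: the machines were tampered with and the paper actually reads 48/52.
    # The statistic drifts towards zero, the sample is exhausted unconfirmed, and
    # the contest goes to a full hand count of the paper ballots.
    print("tampered tally:", audit_population(4800, 5200, s_w=0.6, risk_limit=0.05, seed=1))
```

The point the report makes is visible in the code: the machines’ only contribution is the reported share s_w; every piece of evidence comes from paper, so a compromised machine can at worst cause a hand count, not a wrong certified result (beyond the stated risk limit).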

The organizers also called out the need for better training of election officials on cybersecurity threats. “Election officials need more training and better access to parties who can help them to navigate the consequences of technological choices around them,” the report said. “Election officials also need help to train their own staff to be more security minded and to gain ‘muscle memory’ for instincts to protect day-to-day operations, both during election cycles and between them.”

The Village also hosted a meetup, Unhack the Ballot, where election officials from California, Iowa, and Michigan connected with volunteer security experts. The goal was to provide them gratis security help, and several plan to continue to consult with the experts regularly, organizers say.

Key Hacks
Among the findings highlighted in the Voting Village report were flaws in ESS’s ExpressPoll Tablet Electronic Pollbook, where hackers were able to open the box, connect to an external USB port, and then print out the voter permission slip. They also found, among other weaknesses, that the device’s SD card storing encrypted voter data left its key stored in plaintext in an XML file, so an attacker could use that information to read the encrypted data.

In addition, no BIOS password was set on the system, so hackers could change system settings, and the device boots from USB by default, no password required. A maintenance password of “ESS” was stored in plaintext, and Secure Boot, the feature of the commercial hardware platform that refuses to load unsigned boot code, was not enabled.

There were other blatant security no-no’s: “The e-poll book operating system stack lacked any attempt to perform even the most rudimentary platform hardening. In fact, none of the bloatware that would come with a standard Toshiba tablet was removed. Apps for Netflix, Hulu, and Amazon were present in the e-poll book,” the report said.

Hackers were able to get root access on another system, the ESS AutoMARK ballot-marking device, by striking the Windows key. The ballot-marking device lets voters mark their choices on a screen and then prints a paper ballot, which is then either fed through an optical scanner or hand-counted. Hackers found that the device, which runs Windows CE 5.0, had not been updated since late 2007 and had last been used in a special election in the City of Williamsburg, Va., in 2018. Among other weaknesses, the admin password was found in plaintext in the configuration file.
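Three of the findings above are the same class of defect: secret material sitting in the clear on the device (the encryption key for the voter data in a plaintext XML file on the same SD card, a static maintenance password, an admin password in a configuration file). The following is an added example, not code from the Voting Village report or from any vendor, of the audit an election office or lab could run over a mounted memory-card image or configuration directory to find that class of problem. It walks a tree, parses XML and INI-style files, and flags elements whose names look like key or password material. The sample files it builds are constructed for the demo; their names and layout are assumptions, not the real products’.

```python
# Added example, not from the Voting Village report or any vendor. The demo file
# names and layout are constructed; only the idea (secrets stored in the clear
# beside the data they protect) comes from the findings above.
import configparser
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]                      # (name, value, kind)
SECRET_NAME = re.compile(r"(key|passw(or)?d|pwd|secret|token)", re.IGNORECASE)
HEX_KEY = re.compile(r"^[0-9A-Fa-f]{32,}$")         # 128-bit or longer hex string


def classify(value: str) -> str:
    if HEX_KEY.match(value):
        return "cryptographic key material"
    if len(value) < 8:
        return "short static password"
    return "credential"


def mask(value: str) -> str:
    """Show only the ends so the audit report does not become a second leak."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def scan_xml(path: str) -> List[Finding]:
    hits: List[Finding] = []
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return hits
    for el in root.iter():
        tag = el.tag.split("}")[-1]                  # drop any namespace prefix
        text = (el.text or "").strip()
        if SECRET_NAME.search(tag) and text:
            hits.append((tag, text, classify(text)))
        for attr, val in el.attrib.items():
            if SECRET_NAME.search(attr) and val.strip():
                hits.append((attr, val.strip(), classify(val.strip())))
    return hits


def scan_ini(path: str) -> List[Finding]:
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read(path)
    except configparser.Error:
        return []
    return [(f"{section}.{k}", v.strip(), classify(v.strip()))
            for section in cp.sections()
            for k, v in cp.items(section)
            if SECRET_NAME.search(k) and v.strip()]


def scan_tree(root: str) -> Dict[str, List[Finding]]:
    """Map of relative file path -> findings, for every XML/INI file under root."""
    findings: Dict[str, List[Finding]] = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext == ".xml":
                hits = scan_xml(path)
            elif ext in (".ini", ".cfg", ".conf"):
                hits = scan_ini(path)
            else:
                continue
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def build_demo_tree(root: str) -> None:
    """Constructed card image: the key sits beside the data it is meant to protect."""
    os.makedirs(os.path.join(root, "data"), exist_ok=True)
    with open(os.path.join(root, "data", "settings.xml"), "w") as f:
        f.write("<settings>\n"
                "  <Database file='voters.db.enc'/>\n"
                "  <EncryptionKey>0f1e2d3c4b5a69788796a5b4c3d2e1f0</EncryptionKey>\n"
                "  <MaintenancePassword>ESS</MaintenancePassword>\n"
                "</settings>\n")
    with open(os.path.join(root, "app.ini"), "w") as f:
        f.write("[admin]\nuser = admin\npassword = admin123\n\n[display]\ntimeout = 30\n")


def demo() -> Dict[str, List[Finding]]:
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        for name, value, kind in hits:
            print(f"{path}: {name} = {mask(value)}  [{kind}]")
```

Name matching is deliberately loose (any tag containing “key” fires, so a `Keyboard` setting will too); for a one-off device review that is the right trade, since the cost of a false positive is a glance and the cost of a miss is an encryption key that protects nothing. A key that has to live on the card for the device to boot unattended is the real design problem, and no scanner fixes that; it has to come from a secret the operator supplies or from hardware the card cannot read.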

Another voting system highlighted in the report is the Dominion ImageCast Precinct, a combination optical paper-ballot scanner and ballot-marking device designed for voters with disabilities. In addition to open physical ports that were easily accessible to hackers, they found the system is built on BusyBox 1.7.4, a release known to contain 20 serious vulnerabilities, one of which can be used for denial of service.

2020
Next year looms large as a US presidential election year, and also because it marks four years since Russia’s election-meddling and hacking activities during that US election were first revealed. Organizers of the DEF CON Voting Village already are mapping out plans for the next event in August 2020.

“One of the things we’re planning to do is start part of the activities in February or March [2020],” Hursti says. That way, hackers can do a fair amount of their preparation for the event in advance, before they get their hands on the equipment, he says.

In addition, they plan to include a forensics area in the Village where forensics experts can, for example, work on artifacts, firmware, and memory cards from the voting systems.

Meanwhile, Village organizers say they also still hold out hope that election vendors will willingly participate in the event.

But even with all of the groundbreaking work and awareness raised by the Voting Village the past three years, most security experts say US election systems are not much more secure than they were in 2016. “We’re slightly better off,” says one source close to the event who requested anonymity. “Virginia got rid of its remotely hackable voting system, Georgia got rid of its” insecure voting systems, and the move toward more paper ballot backups is encouraging. 

Adds the source: “I don’t see how we’re going to do anything to stop any nation-state attacks.”


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/vulnerabilities---threats/voting-machine-systems-new-and-old-contain-design-flaws/d/d-id/1335927?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cloud-Native Applications: Shift to Serverless is Underway

A new report explores changes in cloud-native applications and complexities involved with securing them.

As businesses transition to technology as a service, production workloads will continue moving to public cloud platforms and server types are expected to shift from virtual machines (VMs) and bare metal to containers and serverless platforms. The growing complexity is expected to complicate security.

Enterprise Strategy Group (ESG) analysts polled 371 IT and security professionals in the United States and Canada to create “Security for DevOps – Enterprise Survey Report,” published today. All come from businesses mature in their use of public cloud services and containers, and all were responsible for evaluating, buying, and managing cloud security products and services.

Cloud-native applications are, and will continue to be, made up of heterogeneous microservices deployed across hybrid clouds, the report states. But while most organizations’ current server types lean toward VMs and bare metal, their choices are predicted to shift to containers and serverless platforms within the next two years, researchers report.

When ESG conducted a similar study in 2017, it didn’t ask about serverless functions “because it was just too early,” says Doug Cahill, ESG senior analyst and group practice director for cybersecurity. This year, researchers found 34% of respondents use serverless “extensively,” 18% use serverless on a limited basis, 16% plan to start using serverless within the next 12–24 months, and 28% are currently evaluating serverless. Only 3% don’t have plans to use it.

“Organizations already deploying cloud-native applications are starting to strongly adopt serverless function calls,” Cahill explains. “We also asked about the use of application containers, and that adoption has continued to grow over the last few years.” The drivers for serverless function adoption include improved security (73%), network-based tech to secure against attacks (66%), security functionality embedded in source code containing serverless function calls (64%), and faster time-to-market when developing new applications (57%).

There are security concerns. API vulnerabilities (32%) are the top worry when considering serverless functions, followed by “exposure of secrets” (26%), API calls that result in unencrypted data transfer (22%), escalated privileges (11%), and use of unapproved APIs (9%).

While he is surprised so many businesses are using serverless, Cahill is not surprised at the overall mix of server types used in production. There is “still a really heterogeneous mix,” he points out: 35% of respondents plan to use a mix of VMs, containers, and/or serverless.

The problem is, this mix of technologies compounds cloud security challenges. Cloud-native applications make it harder to protect hybrid and multicloud environments, researchers say.

Consistency is the biggest challenge. Forty-three percent of respondents are worried about maintaining consistency across their data centers and public cloud environments where cloud-native applications are deployed. Many believe existing security tools don’t support cloud-native applications, so businesses often use multiple point tools managed by separate teams.

Nearly three-quarters (73%) of respondents say their organization uses too many specialized tools to secure cloud-native applications. This drives cost and complexity as organizations typically assign separate teams to use separate controls for separate environments.

“I think what we’ll see is the convergence of cloud security point tools over time … and also the convergence of API security tools,” notes Cahill. He hypothesizes there could be a single API security product to provide coverage across a range of programming languages and APIs.

Securing DevOps: A Shift in Mindset
DevSecOps is emerging as the primary means of protecting cloud-native applications. More than half (55%) of respondents have incorporated security into DevOps, and 22% plan to do so. Twenty percent are evaluating security use cases that can be built into the DevOps process.

However, only 8% of organizations are currently securing 75% or more of their cloud-native applications using DevSecOps practices. Researchers anticipate that number will grow to hit 68% within two years as DevOps teams create repeatable and scalable DevOps integrations. As more applications are secured with this methodology, the need for automation will increase.

Cahill points to a need to rethink the people, process, and technology behind development in order for this to work. With respect to the first two, “we need organizational alignment on making security a shared responsibility across all members of a product chain,” he explains. While security has traditionally been “bolted on” toward the end of development, “it’s really hard to bolt on security when you’re doing continuous integration and continuous delivery (CI/CD).”

The two groups are historically different. DevOps is all about speed; security all about caution. DevOps thinks security will slow progress; security thinks DevOps is “running with scissors.”

If you can integrate security with tools for CI/CD, Cahill says, you can securely move at the speed of DevOps. The move to include security in development is slow: While 52% of businesses involve the security team in protecting cloud-native apps before they push to production, many do so reactively: after an incident, for funding, or due to concerns around data stored in the cloud. One-third include security from the start of the development process.

In addition to involving security with the product team, Cahill points to another people-related challenge: ensuring both sides, but especially security, understand the attack types and methods adversaries are using. “What is different about apps that make them susceptible to threats?” he says. Once security professionals understand the points of vulnerability in APIs and serverless functions, they can better work with the dev team to secure them, he explains.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/cloud-native-applications-shift-to-serverless-is-underway/d/d-id/1335931?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Mass Exploitation of vBulletin Flaw Raises Alarm

The remote code execution bug was a 0-day when it was publicly disclosed Monday, but has now been patched.

Concerns are high over widespread attacks targeting a newly disclosed remotely exploitable vulnerability in the popular vBulletin online forum app even though a patch for the flaw is now available.

The vulnerability—a zero-day threat when it was first disclosed Monday—affects 5.x versions of vBulletin. It gives unauthenticated attackers a way to remotely execute any command that the legitimate administrator of the underlying server would be able to execute.

The flaw, which has been assigned a critical severity rating of 9.8 in the National Vulnerability Database, lets attackers potentially take complete control of a host system and use the access to drop malware, move laterally, steal data, and carry out other malicious activities.

An anonymous security researcher disclosed the vulnerability and code for exploiting it on Monday without apparently informing vBulletin about it first. The researcher also published so-called Google Dorks—or search strings that allow attackers to quickly search for servers running vulnerable versions of the bulletin board app.

vBulletin, which powers online forums on tens of thousands of sites around the world including some well-known companies such as Sony, NASA, EA, and Zynga, released a patch for the flaw late Wednesday.

But already there have been several reports of the flaw being attacked in the wild. In a report Thursday, security vendor Imperva said that it first observed attempts to exploit the issue just hours after the vulnerability was disclosed. The security vendor said that, as of Thursday morning, it had detected over 10,000 attempts to exploit the vBulletin flaw in the wild. Scripts have become available that allow attackers to search for vulnerable versions of the software in automated fashion.

“The vulnerability exists where URL parameters are passed to a widget file within the forum software itself,” Imperva said. “These parameters are then parsed on the server without any security checks – the malicious attacker can then inject commands and is able to remotely execute code on the application server.”

One researcher, Chaouki Bekrar, founder and CEO of Zerodium, a company that purchases zero-day bugs, said his company has known about the bug for at least three years. In a tweet, he described the flaw as a backdoor and a perfect candidate for the Pwnie Awards 2020.

A Drop-Everything-Kind-of-Threat

Tenable, which conducted an independent analysis of the threat Wednesday, described the issue as a “drop everything” kind of threat that merited immediate attention. The company said it had tested and confirmed that the publicly available exploit works on default configurations of vBulletin and allows attackers to execute remote commands on host systems.

Ryan Seguin, research engineer at Tenable, says the flaw allows remote attackers to do anything that the vBulletin admin can. “More seriously, vBulletin can run shell scripts on its host,” he says. “If the vBulletin service account isn’t locked down, then an attacker has a foothold on your network. Once that happens, your whole organization is likely going to get infected with ransomware or hijacked.”

Concerns are especially high because the vulnerability is extremely easy to exploit. The simple exploit code that was publicly posted is all that is needed to take full control of all vulnerable 5.x versions of vBulletin, Seguin says.

An attacker could do a simple Shodan search for vulnerable vBulletin servers and hit them with the script. “The server will respond in JSON format with whatever command the attacker attempted to run,” he says.

An attacker can pull specific files on the target to get a complete list of all user accounts on the Linux host, he adds. 
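The description above (parameters in the URL reaching a widget-rendering file, parsed without checks, commands injected and executed, results handed back as JSON) is enough to write a first-pass triage of a forum host’s access logs while the patch is being rolled out. The script below is an added example, not code from Imperva, Tenable or vBulletin. Its indicators are generic PHP and shell injection markers, not a signature for this particular flaw, because the page does not name the parameters involved; take those from the vendor patch or a WAF rule set. The log lines and the endpoint path in them are constructed for the demo.

```python
# Added example, not from Imperva, Tenable or vBulletin. Log lines and the widget
# path in them are constructed; indicators are generic, not flaw-specific.
import re
from typing import Dict, List
from urllib.parse import unquote_plus

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
INDICATORS = [
    (re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(", re.I), "php-exec-call"),
    (re.compile(r"<\?php", re.I), "php-open-tag"),
    (re.compile(r"\$_(GET|POST|REQUEST)\[", re.I), "php-superglobal"),
    (re.compile(r"(;|\|\||&&|`)\s*(wget|curl|nc|bash|sh|python|perl)\b", re.I), "shell-chain"),
]


def parse_line(line: str) -> Dict[str, str]:
    """Common/combined log format; returns {} for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def decoded_views(target: str) -> List[str]:
    """The request target decoded once (what the web server sees) and twice (what
    a double-encoded payload becomes after the application decodes it again)."""
    once = unquote_plus(target)
    twice = unquote_plus(once)
    return [once] if twice == once else [once, twice]


def scan_request(target: str) -> List[str]:
    tags: List[str] = []
    for text in decoded_views(target):
        for rx, tag in INDICATORS:
            if tag not in tags and rx.search(text):
                tags.append(tag)
    return tags


def scan_log(lines) -> List[Dict[str, object]]:
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec: Dict[str, object] = dict(parse_line(line))
        if not rec:
            continue
        tags = scan_request(str(rec["target"]))
        if tags:
            rec["indicators"] = tags
            # The pattern described above: payload parameters reaching a widget file.
            rec["widget_path"] = "widget" in str(rec["target"]).lower()
            findings.append(rec)
    return findings


SAMPLE_LOG = [   # constructed, not real traffic
    '198.51.100.7 - - [25/Sep/2019:10:14:01 +0000] "GET /forum/index.php HTTP/1.1" 200 5120',
    '198.51.100.7 - - [25/Sep/2019:10:14:03 +0000] "GET /forum/render/widget?code=echo+shell_exec%28%27id%27%29%3B HTTP/1.1" 200 312',
    '203.0.113.9 - - [25/Sep/2019:10:15:44 +0000] "GET /forum/render/widget?code=%3C%3Fphp+system%28%24_GET%5Bc%5D%29%3B HTTP/1.1" 200 88',
    '203.0.113.9 - - [25/Sep/2019:10:16:02 +0000] "POST /forum/login.php HTTP/1.1" 302 0',
    '192.0.2.33 - - [25/Sep/2019:10:17:10 +0000] "GET /forum/search.php?q=%22shell+exec%22+tutorial HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["indicators"],
              "widget" if f["widget_path"] else "-", f["target"])
```

Two caveats for real use: a 200 response to a flagged request is a sign the injection ran (Seguin’s point that the server answers in JSON with the command output), so those hosts need host-level forensics rather than just patching, and POST bodies do not appear in access logs at all, so a log scan only catches the GET-based scanners; the web server or WAF needs request-body logging to see the rest.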

Ilia Kolochenko, founder and CEO of Web security firm ImmuniWeb, says the vBulletin flaw is likely to trigger numerous automated hacking and Web server back-dooring campaigns.

“Attackers can take full control of the Web server on which the vulnerable forum is located and potentially expand their control to all the interconnected systems in the network,” he cautions.

Criminals might try to reuse admin and user passwords on other systems. Or they could try to conduct sophisticated spear-phishing campaigns against forum users, or infect forum pages with malware and compromise the systems of those using those forums.

“Many cyber gangs will not miss such a windfall and pass by such low-hanging fruit,” Kolochenko says. Many groups are fully equipped to launch mass exploitation campaigns within minutes of a zero-day public disclosure. “There are cybergangs that sell lists of global websites running specific Web software. All they need to do is to buy a recent list, adopt the exploit and start getting Web shells.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/mass-exploitation-of-vbulletin-flaw-raises-alarm/d/d-id/1335933?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Dunkin do-nots: Deep-fried cake maker didn’t warn its sugar addicts that crooks raided web accounts, says NY AG

The US state of New York is suing food chain Dunkin’ Donuts for what it says is an illegal lapse in computer security.

NY Attorney General Letitia James said today the complaint stems from a 2015 raid on Dunkin’s website: fraudsters broke into individual customer accounts, stole those victims’ payment card info from the compromised Dunkin profiles, and sold that sensitive information online.

As many as 20,000 customer records were put up for sale on data-trading darknet markets, while Dunkin hushed up the theft, it is claimed. No one was alerted to the account hijackings, and no investigation took place, we’re told.

“Dunkin’ failed to take any steps to protect these nearly 20,000 customers — or the potentially thousands more they did not know about — by notifying them of unauthorized access, resetting their account passwords to prevent further unauthorized access, or freezing their DD cards,” the AG’s office said of the suit.

“Dunkin’ also failed to conduct any investigation into or analysis of the attacks to determine how many more customer accounts had been compromised, what customer information had been acquired, and whether customer funds had been stolen.”

According to James, the crooks brute-forced their way into these customer accounts by simply guessing people’s passwords.
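Password guessing at this scale leaves a distinctive trace in authentication logs, and the complaint’s two grievances (the attack went unnoticed, and the accounts it succeeded on were never reset) map onto two outputs of a simple detector. The following is an added example, not code from Dunkin’ or from the Attorney General’s filing: it flags one source failing logins across many accounts (credential stuffing or password spraying), many failures against one account (brute force), and any success that follows either pattern, which is the list of accounts to reset and notify. The event format, thresholds and the log itself are constructed for the demo.

```python
# Added example, not from Dunkin' or the complaint. Event format, thresholds and
# the sample log are constructed for the demo.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    account: str
    ok: bool


def parse_events(lines: List[str]) -> List[LoginEvent]:
    """Constructed format: '<ISO timestamp> <client ip> <account> OK|FAIL'."""
    events = []
    for line in lines:
        ts, ip, account, result = line.split()
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, account, result == "OK"))
    return sorted(events, key=lambda e: e.ts)


def burst(times: List[datetime], window: timedelta, threshold: int) -> bool:
    """True if at least `threshold` timestamps fall inside some span of `window`."""
    times = sorted(times)
    start = 0
    for end, t in enumerate(times):
        while times[start] < t - window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def detect(events: List[LoginEvent], window: timedelta = timedelta(minutes=10),
           stuffing_failures: int = 20, stuffing_accounts: int = 10,
           bruteforce_failures: int = 10) -> Dict[str, Set[str]]:
    """Two patterns: one source guessing across many accounts, and many guesses
    against one account. A success from a flagged source, or on a flagged
    account, is a likely takeover and goes on the reset-and-notify list."""
    fails_by_ip: Dict[str, List[datetime]] = defaultdict(list)
    accounts_by_ip: Dict[str, Set[str]] = defaultdict(set)
    fails_by_account: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if not e.ok:
            fails_by_ip[e.ip].append(e.ts)
            accounts_by_ip[e.ip].add(e.account)
            fails_by_account[e.account].append(e.ts)
    stuffing_ips = {ip for ip, ts in fails_by_ip.items()
                    if len(accounts_by_ip[ip]) >= stuffing_accounts
                    and burst(ts, window, stuffing_failures)}
    bruteforced = {acct for acct, ts in fails_by_account.items()
                   if burst(ts, window, bruteforce_failures)}
    takeovers = {e.account for e in events
                 if e.ok and (e.ip in stuffing_ips or e.account in bruteforced)}
    return {"stuffing_ips": stuffing_ips,
            "bruteforced_accounts": bruteforced,
            "takeover_accounts": takeovers}


def sample_events() -> List[str]:
    """Constructed log: one source walking 30 accounts and getting into two, one
    source hammering a single account until it gets in, and an ordinary user
    who mistypes twice and then logs in."""
    base = datetime(2015, 3, 1, 10, 0, 0)
    lines = []
    for i in range(30):
        result = "OK" if i in (4, 17) else "FAIL"
        lines.append(f"{(base + timedelta(seconds=10 * i)).isoformat()} 198.51.100.7 user{i:03d} {result}")
    for i in range(15):
        lines.append(f"{(base + timedelta(seconds=12 * i)).isoformat()} 203.0.113.9 bob FAIL")
    lines.append(f"{(base + timedelta(minutes=3)).isoformat()} 203.0.113.9 bob OK")
    for offset, result in ((60, "FAIL"), (80, "FAIL"), (100, "OK")):
        lines.append(f"{(base + timedelta(seconds=offset)).isoformat()} 192.0.2.10 alice {result}")
    return lines


if __name__ == "__main__":
    for name, members in detect(parse_events(sample_events())).items():
        print(f"{name}: {sorted(members)}")
```

Keying the stuffing rule on distinct accounts per source, not just failure volume, is what separates an attacker working a stolen list from a single user locked out of their own account; attackers who spread the guesses over many source addresses defeat the per-IP rule, which is why the per-account rule and the success-after-failures rule stay in even when they look redundant.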


The Attorney General alleges that DD was aware of the pilfering yet failed to notify punters that their accounts had been compromised.

“Dunkin’ failed to protect the security of its customers,” James said. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk.”

The Attorney General is now filing suit against the donut chain in hopes of getting back some of the money lost to the thieves, claiming the chain has violated the state’s data breach notification statute as well as consumer protection laws that require companies to accurately disclose the measures they take to protect customer accounts.

The lawsuit seeks an injunction against the sugar-slingers as well as a payout to customers and a fine for violating state laws. Dunkin’ did not have comment at time of going to press. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/09/26/dunkin_donuts_leak_suit/

Airbus Cyberattack Landed on Suppliers’ Networks

Four separate incidents over the past year have targeted Airbus suppliers for the manufacturer’s sensitive commercial data.

Officials are investigating a series of four cyberattacks against Airbus suppliers Rolls-Royce, French technology consultancy Expleo, and two separate French contractors working for the aerospace manufacturer, the Agence France-Presse (AFP) reports. Sources suspect Chinese attackers are behind the incidents; however, investigators have not confirmed attribution.

Airbus’ technology has made it an appealing target for cyberattacks. In January, for example, it reported a security incident led to unauthorized data access. Now it seems adversaries are trying to steal trade secrets in a broader operation targeting suppliers.

Expleo’s systems appear to have been breached before an attack was discovered at the end of 2018. The company would neither “confirm nor deny” it had been targeted; however, a source spoke with AFP on condition of anonymity. Intruders reportedly launched an advanced attack to gain access to the VPN connecting Expleo with Airbus. Other supplier-focused attacks used similar tactics: one affected a British subsidiary of Expleo; another hit Rolls-Royce.

Sources say the attackers may be after technical documents related to certification of Airbus plane components; they were also interested in Airbus passenger plane propulsion systems and avionics systems. Some of the stolen files held data on Airbus military transport plane engines.

No sources could name who might be behind the attacks. They suspect China may be to blame, citing its previous attempts to steal commercial data and struggles in airplane certification.

Article source: https://www.darkreading.com/threat-intelligence/airbus-cyberattack-landed-on-suppliers-networks/d/d-id/1335925?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Bridging the Gap Between Security & DevOps

An inside look into the engineering mindset of DevOps from the vantage of a career security professional.

Last month, I had the eye-opening experience of attending my first pure-play DevOps conference, DevOps World, put on by CloudBees. Inconveniently one week after Black Hat, the conference could not have been more dissimilar. Suffice it to say it was a significant learning experience for a career security person. I learned about security through the eyes of DevOps engineers, many of whom spoke candidly in ways they might not have spoken with security people in the room in a corporate setting.

I felt at times like I was dropped behind enemy lines, surrounded by a foreign and seemingly hostile population. What I learned is important enough to pass on to my security colleagues. This is particularly the case for security teams working with pipeline owners to pull security testing into the CI/CD (continuous integration and continuous delivery) workflow.

The starting point for any meaningful conversation with DevOps is understanding how to best position security. Here’s what I learned.

Admit You Have a Problem
Many DevOps engineers representing security-conscious organizations are looking for security platforms to help them release code to production faster. This leads to a false perception of the security teams as a hindrance to achieving production goals. The good news is that many security-aware DevOps engineers I spoke to are earnestly looking for ways to solve this problem. The bad news: They have no idea where to start. This represents an opportunity for security leaders to serve up recommendations for security tooling along with an honest conversation about security in CI/CD pipelines.

The ABCs of Security
From a security perspective, DevOps engineers have a learning curve around security tools and platforms. From my vantage point, anecdotally, they seem to have a broad familiarity with security products, and an ability to spout off a name or two of the leaders in the industry. However, most could not distinguish between code-scanning platforms versus platforms that handle container security or other facets of the security landscape. Educating DevOps engineers on security product classes is an opportunity for security teams to offer useful advice to pipeline owners. Here’s the rub: Security practitioners will need to learn DevOps terminology and product names to engage in meaningful conversations with their developer peers.

“Get Security Off My Back”
There was definitely a negative vibe around security in many of the conversations we had at DevOps World. There is a certain momentum DevOps engineers have — backed up with business support — to move faster. Woe be the security person who tries to stem the tide. My recommendation is to accept the fact that this vibe exists in certain circles and use it to your advantage. Negotiate to have certain security scans built into the pipeline but be cognizant of the fact that security scans do slow down pipelines. Consider pre-release code scanning or post-release live testing as alternatives. This will promote confidence between the two teams, reassuring security that the latest build didn’t introduce a scary vulnerability while demonstrating to DevOps that security didn’t slow software releases for which they are responsible.

Don’t Break the Build
In one session I sat through, a particularly passionate DevOps engineer flatly stated, “When in doubt, rip it out” while referencing security tools in the pipeline. Although this might represent one speaker in a moment of candor in front of a friendly audience of other DevOps enthusiasts, it betrays a particular train of thought that certain engineers with little exposure to security might have. Security professionals trying to win hearts and minds are well served to understand this emotion exists and allay these fears before they arise. That said, if you are lucky enough to have vulnerability scanners performing security checks in your pipeline, make sure to have an alternative workflow in case you break the build. You can’t offer up a one-off manual process when automated application vulnerability tools exist that can be integrated into CI/CD pipelines.
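One way to keep scanners in the pipeline without them becoming the thing that gets ripped out is to make the gate's behaviour explicit: block only on findings at or above an agreed severity, and route everything else through a documented, expiring exception path rather than a one-off manual process. The Python script below is an added example illustrating that for both the "scans slow down pipelines" and "don't break the build" points above; it is not code from the article or from any scanner vendor. The findings format, the waiver file format, the severity names and the sample data are all constructed assumptions for this illustration.

```python
"""Security gate for a CI/CD pipeline: fail the build only on findings that
matter, and give developers a documented exception path instead of "rip it out".

Added example, not code from the article or from any scanner vendor. The
findings format, the waiver file format and the severity names are assumptions
made for this illustration; adapt them to whatever scanner your pipeline runs.
"""
import json
import sys
from datetime import date

# Severities in ascending order; the gate blocks at or above a threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample scanner output (assumed format, not any real tool's).
SAMPLE_FINDINGS = json.dumps([
    {"id": "F-1", "rule": "sql-injection", "severity": "critical", "file": "app/db.py", "line": 42},
    {"id": "F-2", "rule": "weak-hash", "severity": "medium", "file": "app/auth.py", "line": 10},
    {"id": "F-3", "rule": "hardcoded-secret", "severity": "high", "file": "tests/fixtures.py", "line": 3},
    {"id": "F-4", "rule": "debug-enabled", "severity": "low", "file": "app/settings.py", "line": 7},
])

# Constructed waiver file: the agreed "alternative workflow". Each entry names
# the rule and path prefix it covers, who approved it, why, and when it expires.
SAMPLE_WAIVERS = json.dumps([
    {"rule": "hardcoded-secret", "path_prefix": "tests/", "approved_by": "appsec",
     "expires": "2030-01-01", "reason": "test fixture, not a production credential"},
])


def load_waivers(text, today):
    """Return only unexpired waivers, so an exception cannot quietly become permanent."""
    return [w for w in json.loads(text) if date.fromisoformat(w["expires"]) >= today]


def is_waived(finding, waivers):
    """A waiver applies when both the rule and the path prefix match."""
    return any(finding["rule"] == w["rule"] and finding["file"].startswith(w["path_prefix"])
               for w in waivers)


def evaluate(findings_text, waivers_text, threshold="high", today=None):
    """Sort findings into blocking / waived / informational.

    The build fails only if a non-waived finding is at or above the threshold.
    A severity the gate does not know is treated as blocking (fail closed).
    """
    today = today or date.today()
    waivers = load_waivers(waivers_text, today)
    bar = SEVERITY_RANK[threshold]
    result = {"blocking": [], "waived": [], "informational": []}
    for f in json.loads(findings_text):
        rank = SEVERITY_RANK.get(str(f["severity"]).lower())
        if is_waived(f, waivers):
            result["waived"].append(f["id"])
        elif rank is None or rank >= bar:
            result["blocking"].append(f["id"])
        else:
            result["informational"].append(f["id"])
    result["passed"] = not result["blocking"]
    return result


if __name__ == "__main__":
    # In a pipeline step the two JSON documents would come from the scanner's
    # output file and a waiver file checked into the repository.
    verdict = evaluate(SAMPLE_FINDINGS, SAMPLE_WAIVERS)
    print(json.dumps(verdict, indent=2))
    sys.exit(0 if verdict["passed"] else 1)
```

Run with the samples, the gate fails the build on the critical finding, waives the fixture secret under an approved and dated exception, and reports the rest without blocking. Both teams get what the passage asks for: security sees the scan still runs on every build, and DevOps sees that only findings above the agreed bar can stop a release.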

Security professionals have a strong incentive to work to bridge the gap between security and DevOps. I hope these insights from DevOps World can help begin that process.

John Dickson is an internationally recognized security leader, entrepreneur, and Principal at Denim Group Ltd. He has nearly 20 years of hands-on experience in intrusion detection, network security, and application security in the commercial, public, and military sectors. As …

Article source: https://www.darkreading.com/application-security/bridging-the-gap-between-security-and-devops/a/d-id/1335834?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why Clouds Keep Leaking Data

Most devastating cloud data leaks are caused by the same kinds of common cloud security challenges and configuration errors. Here’s what you need to know.

While cloud services boast many welcome benefits – cost savings, fewer personnel, productivity gains – infosec professionals are bumping into some regular configuration challenges as they move more of their organizations’ security functions to the cloud, experts say.

“When we see problems, we see configuration issues on the customer side,” says Ryan Bergsma, training director for the Cloud Security Alliance (CSA). The most common issues? “We see lots of challenges with key management, access control, and exposed data storage,” he says.

These issues are mostly straightforward to address, but first it’s helpful to examine why security services in the cloud pose different challenges than a typical cloud service.

Service Providers’ Limitations
Security services (and their attending configurations) aren’t a one-size-fits-all proposition, unlike other X-as-a-service cloud offerings, many of which rely on a templated approach to accessing and storing data. With security, however, customer configurations are highly customized in order to handle some combination of legacy systems, regulatory requirements, and organizational practices for safeguarding customers, users, and all of their data.

So why don’t Amazon Web Services (AWS), Microsoft Azure, and Google do more troubleshooting for enterprise customers? As every good security practitioner knows, there’s a fine line between vigilant and creepy, and most cloud service providers (CSPs) work hard to make sure they don’t cross it. 

CSPs do a good job advising customers with best practices for cloud security, according to Doug Cahill, senior analyst and group director at consultancy Enterprise Strategy Group. But they share sparingly. “Major CSPs are rightfully reticent to supply a lot of details about how things are configured in the cloud so that they don’t give their playbook to potential adversaries,” he adds. 

CSPs may provide advisories about specific customer configuration; Microsoft scans some GitHub posts to see what has been stored in source code, for example, and AWS alerts customers if they have misconfigured S3 buckets, Cahill explains.

“But how much should a CSP be scanning a customer’s environment and warning them about bad management or open, sensitive data?” Cahill wonders aloud. “This is something the major CSPs really wrestle with.”

Public Exposure by Default
Poorly configured data storage is a problem that can lead to unauthorized access and data loss. In fact, recent research from Digital Shadows found that 2.3 billion files are exposed this way. Unfortunately, “public” is the default access setting for many cloud data storage configurations, says John Yeoh, global VP of research at the CSA.

“Proper management of services with educated architects and developers is needed for secure use,” he says. He’d like to see CSPs step up their notification game where end-user misconfigurations, change of services, and defaults are concerned. For example, Amazon recently released its Block Public Access tool for EC2 accounts to address this issue.
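To make "public is the default" concrete, here is an added Python example (not code from the article, the CSA or AWS) that checks a bucket's ACL, its bucket policy and the account's S3 Block Public Access settings offline and reports whether anonymous or any-AWS-account access remains possible. The dictionaries follow the shape of the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock API responses, but the bucket name, grants, policy statements and settings are constructed for the illustration.

```python
"""Offline check for the 'public by default' storage problem: given a bucket's
ACL, bucket policy and the S3 Block Public Access settings, report whether
anonymous or any-AWS-account access is possible.

Added example, not code from the article, the CSA or AWS. The dict shapes
follow the S3 GetBucketAcl / GetBucketPolicy / GetPublicAccessBlock responses;
every value in the samples is constructed. In a real review, feed this the
live API output for each bucket.
"""
import json

# The two ACL grantee groups that make data public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# Constructed sample bucket: a public-read ACL grant plus a public-read policy.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
        # '*' under a Condition is not necessarily public; it needs a human look.
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-reports",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0example"}}},
    ],
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
PAB_OFF = {"PublicAccessBlockConfiguration": {k: False for k in PAB_KEYS}}
PAB_ON = {"PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS}}


def acl_public_grants(acl):
    """(who, permission) for grants to the AllUsers / AuthenticatedUsers groups."""
    out = []
    for g in acl.get("Grants", []):
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            out.append((PUBLIC_GROUPS[grantee["URI"]], g["Permission"]))
    return out


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy):
    """Split Allow statements with Principal '*' into unconditional (public)
    and conditional (needs review)."""
    public, conditional = [], []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or not _principal_is_everyone(st.get("Principal")):
            continue
        (conditional if st.get("Condition") else public).append(st.get("Sid", "<no Sid>"))
    return public, conditional


def assess_bucket(name, acl, policy, pab):
    """Combine the three views. For access that already exists, the relevant
    Block Public Access settings are IgnorePublicAcls (neutralises public ACL
    grants) and RestrictPublicBuckets (neutralises public policies); the two
    Block* settings only stop new public ACLs/policies from being written."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    findings, review = [], []
    if not cfg.get("IgnorePublicAcls"):
        findings.extend(f"ACL grants {perm} to {who}" for who, perm in acl_public_grants(acl))
    public, conditional = policy_public_statements(policy)
    if not cfg.get("RestrictPublicBuckets"):
        findings.extend(f"policy statement '{sid}' allows everyone" for sid in public)
        review.extend(f"policy statement '{sid}' allows '*' under a Condition" for sid in conditional)
    return {"bucket": name,
            "block_public_access": all(cfg.get(k) is True for k in PAB_KEYS),
            "exposed": bool(findings), "findings": findings, "review": review}


if __name__ == "__main__":
    for pab in (PAB_OFF, PAB_ON):
        print(json.dumps(assess_bucket("example-reports", SAMPLE_ACL, SAMPLE_POLICY, pab), indent=2))
```

Running it shows the same bucket configuration judged twice: with Block Public Access off, both the ACL grant and the `PublicRead` statement expose the data; with all four settings on, neither path is reachable, which is why enabling them at the account level is the first thing to check before reviewing individual buckets.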

Access Control
Access control, including privileged user access, appears to be the biggest cause of data breaches or loss, according to the CSA’s Bergsma. The root of the problem lies in the insecure default configurations, as well as sloppy maintenance of access controls, such as old users not being removed, or overuse of admin controls allowed, he adds.

Consequently, some networks are moving to zero-trust approaches, only allowing previously vetted resources access to the network and further securing those connections with a network that also uses software-defined perimeters. 

“For public-facing services and cloud, multifactor authentication and the use of multiple accounts for privilege is a way to limit the compromising of accounts and the access of any accounts that become compromised,” Bergsma says.

A primary concern for Infrastructure-as-a-service (IaaS), in particular, is locking down the root account immediately upon its creation and creating super admin accounts for work to begin. “The key for that root account needs to be managed in a way that it will never be lost or compromised,” he emphasizes.

The overarching issue, however, is allowing too much access, Bergsma adds. “Documenting and implementing least-privilege policies is a must.”

Key Management
Most cloud customers use encryption to some degree, which then requires them to have flexible, robust key management processes. CSA’s Yeoh recommends companies get clear about their requirements, specifically:

  • Check compliance requirements to see whether you’re obligated to use a hardware security module (HSM), an external device that manages and protects digital keys for strong authentication and also handles crypto-processes.
  • The organization’s internally created governance policies may also point to the need for a specific key management approach. Check with legal and risk management executives.
  • Certain customer contracts may require handling keys in a certain way. Sales and legal personnel can help here.

Regardless of whether encrypted data is on-premises or in the cloud, scaling up key management in a workable way is a primary customer challenge, Yeoh adds. 

“The biggest risks are with segregation of duties and data segregation for the key management components being used across multiple cloud services, on-prem environments, cloud brokers, and customers who manage their own keys,” he explains. Further complicating the picture is the fact that CSPs still use their own key management solutions. 

And that’s why many customers have turned to using third-party key management brokers. But that won’t work for all customers, not to mention adding yet another service provider to manage – and pay.

“Industry buy-in of an open API for cloud key management could be a potential solution to manage keys across IaaS, PaaS, SaaS, and on-prem environments,” Yeoh says. “Using customer-managed key solutions when possible is one of CSA’s recommendations.”
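The segregation-of-duties risk Yeoh raises can be checked mechanically on a customer-managed key's policy: the principals allowed to administer a key (change its policy, disable it, schedule its deletion) should not also be the ones allowed to use it. The Python below is an added example, not code from the article, the CSA or AWS, that reads a KMS key policy document and reports principals holding both duties. The account ID, role names and the policy itself are constructed; the action names are real KMS API actions, and the admin/usage split mirrors the "key administrators" versus "key users" distinction the AWS console draws, but the grouping is this example's own assumption.

```python
"""Segregation-of-duties check for a KMS key policy: principals allowed to
administer a key (change its policy, disable it, schedule deletion) should
not also be allowed to use it (encrypt/decrypt).

Added example, not code from the article, the CSA or AWS. The key policy,
account ID and role names are constructed. The action names are real KMS API
actions; the admin/usage grouping is this example's own assumption.
"""
from fnmatch import fnmatchcase

# Representative concrete actions for each duty. A policy pattern such as
# "kms:Put*" is classified by which of these it matches.
ADMIN_ACTIONS = ("kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey", "kms:EnableKey")
USAGE_ACTIONS = ("kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
                 "kms:ReEncryptFrom", "kms:ReEncryptTo")

ACCOUNT = "111122223333"  # constructed account ID
SAMPLE_KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Default statement: hands control to IAM policies in the account.
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
         "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow administration of the key", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:role/KeyAdmin"},
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                    "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                    "kms:ScheduleKeyDeletion", "kms:CancelKeyDeletion"],
         "Resource": "*"},
        # The KeyAdmin role has crept into the users list: that is the violation.
        {"Sid": "Allow use of the key", "Effect": "Allow",
         "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:role/AppServer",
                               f"arn:aws:iam::{ACCOUNT}:role/KeyAdmin"]},
         "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                    "kms:GenerateDataKey*", "kms:DescribeKey"],
         "Resource": "*"},
    ],
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _principals(statement):
    p = statement.get("Principal", {})
    return ["*"] if p == "*" else _as_list(p.get("AWS", []))


def duties_by_principal(policy):
    """Map each principal to the set of duties ('admin', 'usage') that the
    policy's Allow statements grant it; wildcard actions are expanded by
    matching them against the representative action lists."""
    duties = {}
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        granted = set()
        for pattern in _as_list(st.get("Action", [])):
            if any(fnmatchcase(a, pattern) for a in ADMIN_ACTIONS):
                granted.add("admin")
            if any(fnmatchcase(a, pattern) for a in USAGE_ACTIONS):
                granted.add("usage")
        for principal in _principals(st):
            duties.setdefault(principal, set()).update(granted)
    return duties


def review(policy):
    """Return principals holding both duties (violations), and account-root
    principals with admin rights, which delegate the decision to IAM policies
    in that account that must then be reviewed with the same rule."""
    duties = duties_by_principal(policy)
    delegated = sorted(p for p, d in duties.items() if p.endswith(":root") and "admin" in d)
    violations = sorted(p for p, d in duties.items()
                        if {"admin", "usage"} <= d and p not in delegated)
    return {"violations": violations, "delegated_to_iam": delegated}


if __name__ == "__main__":
    print(review(SAMPLE_KEY_POLICY))
```

On the sample policy the `KeyAdmin` role is reported because it can both rewrite the key policy and decrypt with the key, while `AppServer` holds usage only. The account-root statement is listed separately: it is the default that lets IAM policies govern the key, so the same check has to be applied to those policies as well. The same approach extends to keys held by a third-party broker, where the "principals" become the broker's own role definitions.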

Moving Forward
Taken collectively, the CSA’s suggestions will not only improve the secure functioning of cloud-based security services, but all cloud services in general. But it’s clear that day is still out on the horizon.

“There is a cloud security readiness gap,” ESG’s Cahill notes. “The degree to which organizations are already consuming cloud is well ahead of their ability to secure use of those services.”

Terry Sweeney is a Los Angeles-based writer and editor who has covered technology, networking, and security for more than 20 years. He was part of the team that started Dark Reading and has been a contributor to The Washington Post, Crain’s New York Business, Red Herring, …

Article source: https://www.darkreading.com/edge/theedge/why-clouds-keep-leaking-data/b/d-id/1335921?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple