Insight

The challenge of modern application security and controls

Protecting your data in a multi-cloud environment is a shared responsibility between providers and teams. But, how can you prevent data theft?

Laeeq Ahmed

Laeeq Ahmed

Managing Director, GRC Technology, KPMG US

+1 818-227-6032

Fraud events and data breaches were once rare occurrences. When one did happen, it was usually headline news. Today such headlines are still rare, but sadly it’s not because the thefts and breaches are rare but because they’ve become all too common. Today it’s not some big elaborate fraud or cyber event that’s likely to get you. More often than not, it’s death by a thousand paper cuts.

One reason for the change is the recent emphasis on digital transformation and the rapid adoption of cloud computing. Ten plus years ago, enterprise applications and all of your data were on-premise, protected by the fortress walls of the enterprise. All very safe, all very simple. But, no more.

Today, complexity is the rule. Digital transformation efforts have exploded both the number of enerprise applications supporting key business processes and the amount of data that they produce. Hybrid or multi-cloud implementations have become the new normal – a combination of public cloud and private cloud, as well as on-prem third-party applications and proprietary software. For the DevOps team, an important goal is to create a seamless experience for employees as they move from one application to another. But it’s not just people that make the move – the data must also move seamlessly between multiple applications, locations and companies. Often – it’s just to complete a single end-to-end business process, such as record-to-report or order-to-cash.

Now, consider the data security implications of this model. Your sensitive data are now moving all over the place and being stored by multiple entities that are completely outside of your control. The opportunities for a theft or data breach to occur have mushroomed.

88%
Nearly 9 in 10 organizations (88%) reported public cloud data loss in the past year, and the increasing frequency of high-profile attacks has elevated cybersecurity to a board-level conversation

Part four of the most recent Oracle and KPMG cloud threat report series, The Business Impacts of the Modern Data Breach, reveals that 88% of organizations reported public cloud data loss in the past year. If we had to bet, we’d say that the remaining 12% had a similar loss but just don’t know about it yet. If you haven’t read the complete report series yet, we’d highly recommend it – it’s quite eye opening.

Sharing is caring

Protecting your data in this new hybrid and a multi-cloud environment is a shared responsibility between you and your cloud application providers.

The providers take full responsibility for many aspects of your data security, from access controls to the physical security of their servers. While it might be tempting to point fingers at them for the growing number of breaches, but they do a remarkably good job. It’s rare that a breach can be attributed to a failure on their part.

So, who’s more likely the culprit? It’s probably you. After all, the provider’s share of the responsibility is just a fraction of the larger challenge. They’re responsible for their cloud application, but not the many others you might use, or the integrations you need between them. While their apps contain multiple security configuration settings, you’re responsible for configuring these. And they not responsible for the people who use the application - your IT administrators and employees. They can be the weakest link.

The threat from within

Frankly speaking, your employees will rarely put the good of the organization above their own interests. It’s not necessarily malicious – it’s human nature – people naturally want to make their lives easier. That might mean taking a shortcut here or there like reusing a simple, easy-to-remember (and guess) password. It might be a simple mistake, like improperly classifying sensitive data, then skipping any sort of disciplined process to ensure the classification is correct because it requires extra time and effort.

Sometimes it’s naiveté or gullibility. We’re all familiar with phishing emails that lure unsuspecting employees into revealing login credentials, but a thief doesn’t need to hack into a system to succeed. For example, it doesn’t take much effort for a fraudster to use LinkedIn to learn that Gabe handles your Accounts Payable function and that Tracy is his boss. The fraudster calls Gabe posing as a legitimate vendor and tells Gabe he just got off the phone with Tracy. The fraudster says he needs to change the bank account number where payments to the vendor are sent – and claims that Tracy told him to call Gabe because Gabe can help – and Gabe happily does. Subsequent payments are then redirected to the fraudster’s account for the next several weeks until the real vendor calls asking where his payments are.

Sometimes it is malicious. A salesperson wants to close a deal, but she can see that there’s a hold on that customer’s account for an unpaid balance associated with a prior sale. So, she goes into the finance application and writes off the balance for the invoice, which releases the lock and allows the new sale to go through. With two sales now attributed to her, she gets two commissions and looks like a hero on the sales reports, while the organization get stiffed for half the revenue.

Consider things like these are happening across your entire organization every single day. It really is more “death by a thousand paper cuts” than a one-time massive attack. The Business Impacts of the Modern Data Breach report notes, “rather than being caused by nation-state actors or sophisticated adversaries, many incidents of data loss are the result of ineffective management and insufficient controls - specifically, not directly addressing the fundamental nature of cloud, which is different from on-premises infrastructure.”

How do you prevent and get it under control?

There are two types of controls – preventative and detective. Preventative controls are designed to prevent harmful activities from happening. The challenge with preventative controls is that any given action might be perfectly harmless in one context yet catastrophic in another. Using a front door analogy, certain people should be able to enter the door freely, some should always be kept out, and others should be allowed to enter, but only in certain circumstances.

Detective controls are designed to identify, record and alert people to unusual, or potentially harmful activities. Continuing our front door analogy, your video doorbell is a detective control. Its motion sensor will detect someone approaching your door, trigger the camera to start recording and fire off an alert to you where you can see who’s at the door, evaluate the circumstance and decide to let them in or not. Around these two types of controls, we need clear segregation of duties and well defined rules and business process workflows – who can always come in the door, who can’t ever and who can sometimes – plus who gets to approve who comes in and what steps are required to make and document the approval.

A complex balancing act

If the controls are too tight or the workflow limitations too onerous, either legitimate, productive or profitable business activities will be hindered, or people will find a way to defeat or circumvent the controls. Back at our front door, if a contractor needs to go in and out repeatedly but has to wait several minutes for you to open the door each time, he’s either going to waste a lot of time or he’ll be tempted to prop the door open or tape over the latch to defeat the control.

Consider the hundreds, if not thousands of front doors that are your business processes, which are now scattered across multiple discrete vendors and applications – thousands of different “locks,” each with its own unique key, each leading to a different set of valuables, each with a different set of people seeking access, each with its own access controls.

Unfortunately, there’s no one set of leading practices when it comes to properly defining security and configuring controls. Every organization’s risk profile and associated security requirements are different. The combination of cloud and on-prem solutions is unique. Regulatory or compliance requirements, organizational structure, defined business processes and what sensitive information you handle – all will affect what settings and controls are right for you.

Application security doesn’t end with the software’s configurations. It extends into the office, the training programs and into your business processes. It’s a complete ecosystem in which all the parts must work in concert to be effective.

Adding to the complexity, the situation is highly dynamic. Cloud-based applications are updated automatically at a remarkable pace – at least once a quarter if not more frequently. Every change made by the provider may affect one or more of your controls. Your business never stops moving either. Business processes change over time, organizational structures and business units evolve, and the number of users accessing the system typically expands over time. And you can be sure that malicious actors, the tools they use and the threats they pose aren’t sitting still, either.

Getting from here to there

Thankfully, there is a solution, but it does take vision, experience, and continuous effort and discipline to implement. It starts with a TRUSTED target operating model (TOM), a blueprint designed to align your strategic objectives with the capabilities and processes required to achieve them.

From there, of course, it’s all about execution – implementing, enforcing and auditing the proper controls, monitoring for ongoing risks, and responding to threats or incidents. This is what KPMG does every day. We help organizations with everything from preconfigured cloud technologies, processes and organization designs, which can help accelerate your efforts, to complete managed services. Our goal is to ensure you’re neither hit with a single massive attack nor suffer death through a thousand paper cuts.