The Australian Signals Directorate (ASD) publishes guidance on implementing eight critical cyber mitigation strategies, which would be enough to fend off 85% of targeted cyber-attacks. The Auditor General has mandated compliance with these controls.  How will government departments incorporate this into their cloud security strategy? 

How to Manage Cyber Security Compliance in the Cloud

With the rapid move to cloud services, both public and hybrid, many Australian government departments, both at the Federal and local level, have opted to save money over dealing with the inevitable cloud security risks that cloud computing presents. Concerns about information control, data sovereignty and cyber security have emerged.

If organisations run their own security operations capability, a transition to the cloud can reduce their ability to detect and respond to security threats, since key information sources are not natively available. Furthermore, it’s impossible to show compliance with the ASD Essential Eight controls if you can’t gain access to the evidence. Let’s look at a few of the issues you’ll face with cloud computing and, especially, with your ability to demonstrate compliance.

Compliance Against the ASD Essential Eight

The definition of compliance can change depending on which governing body regulates your industry, but for Australian Government departments it’s all about meeting the requirements of the Protective Security Policy Framework (PSPF) and ASD’s myriad advisories. The Auditor General has recently decided to test agencies and departments against the Essential Eight, therefore seeking evidence they are meeting the requirements of the following:

• Application whitelisting: Demonstrate that you control which applications and executables, software libraries, scripts and installers are permitted to run in your environment and that unknown applications are blocked;
• Patching applications: Vulnerabilities caused by uninstalled patches can leave organisations at extreme levels of security risk, especially in third party applications. Organisations need to show the auditor that their applications are up-to-date and they have the processes in place to rapidly deploy a critical security patch in as short a time as possible;
• Disable untrusted Microsoft Office macros: Microsoft Office macros are incredibly useful but can also be misused by attackers to transport malware. They should be configured to execute only from trusted locations and all mobile code should be signed;
• User application hardening: Web browsers are particularly susceptible to cyber-attacks so they should be hardened using best practice published by vendors;
• Multi-factor authentication (MFA): MFA should be implemented for remote access solutions and for all administrative log ins. Further MFA solutions can be used to protect important data repositories;
• Daily backup of critical data: Monitor and check backups of new or changed data, software and configuration settings are performed daily and they are securely stored offsite;
• Restrict administrative privileges: Administrators using a privileged domain account could potentially cause harm, whether it’s malicious or accidental, so usage should be tightly controlled;
• Patch operating system: Monitor compliance with your organisation’s patching policy and ensure that patches for extreme risk security vulnerabilities in operating systems are applied and verified within 48 hours for all workstations.

Cloud Security – The Visibility Challenge

Implementing the ASD Essential Eight onsite, where you have complete control over the full infrastructure and application stack is one thing (and even then, it’s hard), but moving to the cloud means that there are entire computing subsystems that you are now blind to. Cyber security teams have built their capabilities on data collection and analytics tools, using Security Information and Event Management (SIEM) to collate and correlate threat data. Information feeds from operating systems, security systems and business applications are all important since they afford your sec ops team the entire security operating picture.

However, when you move to a cloud consumption model, especially with platform and software-as-a-service offerings, most of the useful log sources are no longer available. This loss of data means the security operations centre cannot correlate the most common security telemetry and threats which makes it impossible to detect and respond to an attack, and making it impossible to report on compliance.

Cloud Security – What Can You Do?

Most SIEM manufacturers have created a version of their platform that works in the cloud. Often this is nothing more than an installation of their platform on a cloud server, so in essence it’s no different to what you had done before, albeit from your own datacentre. This doesn’t make the security operations team’s job any easier, since the underlying network and platform logs are not available, so they are still blind to a vast number of threats.

Instead, you need to look for a native SIEM solution that fully integrates with the cloud platform, whether that’s Microsoft Azure, AWS or some other vendor’s software-as-a-service offering. Native integration means the system collects security telemetry from the underlying systems and applications that you don’t naturally get access to. This will allow the security operations team to hunt for threats across the entire infrastructure stack, but will also allow the security management team to attest to compliance with the ASD Essential Eight, where reporting can be tailored against the maturity level of each Essential Eight control.

Cloud Security Monitoring Tools

Government departments that have not adopted the cloud will soon be compelled to, due to budget constraints and ease of management. Until now, cloud security has been fraught with problems, especially relating to the loss of operational visibility. It’s necessary to evaluate any tools you look at for native integrations with your preferred cloud platform, to ensure you get back the visibility you’d otherwise lose.

Huntsman Security’s native integration with Microsoft’s Azure platform has given control back to the customer, with special reporting and compliance tools tailored to report on compliance to the ASD Essential Eight controls.