I had a debate with a fellow technologist at Dell EMC World this year about whether the cloud is more secure than any given data center not used by a cloud provider. The argument put forth was that cloud service providers often have better security controls in place, they can auto-patch systems, etc. All in all, it is a valid argument. However, if I as the tenant cannot prove that security, then whatever the cloud does is not necessarily good enough. With the infrastructure of seventy-four countries impacted by the latest ransomware attack, this debate is placed in stark contrast to reality. Were it not for one researcher, the spread might have been worse. At the moment, the only solution for preventing such widespread ransomware is to upgrade and patch. This does not validate the argument that the cloud will patch for you. It does not do so for many Windows systems (depending on the cloud).
I would like to make two early shout-outs. We need more researchers into the areas of security attacks. Please read MalwareTech’s article on how this ransomware propagated; it was not phishing but something else. This malware propagated using server message block (SMB) weaknesses. I would also like to call out Microsoft for providing a patch for supposed end of life products. If you have not patched yet, do so: this is a necessity. The “or else” of not patching or even upgrading is pretty serious this time.
The requirement to use older computing systems is due to business decisions and complexity. We all know that the business does not always put security first. Personally, I think security needs to be part of such decisions. However, we need to consider mitigation of possible threats using upstream technologies. In this case, simple DNS proxies that map an unknown to a known address could mitigate the attack. Some ISPs do this to provide advertising mechanisms. However, in this case, the only solution is to patch or upgrade.
Could using the cloud have helped mitigate this attack? Only if the cloud had patched all your Windows virtual machines automatically and kept them patched and up to date. To do that, you need to also build in redundancy and business continuity. You need business continuity to handle rolling upgrades of your main infrastructure. This is really the work of a managed service provider. The results of this attack will reverberate around board rooms for at least a few days. I hope it lasts longer. I hope this brings to every IT architect the need to consider security from the beginning. This may be the time to review your architectures for security issues. Security does not need to be “in the way.” We just need to cover all possibilities.
I would like to see the following come out of this:
- A concerted effort to ensure all machines are patched appropriately, including those powered off. Bring them up within a sandbox if necessary. But patch.
- A concerted effort to educate the C-suite and IT architects about the need to include security from the beginning, to review current architectures for issues.
- A concerted effort by universities and other schools to educate security researchers (we need many more than there are).
- A concerted effort to look at the system, not the individual bits.
Is going to the cloud the answer? I am unsure. The cloud has many benefits. The real solution is to ensure the various trust zones and systems are not so interconnected—to ensure that, for example, data protection systems are not directly mounted by desktops or even servers. These systems need to use out-of-band technologies. The “air gap” needs to come back into IT architectures, but it needs to be an intelligent air gap. We need to look at the system as a whole, to find what is being shared and how. Data sharing is useful, but it should not be everywhere.
Will microsegmentation save us? Not really. Once more, we need to look at security as being as dynamic as our IT infrastructures. This includes items within the cloud. Security is not “set and forget.” Neither is data protection. Nor is data mobility. “Set and forget” is a thing of the past. We need dynamic solutions; we need to keep things patched and updated. We also need to better educate IT architects, the business, and IT workers about the realities of data breaches and attack surfaces. A business decision to keep older operating systems around is one that needs to be reconsidered, for example. A decision to move to the cloud with older systems needs to be reconsidered as well. The cloud will not mitigate those issues. It does mitigate other issues, but “How do I prove I am protected?” is always the question!