Qualys Inc.

15/08/2024 | News release | Distributed by Public on 15/08/2024 15:24

HHS OIG Report Underscores Challenges of Securing the Cloud

On July 22, 2024, the Department of Health and Human Services Office of Inspector General (HHS OIG) published a report identifying a need for the HHS Office of the Secretary (HHS OS) to improve key security controls to better protect its cloud information systems. The report, while focused on HHS OS, underscores the challenges that many organizations face in managing cloud security and risk and in maintaining comprehensive visibility and control over their cloud environments.

According to the report, while "HHS requires all HHS entities to identify, register, and maintain a current and accurate inventory of cloud systems" and components, HHS lacked documented procedures for verifying that the cloud system inventories are accurate. As a result, HHS OIG identified 13 undocumented cloud systems in use at HHS OS. Relying on documentation of systems alone leaves organizations prone to human error and visibility gaps. Organizations need to automate visibility across their multi-cloud environments, as well as the discovery of their external attack surface and partner-run cloud environments.

Additionally, HHS OIG found that Information System Security Officers (ISSOs) do not always possess the skill sets required to effectively govern and assess cloud security controls. As a result, HHS OIG identified 12 key security controls that had either not been implemented or were not configured in accordance with Federal requirements, such as NIST (National Institute of Standards and Technology) SP 800-53 rev 4. In its audit, HHS OIG identified privileged accounts without multifactor authentication enabled and cloud storage without access controls enabled to limit the potential exposure of sensitive data. Securing the cloud introduces many new challenges for organizations, and the learning curve for ISSOs adapting to non-traditional IT systems can be steep. This demands better integration with tools that can automate the assessment of cloud services against approved compliance benchmarks, like NIST SP 800-53 rev 4, during initial provisioning and continuously throughout the life of the cloud system.

The HHS OIG report made four recommendations to HHS as a result of its audit. These recommendations represent several of the best practices any organization should follow to manage cloud security and risk.

The HHS OIG Recommendations summarized:

  • Develop a procedure to ensure all cloud system inventories are complete and accurate
  • Remediate control findings in accordance with NIST SP 800-53
  • Implement a strategy for assessing cloud security configurations and remediating weak controls promptly
  • Ensure qualified staff are assigned as ISSOs

In addition to HHS OIG Recommendations, Qualys also recommends:

  • Complete inventory of all assets in all clouds
  • API, agent, network, and snapshot vulnerability discovery
  • Cloud Detection and Response powered by AI to identify file-based, fileless, and network attacks
  • Infrastructure as Code analysis to identify configuration issues before they are published to the cloud
  • Cloud Infrastructure Entitlement Management to validate user and asset privileges

The only effective way for an organization to progress towards these recommendations and gain visibility and control over its cloud services is through a CNAPP (Cloud Native Application Protection Platform) solution. CNAPP solutions integrate cloud asset discovery, continuous compliance monitoring, and remediation with vulnerability discovery and threat protection into a single platform to provide multi-cloud protection.

How CNAPPs Solve Cloud Security Challenges:

  • Cloud Asset Visibility with Cloud Security Posture Management

HHS OIG used the documented cloud inventory and interviews with IT personnel to identify the 13 undocumented cloud systems referenced in its report. The inferred methodology is a manual process for documenting systems, with manual correlation to cross-reference the records for accuracy. Cloud services are complex, composed of server and serverless architectures, automation scripts, and microservices; manual documentation of cloud services and settings is a laborious effort. A CNAPP solution simplifies asset identification and correlation through automated analysis with cloud security posture management (CSPM). By integrating directly with multiple cloud providers in a single platform, a CNAPP solution can identify all cloud services and resources in use within an agency's cloud environments and automatically correlate services to applications. This provides the visibility necessary to monitor and protect cloud services and eliminates the need for manual inventory management.

  • Cloud Vulnerability Discovery with Cloud Workload Protection

HHS OIG used vulnerability discovery and cloud security assessment tools to analyze the configuration settings of cloud services, and it performed penetration testing. During the penetration testing phase, HHS OIG's penetration testing partner was able to gain entry by exploiting vulnerabilities and elevating privileges, resulting in the ability to access sensitive data and gain control of cloud components. A CNAPP solution with comprehensive vulnerability detection, cloud security posture management, and advanced threat protection capabilities, combined with risk prioritization and mitigation, could have helped prevent the penetration testers from succeeding.

The cloud's complex nature requires multiple methods for identifying and quantifying vulnerabilities; relying on single vulnerability detection methods will result in blind spots and fail to identify risk. Effective vulnerability discovery and remediation should make it difficult for a penetration test or adversary to gain entry.

  • Automated Compliance Audits Against Known Standards With CSPM

Successful implementation of cloud security posture management (CSPM) automates the analysis of cloud configurations across all cloud service providers before they are published and provides continuous analysis throughout the life of the cloud system. This automation ensures continued compliance and would have prioritized high-risk findings such as exposed data repositories, improperly configured authentication settings, and missing encryption. Automating configuration analysis would have limited the penetration testers' ability to elevate privileges and access sensitive data. Because effective CSPMs also map cloud configuration settings to standards such as NIST SP 800-53 rev 4, they also benefit ISSOs who may otherwise lack the skills required to effectively assess cloud services for compliance.
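As an added illustration of the two automated checks this article describes (inventory reconciliation against what is actually running, and configuration assessment against a control baseline), the script below runs both over a small constructed inventory. It is not Qualys code and not from the HHS OIG report; the resource records are made up, and the mapping of each check to a NIST SP 800-53 rev 4 control (IA-2(1), AC-3, SC-28) is my assumption, since the article names only the standard.

```python
from dataclasses import dataclass

# Constructed sample data (not from the report): the inventory an agency documents
# by hand, and what an automated API sweep of its cloud accounts actually returned.
DOCUMENTED_INVENTORY = {"claims-portal", "payroll-db", "hr-records-bucket",
                        "cloud-admin", "report-reader"}
DISCOVERED_RESOURCES = [
    {"id": "claims-portal",     "type": "compute",  "owner": "ops"},
    {"id": "payroll-db",        "type": "database", "encrypted_at_rest": True},
    {"id": "hr-records-bucket", "type": "storage",  "public_access": True,  "encrypted_at_rest": False},
    {"id": "analytics-scratch", "type": "storage",  "public_access": False, "encrypted_at_rest": True},
    {"id": "cloud-admin",       "type": "iam_user", "privileged": True,  "mfa_enabled": False},
    {"id": "report-reader",     "type": "iam_user", "privileged": False, "mfa_enabled": False},
]

@dataclass(frozen=True)
class Finding:
    resource: str
    control: str   # NIST SP 800-53 rev 4 control the check maps to (assumed mapping)
    severity: int  # higher sorts first when prioritizing remediation
    detail: str

def find_undocumented(documented, discovered):
    """Inventory reconciliation: resources present in the cloud but absent from the documented list."""
    return sorted(r["id"] for r in discovered if r["id"] not in documented)

def evaluate_controls(discovered):
    """Configuration checks for the finding types the audit cites: privileged accounts
    without MFA, storage reachable without access controls, and unencrypted data at rest."""
    findings = []
    for r in discovered:
        if r["type"] == "iam_user" and r.get("privileged") and not r.get("mfa_enabled"):
            findings.append(Finding(r["id"], "IA-2(1)", 9, "privileged account without multifactor authentication"))
        if r["type"] == "storage" and r.get("public_access"):
            findings.append(Finding(r["id"], "AC-3", 8, "storage exposed without access controls"))
        if r["type"] in ("storage", "database") and r.get("encrypted_at_rest") is False:
            findings.append(Finding(r["id"], "SC-28", 6, "data at rest not encrypted"))
    return sorted(findings, key=lambda f: (-f.severity, f.resource))

def posture_report(documented, discovered):
    """The summary a continuous assessment would emit on every run: gaps first, then ranked findings."""
    return {"undocumented": find_undocumented(documented, discovered),
            "findings": evaluate_controls(discovered)}

if __name__ == "__main__":
    report = posture_report(DOCUMENTED_INVENTORY, DISCOVERED_RESOURCES)
    for rid in report["undocumented"]:
        print(f"UNDOCUMENTED  {rid}")
    for f in report["findings"]:
        print(f"SEV {f.severity}  {f.control:<8} {f.resource:<18} {f.detail}")
```

In a real deployment the discovered list would come from the providers' inventory APIs on a schedule, so the undocumented set and the ranked findings are recomputed continuously rather than at audit time.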

  • Threat Detection and Prevention with Cloud Detection and Response

Managing risk effectively will help limit an adversary's ability to gain access; however, Qualys research shows that adversaries are weaponizing vulnerabilities more than 11 days faster than organizations can remediate them. Effectively securing the cloud means being able to identify and defend against adversaries attempting to gain entry. Comprehensive cloud detection and response (CDR) uses advanced zero-day detection techniques to help organizations identify known and unknown threats, including file-based, fileless, and network attacks. A CDR solution could have identified the tactics, techniques, and procedures being used to exploit cloud vulnerabilities and misconfigurations and prevented them.

Qualys TotalCloud 2.0 with TruRisk™ Insights

Qualys TotalCloud offers the only CNAPP solution to provide the breadth of capabilities required to effectively identify cloud risk and secure cloud information systems. Qualys TotalCloud has a FedRAMP Authorized (Moderate) set of capabilities that offers several unique advantages:

  • Comprehensive Asset discovery and Automated Compliance with CSPM

Security starts with visibility. The cloud has created a significant "Shadow IT" challenge for enterprise and cyber security teams, made more difficult by the use of multiple cloud service providers. Qualys TotalCloud simplifies cloud asset discovery with CSPM by providing cloud connectors for Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI). This provides centralized visibility across all cloud providers in a single platform.

Additionally, Qualys enables automated compliance through the assessment of cloud infrastructure against common security baselines and frameworks, including NIST SP 800-53, NIST Cybersecurity Framework, CIS, and FedRAMP.

Qualys CSPM also provides automation for cloud remediation. This enables organizations to automate or manually execute remediation workflows for cloud findings, thus ensuring that necessary changes are communicated or implemented quickly and effectively to reduce risk.

  • Comprehensive vulnerability discovery with FlexScan™

While many solutions focus on agent- or snapshot-only scanning, Qualys offers the only solution that provides multiple, flexible options for vulnerability discovery: APIs, agents, network scanning, and snapshot scanning. This flexibility is critical: it eliminates potential blind spots, since some critical vulnerabilities are only detectable with an agent; it allows continuous vulnerability discovery in dynamically changing cloud environments; and it helps keep cloud hosting costs down.

  • Advanced Cloud Detection and Response powered by Deep Learning AI

Threat actors continue to find new ways to target and exploit cloud resources using file-based, fileless, and network service attacks. To be effective against a well-organized adversary, organizations need protections capable of learning and evolving to counter zero-day threats, not simply relying on signatures of known threats. Qualys provides the only CDR that uses Deep Learning AI to identify and defend against advanced threats targeting enterprise cloud environments.

  • Prioritize Risk and Accelerate Response with TruRisk™ Insights

Risk prioritization is critical to ensure remediation activities are targeted and impactful. Understanding the impact of a risk and the steps required to eliminate it is the best way to ensure that an organization is not just becoming compliant but reducing threat impact along the way. Qualys TruRisk™ Insights goes beyond attack path simulation to prioritize risk through a contextual understanding of potential impact and a complete picture of how to remediate it. By leveraging TruRisk™ Insights, organizations can reduce mean time to remediation while reducing risk.

Containers are the building blocks of cloud service architectures. Containers are software packages that bundle all the components and services needed to run within the cloud. Like any other software package, containers are susceptible to malware and vulnerabilities. Qualys TotalCloud Container Security enables organizations to continuously monitor containers for vulnerabilities and malicious code, both in the container registry and at runtime. By securing containers in the registry, Qualys reduces the risk associated with dormant containers by applying new intelligence about vulnerabilities and threats, so that when an image is pulled from the registry it is patched and free of malware. Additionally, while the container is running, Qualys applies the same level of inspection and protection to secure the container service at runtime.

To learn more about cloud security challenges, download the 2023 TotalCloud Security Insights report from the Qualys Threat Research Unit. To learn more about Qualys TotalCloud and see it in action, schedule a demo.
