Cloud Security: The Next Big Thing to Know
by Douglas Bernardini
Cloud security is a collection of procedures and technology designed to address external and internal threats to business security. Organizations need cloud security as they move toward their digital transformation strategy and incorporate cloud-based tools and services as part of their infrastructure.
The terms digital transformation and cloud migration have been used regularly in enterprise settings over recent years. While both phrases can mean different things to different organizations, each is driven by a common denominator: the need for change.
As enterprises embrace these concepts and move toward optimizing their operational approach, new challenges arise when balancing productivity levels and security. While more modern technologies help organizations advance capabilities outside the confines of on-premises infrastructure, transitioning primarily to cloud-based environments can have several implications if not done securely.
Striking the right balance requires an understanding of how modern-day enterprises can benefit from the use of interconnected cloud technologies while deploying the best cloud security practices.
Why is cloud security important?
In modern-day enterprises, there has been a growing transition to cloud-based environments and IaaS, PaaS, or SaaS computing models. The dynamic nature of infrastructure management, especially in scaling applications and services, can bring a number of challenges to enterprises when adequately resourcing their departments. These as-a-service models give organizations the ability to offload many of the time-consuming, IT-related tasks.
As companies continue to migrate to the cloud, understanding the security requirements for keeping data safe has become critical. While third-party cloud computing providers may take on the management of this infrastructure, the responsibility of data asset security and accountability doesn’t necessarily shift along with it.
By default, most cloud providers follow best security practices and take active steps to protect the integrity of their servers. However, organizations need to make their own considerations when protecting data, applications, and workloads running on the cloud.
Security threats have become more advanced as the digital landscape continues to evolve. These threats explicitly target cloud computing providers due to an organization’s overall lack of visibility in data access and movement. Without taking active steps to improve their cloud security, organizations can face significant governance and compliance risks when managing client information, regardless of where it is stored.
Cloud security should be an important topic of discussion regardless of the size of your enterprise. Cloud infrastructure supports nearly all aspects of modern computing in all industries and across multiple verticals.
However, successful cloud adoption is dependent on putting in place adequate countermeasures to defend against modern-day cyberattacks. Regardless of whether your organization operates in a public, private, or hybrid cloud environment, cloud security solutions and best practices are a necessity when ensuring business continuity.
What are some cloud security challenges?
- Lack of visibility: It’s easy to lose track of how your data is being accessed and by whom, since many cloud services are accessed outside of corporate networks and through third parties.
- Multitenancy: Public cloud environments house multiple client infrastructures under the same umbrella, so it’s possible your hosted services can get compromised by malicious attackers as collateral damage when targeting other businesses.
- Access management and shadow IT: While enterprises may be able to successfully manage and restrict access points across on-premises systems, administering these same levels of restrictions can be challenging in cloud environments. This can be dangerous for organizations that don’t deploy bring-your-own-device (BYOD) policies and allow unfiltered access to cloud services from any device or geolocation.
- Compliance: Regulatory compliance management is oftentimes a source of confusion for enterprises using public or hybrid cloud deployments. Overall accountability for data privacy and security still rests with the enterprise, and heavy reliance on third-party solutions to manage this component can lead to costly compliance issues.
The nightmare: Cloud Misconfigurations
Misconfigured assets accounted for 86% of breached records in 2019, making the inadvertent insider a key issue for cloud computing environments. Misconfigurations can include leaving default administrative passwords in place, or not creating appropriate privacy settings.
Cloud security misconfigurations are expected to be a major problem for years to come. According to Gartner, 99% of cloud security failures through 2025 will be the customer’s fault, and these are often due to security misconfigurations. The ability to rapidly prevent, detect and correct security misconfigurations is essential to an enterprise cloud security strategy.
Some of the common causes of these security misconfigurations that place companies at risk include:
- Multi-Cloud Complexity: Most organizations have multi-cloud deployments spanning platforms from several different cloud providers. Since each of these platforms has its own array of security settings, it can be difficult to properly configure and monitor these settings across environments. Additionally, any lack of consistency between the various security settings will increase the risk to the organization.
- Unchanged Defaults: When deploying new applications or expanding to new cloud environments, an organization’s new cloud infrastructure comes with default values for its security configuration settings. If these settings are not secure by default, a failure to reconfigure these settings can leave the organization vulnerable.
- Unsecure DevOps: Agility is one of the main selling points of cloud infrastructure. In an attempt to rapidly deploy new functionality, administrators may set up “temporary” security configurations during testing. If these configurations are not changed after release, they place the organization at risk.
- Skills Gaps: Many organizations have only recently transitioned to the cloud and have adopted complex, multi-cloud environments. Securing these environments requires in-depth experience with the security settings of each platform, which can be difficult to acquire due to the existing cybersecurity skills gap.
- Shadow IT: Cloud platforms are designed to be user-friendly, and it is easy to spin up applications, data storage, and other cloud services. As a result, employees may deploy cloud assets without appropriate authorization and properly configured security controls.
Examples of Cloud Security Misconfigurations
Various security misconfigurations can exist in corporate cloud environments. Some of the most common examples of cloud security misconfigurations include:
- Default Accounts and Passwords: The default accounts and passwords used by various applications and services are publicly known. Failing to disable default accounts or change their passwords can leave cloud infrastructure vulnerable to credential stuffing attacks.
- Publicly-Accessible Assets: Many cloud platforms allow files, folders, etc. to be shared using publicly accessible links. This link sharing allows anyone who knows or guesses the link to access potentially sensitive corporate data.
- Excessive Access: Users and applications are often granted unnecessary access and permissions in cloud environments. This excessive access increases the probability and impact of a security incident caused by compromised credentials, misused permissions, or employee negligence.
- Unnecessary Features: Cloud services, cloud-based applications and cloud environments may come with unnecessary features. Failing to disable features that the organization does not use expands the digital attack surface.
- Unencrypted Storage: Cloud data storage is increasing, meaning that large volumes of data are stored on third-party platforms that are often shared with other cloud customers. If this data is stored unencrypted, it may be accessible to unauthorized users.
- Missing Updates and Patches: While the cloud provider maintains the underlying infrastructure, the cloud customer is responsible for applying updates to their applications and the underlying software components. Failure to do so could leave applications exposed to the exploitation of unpatched vulnerabilities.
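The misconfiguration classes listed above can be evaluated automatically against an asset inventory. The following Python is an added example, not code from the original article; the inventory schema, field names and resource ids are hypothetical, and the sample data is constructed. It treats a missing encryption attribute as a finding rather than assuming the asset is safe.

```python
# Added example: provider-neutral checks for the misconfiguration classes above.
# The inventory schema, field names and ids are hypothetical; the data is constructed.
INVENTORY = [
    {"id": "bucket-reports", "type": "storage", "public": True, "encrypted": False},
    {"id": "bucket-logs", "type": "storage", "public": False, "encrypted": True},
    {"id": "svc-deploy", "type": "identity", "permissions": ["*"]},
    {"id": "admin", "type": "identity", "default_password": True},
    {"id": "vm-web", "type": "compute", "pending_patches": 7,
     "enabled_features": ["ssh", "telnet"], "required_features": ["ssh"]},
]

def default_credentials(r):
    if r.get("default_password"):
        return "default account or password"

def public_asset(r):
    if r.get("public"):
        return "publicly accessible asset"

def excessive_access(r):
    # Wildcards such as "*" or "storage:*" grant more than any one task needs.
    if any(p == "*" or p.endswith(":*") for p in r.get("permissions", [])):
        return "excessive access (wildcard permission)"

def unnecessary_features(r):
    extra = set(r.get("enabled_features", [])) - set(r.get("required_features", []))
    if extra:
        return "unnecessary features enabled: " + ", ".join(sorted(extra))

def unencrypted_storage(r):
    # Fail closed: storage with no "encrypted" attribute is reported, not assumed safe.
    if r.get("type") == "storage" and r.get("encrypted") is not True:
        return "unencrypted storage"

def missing_patches(r):
    if r.get("pending_patches", 0) > 0:
        return f"{r['pending_patches']} missing updates"

CHECKS = [default_credentials, public_asset, excessive_access,
          unnecessary_features, unencrypted_storage, missing_patches]

def audit(inventory):
    """Return {resource id: [findings]} for resources with at least one finding."""
    results = {r["id"]: [m for m in (c(r) for c in CHECKS) if m] for r in inventory}
    return {rid: hits for rid, hits in results.items() if hits}

if __name__ == "__main__":
    for rid, hits in audit(INVENTORY).items():
        print(rid, "->", "; ".join(hits))
```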
How should you approach cloud security?
The way to approach cloud security is different for every organization and can be dependent on several variables. However, the National Institute of Standards and Technology (NIST) has made a list of best practices that can be followed to establish a secure and sustainable cloud computing framework.
The NIST has created necessary steps for every organization to self-assess their security preparedness and apply adequate preventative and recovery security measures to their systems. These principles are built on the NIST’s five pillars of a cybersecurity framework: Identify, Protect, Detect, Respond, and Recover.
Another emerging technology in cloud security that supports the execution of NIST’s cybersecurity framework is cloud security posture management (CSPM). CSPM solutions are designed to address a common flaw in many cloud environments – misconfigurations.
Cloud infrastructures that remain misconfigured by enterprises or even cloud providers can lead to several vulnerabilities that significantly increase an organization’s attack surface. CSPM addresses these issues by helping to organize and deploy the core components of cloud security. These include identity and access management (IAM), regulatory compliance management, traffic monitoring, threat response, risk mitigation, and digital asset management.