Cloud computing has revolutionized how businesses operate, with companies moving away from physical IT infrastructure to minimize costs and achieve greater flexibility.
The demand for cloud-based solutions is rising post-COVID
Since 2020, the demand for cloud services has grown significantly in response to the COVID-19 outbreak, with cloud spending still expected to rise 18.8% in 2022 to total $362.3 billion, up from $305 billion in 2021.
As more businesses migrate their operations to cloud infrastructure, particularly the public cloud – where sensitive data and critical applications are a concern – you mustn’t overlook cloud security. While the benefits of cloud technology typically outweigh the drawbacks, inadequate protection can have serious ramifications.
Cloud security risks, threats and vulnerabilities
According to The State of Cloud Security report from Sophos, 70% of enterprises hosting data/workloads in the cloud encountered a security incident, and 66% leave themselves vulnerable to attackers through misconfigured cloud services. Another study highlighted that breaches caused by cloud misconfigurations cost enterprises worldwide $5 trillion in 2018 and 2019.
Therefore, IT must set out some best practices for everyone to adhere to when using the cloud in order to avoid data breaches and costly mistakes.
Cloud security insights and tips
We asked 8 experts to share their insights into cloud security and how organizations can secure their cloud environments against internal and external security threats.
1. Make security a key part of working in the cloud
What professionals need to realize about cloud security is that it can’t be treated as a separate activity. The old model of moving from one stage of an IT project to another with security either checking work at various gates or at the end takes more work and leads to worse security outcomes.
Security is interwoven with building in the cloud. Teams working in the cloud need to understand the shared responsibility model and how it applies to each and every service they’re using. Sometimes the “security” work will be simply configuring the options provided by the cloud service provider in order to meet the team’s risk tolerance. Other times, it’ll mean integrating a modern security tool to cover a gap that you’re responsible for.
The biggest security risk in the cloud is the pace of change. When combined with a distant security team/function, that usually means disaster. If the security work isn’t done alongside performance optimization, cost monitoring and other core “development” work, it won’t have the necessary context to reduce risk effectively.
When done well, cloud security often means a better security posture for less effort.
Mark Nunnikhoven, VP of Cloud Research for Trend Micro
2. Focus on all the pillars of cloud security
One of the fundamentals to understand in terms of cloud security is the two-pronged nature of this concept: "securing access to the cloud" and "delivering security from the cloud". Even though the lines between these two concepts can blur at times, they’re two distinct components of "cloud security". IT managers need to thoroughly consider both of these pillars when constructing their future cloud security strategies.
Jay Cahit Akin, CEO of Mushroom Networks, Inc.
3. The #1 risk to cloud security – your employees
All software has its own flaws, but the biggest vulnerability is the people using it. The reason why they pose a risk is the way these technologies are implemented. Just because an application says it's secure, doesn’t mean it is. The way you set it up and the people who use it are what make it secure.
To protect your data and reduce the likelihood of it being leaked, it's important that you set up appropriate access permissions for your employees. The most effective cybersecurity strategy is to train your company’s employees to become the first line of defense. All employees need to develop the soft skills needed on the cyber side to understand how to block the bad guys attempting to hack an organization through phishing and social engineering.
Nick Santora, CEO of Curricula
4. Consider cloud security access
Implement pipeline security “guardrails”: MFA, IP restrictions, access control
One aspect of cloud security that’s often overlooked by businesses is pipeline security. Pipeline security can be best described as securing how people access the cloud and what they can do with that access. An example of this could be a developer attempting to create servers that are open to the internet or having storage buckets open to the public.
Pipeline security isn’t just about enforcing MFA, IP restrictions and other security controls around accessing the cloud. It’s often overlooked once a user gains access - I’ve seen many cases where companies assume controls are in place by default based on a user’s role, which isn’t always the case. Implementing the proper guardrails is critical to maintaining a secure posture for your cloud environment.
Encrypt data in the cloud
It should always be remembered that the cloud is just another person’s computer; you’ll never have physical control over the servers that store your data in the cloud. Therefore, deploying encryption will be critical. Not only do you want to ensure your data is encrypted, but you must also ensure that the encryption keys never touch the cloud provider and where possible aren’t using the native data encryption methods. This ensures that no one other than yourself can decrypt that data and prevents a rogue employee at the cloud provider from gaining access to your environment and stealing your data.
Implement identity and access management (IAM) protocols
Identity and access management (IAM) is the management of identities and what those identities can access. This is also true in the cloud, but we must add a layer of protection to IAM since the cloud has broad network access. This is the characteristic that enables users to access the cloud and its resources anywhere, at any time. With IAM controls it’s also critical to manage when someone can access a resource, service and data in the cloud. It’s simply not enough to manage what they can access, but you also don’t want employees accessing sensitive data when they’re on vacation in another country that may be hostile to your home country.
I see this area overlooked many times with companies where they say yes, only the people allowed to access this data can access it. The data could be PCI, HIPAA or even classified material; the users only need access to this data for a short amount of time to complete their immediate tasks, so why allow them to have access to it forever? Limit when they can access this sensitive data to just enough time for them to complete their task. This workflow must be thought through and deployed from the beginning. This type of workflow takes time to adopt but it must be enforced to ensure a higher level of security around an environment that you have little control over.
Joseph South, Senior Cloud Security Engineer and Infosec Skills Author
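The access guardrails described in section 4 (MFA, IP restrictions and limiting when sensitive data can be reached) can be expressed as a default-deny check over time-boxed grants. This is an added Python example, not code from the article or its contributors; the Grant and Request types, the user and resource names and the addresses are hypothetical.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Grant:  # a time-boxed permission: who, what, from where, until when
    user: str
    resource: str
    not_before: datetime
    expires: datetime
    networks: tuple          # CIDR strings a request may originate from
    require_mfa: bool = True

@dataclass(frozen=True)
class Request:
    user: str
    resource: str
    source_ip: str
    mfa_passed: bool
    at: datetime

def evaluate(request, grants):
    """Return (allowed, reason). Default deny: every guardrail must pass."""
    reason = "no grant for this user and resource"
    src = ip_address(request.source_ip)
    for g in grants:
        if (g.user, g.resource) != (request.user, request.resource):
            continue
        if not (g.not_before <= request.at < g.expires):
            reason = "outside the granted time window"
        elif g.require_mfa and not request.mfa_passed:
            reason = "MFA required"
        elif not any(src in ip_network(n) for n in g.networks):
            reason = "source IP not in an allowed network"
        else:
            return True, "allowed"
    return False, reason

# Constructed sample data: hypothetical names, documentation IP ranges.
UTC = timezone.utc
GRANTS = [Grant("alice", "cardholder-db", datetime(2022, 3, 1, 9, tzinfo=UTC),
                datetime(2022, 3, 1, 17, tzinfo=UTC), ("203.0.113.0/24",))]

def demo():
    ok = Request("alice", "cardholder-db", "203.0.113.10", True,
                 datetime(2022, 3, 1, 10, tzinfo=UTC))
    cases = [ok, replace(ok, at=datetime(2022, 3, 2, 10, tzinfo=UTC)),
             replace(ok, mfa_passed=False), replace(ok, source_ip="198.51.100.7")]
    return [evaluate(c, GRANTS) for c in cases]
```

Calling demo() evaluates one valid request and three that each fail a single guardrail, so the returned reasons show which control stopped the access.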
5. Power your security with real-time insights
It’s important to recognize both the risks and rewards when transitioning to a cloud platform. Security threats are becoming more complex by the day, and rapidly growing data can often be highly fragmented across organizations.
Unfortunately, data breaches and hacking pose a threat to cloud users. Leading organizations realize that in order to successfully respond to developing threats and risks, real-time insights powered by AI that can be collected in the cloud provide an asset when detecting risks.
Overall, it’s vital to adopt a layered approach to cybersecurity, and that includes the cloud - even if your cloud services are outsourced. Organizations should also look for cloud services that empower security organizations with the real-time insights they require to ensure business continuity and operational efficiencies.
Alan Stoddard, President at Cognyte
6. Don’t forget your SaaS tools
As adoption of the cloud increases, enterprises will have a significant number of SaaS subscriptions. They’ll need a clear set of rules to follow when evaluating the security of a particular SaaS provider. Otherwise, they might end up with a provider who hasn’t incorporated essential security features such as disaster recovery and change management policies.
Reuben Yonatan, Founder and CEO of GetVoIP
7. Make data protection a proactive part of your cloud strategy
When looking for the right cloud resource, many users tend to get caught up in the speed of the servers or the network or the cost of the storage. If you go to the three largest cloud providers, you’ll see these three themes at the top of their pages: new features, scalability and pricing. All three are important, but if your data gets corrupted, is encrypted or just disappears, everything else doesn’t matter.
Some customers entrust their data to us, assuming that we’ll protect it. With other cloud providers, this could be a dangerous assumption. Many of our competitors leave it up to the users to make sure their data is protected. If a data protection strategy hasn’t been proactively implemented and your data gets corrupted, you could be out of luck.
Here’s what you should be asking your cloud provider:
- If a user deletes company files without permission, what’s the provider’s standard and method for data retrieval?
- What happens if there’s a cyberattack on my data and my production storage gets corrupted or encrypted by a bad actor?
- What happens to our data if your data center gets destroyed (see OVH Cloud in Strasbourg)?
It’s important to ask technical questions, but it’s more important to understand how your provider views your data. Do they think it’s as important to them as it is to you?
Tim Mullahy, EVP and Managing Director at Liberty Center One Cloud Services
8. Elasticity, fluidity and better control
One of the main reasons you’re planning to adopt the cloud is the power of elastic resources that can grow and shrink with demand. But this can throw some wrinkles into how you use your traditional security controls. Your centralized security devices (firewalls, data loss prevention, etc.) must be able to scale up to meet the demand of the entire potential of your elastic resources. This will often involve auto-scaling virtual appliances based on some defined metric.
Fluid security perimeter
Your external firewall and DMZ can no longer be the extent of your security boundaries. Now, your applications sit in a data center organized by geographic region. Your users are likely more dispersed today than they used to be. As a result, you’ll need to think differently about network trust-based controls. You’ll also need to consider a more internet accessible authentication and authorization method for your applications.
The cloud control plane
Imagine if a hostile actor could get into your data center and change the configuration of your infrastructure. They could remove and copy hard disks, destroy databases and change firewall rules - it’d be a CISO's worst nightmare. That's the impact of someone gaining access to your cloud control plane, typically the console, APIs and command line tools used to interact with your cloud resources. This is now a key security element that must be added to any organization's cloud planning. A cloud security strategy should cover, in detail:
- The breakdown of privileges to abilities of that control plane
- The segregation of duties within it
- A detailed audit trail
Don Mills, Chief Information Security Officer at SingleStone
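The three control-plane items listed in section 8 (privilege breakdown, segregation of duties and an audit trail) can be checked against each other. This is an added Python example, not code from the article or its contributors; every role, ability and principal name and every audit entry is constructed for illustration.

```python
# Constructed control-plane model; role, ability and principal names are hypothetical.
ROLE_ABILITIES = {
    "network-admin": {"firewall:modify", "network:read"},
    "storage-admin": {"disk:copy", "disk:delete", "database:delete"},
    "audit-admin": {"auditlog:read", "auditlog:delete"},
    "auditor": {"auditlog:read", "network:read"},
}
ASSIGNMENTS = {
    "dana": ["network-admin", "auditor"],
    "eli": ["network-admin", "audit-admin"],
    "ci-deployer": ["storage-admin", "network-admin"],
}
# Ability pairs that segregation of duties says one identity must not hold together.
CONFLICTS = [
    ("firewall:modify", "auditlog:delete"),
    ("database:delete", "auditlog:delete"),
    ("disk:copy", "firewall:modify"),
]
# Constructed audit-trail entries: who performed which control-plane action.
AUDIT_TRAIL = [
    {"who": "dana", "action": "firewall:modify"},
    {"who": "dana", "action": "disk:delete"},
    {"who": "mallory", "action": "auditlog:delete"},
]

def abilities(principal, assignments=ASSIGNMENTS):
    """Union of abilities across every role the principal holds."""
    roles = assignments.get(principal, [])
    return set().union(*(ROLE_ABILITIES[r] for r in roles))

def sod_violations(assignments=ASSIGNMENTS):
    """Map each principal to the conflicting ability pairs it holds."""
    found = {}
    for principal in assignments:
        held = abilities(principal, assignments)
        pairs = [c for c in CONFLICTS if set(c) <= held]
        if pairs:
            found[principal] = pairs
    return found

def unexplained_actions(trail=AUDIT_TRAIL):
    """Audit entries whose action the privilege breakdown does not account for."""
    return [e for e in trail if e["action"] not in abilities(e["who"])]

if __name__ == "__main__":
    print(sod_violations())
    print(unexplained_actions())
```

An entry returned by unexplained_actions means either the privilege breakdown is out of date or the action was performed outside the granted abilities; both are worth investigating.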