Cloud technology has been embraced as a major player in daily business operations. It has become the dominant, enabling computing paradigm that organizations of all sizes and industries are employing for its rapid deployment, ease of use, and expansive access to software, infrastructure, and platform resources. Alongside its increased utilization has come, for many, a feeling of comfort with both the technology and its assumed levels of security.
But how secure is the cloud, and what are the realities you may be missing?
Below, we outline four common myths surrounding cloud security and the real concerns your organization should be ready to act on before cloud security risk becomes a cloud security problem.
Myth #1: Cloud Security Risks Are on the Decline
Many people assume that cloud security is an old problem that is well addressed in new cloud provider offerings.
But data indicates otherwise.
According to year-over-year data from 2018 to 2019, the number of records exposed by cloud misconfigurations rose by 80%, and the total cost to companies of those exposed records rose with it.
In our 2020 Incident Response and Data Breach Report, we reveal that the majority of the inadvertent disclosure incidents we investigated in 2019 were cloud exposures.
Why is this misconception so prevalent?
It’s simple: There is still a gap in understanding around which elements of security are managed by the cloud service provider (CSP), and which responsibilities fall on the shoulders of an organization (more on that in Myth #2). Moreover, the sheer complexity of cloud-based security is enough to make anyone’s head spin.
Cloud security includes significant complexities that enterprises must address to protect their cloud data assets. Each CSP offers an almost dizzying array of tools, services, capabilities, and user-driven security settings designed to secure those assets, and each provider's toolsets and security best practices differ. Given this complexity, it's no wonder cloud security has become a vexing issue.
The end result is that the high degree of complexity in cloud security leaves many opportunities for error. Security services and technologies are advancing rapidly, but there are still gaps in our collective understanding of how to use them well. What is your business doing to close that gap?
Myth #2: Businesses Are Not Responsible for Cloud Security (“The ‘Cloud’ Does That”)
There is a common misconception that the cloud manages all aspects of security and protection. Let’s unpack exactly how the responsibility of “cloud security” is actually managed.
The “Shared Responsibility Model” means a CSP is responsible for securing the infrastructure of the cloud, and the customer is responsible for security in the cloud. Thus, businesses are responsible for managing the security of the data stored in the cloud and the controls and settings that protect that data.
Don’t be fooled by semantics. CSPs are responsible for protecting the infrastructure of the cloud, not what actually lives in the cloud.
Data protection and management of cloud security configurations and processes still require businesses to apply similar principles as are applied to computer systems on their own premises.
Businesses are responsible for attending to different security functions based on the types of cloud services they consume:
- Under a Software-as-a-Service (SaaS) contract, the provider runs the application, but the business remains responsible for its data, for identity and access management (who can log in and what they can see), and for the endpoints that connect to the service.
- When an organization uses Platform-as-a-Service (PaaS), it keeps the SaaS responsibilities and adds secure development and configuration of the applications it deploys on the platform, along with whatever network controls the platform exposes to the customer.
- Lastly, under Infrastructure-as-a-Service (IaaS) the provider secures the physical hosts, network, and virtualization layer, while the customer manages the guest operating system (including patching), any applications installed on it, firewalls and network rules, data security, and identity and access management.
As CSPs add more features and functionality to available platforms, more security complexities follow suit. It is critical to ensure that your organization understands its role in cloud security and has the appropriate infrastructure and processes in place to protect valuable data.
Myth #3: Managing Cloud Security Is Easy
Ensuring your organization is secure requires a thorough understanding of the breadth of the challenges you may face, a well-considered strategy, the right tools and solutions, and comprehensive skills across all cloud platforms in the IT environment. The cloud is designed to ease much of the burden of managing complex, on-premises IT assets; but it isn’t safe to assume that securing a vast cloud estate is necessarily easy.
Securing the cloud begins with assessing your organizational skills and technology gaps and then devising a security strategy that encompasses the people, processes, and technology you currently have in place. While it may sound simple, asset discovery and inventorying is also a critical measure. Next, you must identify what may be needed to shore up your defense strategy. That strategy can include on-site staff, managed security services, or a combination of the two.
Here is a general outline of how to get started:
- Determine whether your in-house expertise can manage cloud security, specific to each platform. If you lack that expertise, or run a very complex multi-cloud environment, consider managed security services. Cloud controls must be monitored on an ongoing basis, and managed security services can help ensure configurations and settings are not altered in ways that expose data.
- Restrict access to cloud controls, including CSP consoles, application programming interfaces (APIs), and command-line interfaces only to those who need it. Role-based access control (RBAC) is critical to minimizing cloud security risks and other potential security errors.
- Require Multi-Factor Authentication (MFA) for all authorized users, and above all for anyone who can reach the CSP console, APIs, or CLI.
- Audit your cloud data regularly to ensure you know what is out there and where it is located.
- Encrypt sensitive data at rest and grant access to it (and to the encryption keys) through RBAC rather than to individuals. With key management separated from data access in this way, you can rotate keys regularly without disrupting users.
- Log access to data and object-level operations on it. Maintaining a record of who read, created, or deleted data, and when, gives you the history you need to investigate an exposure.
- Keep a limited public presence: if content does not need to face the internet, do not allow it to.
Companies diving into the cloud should be aware that the task on the customer end is complex. Consider the benefits of working with an experienced cybersecurity firm to assess your cloud strategy and vulnerabilities so you can appropriately manage cloud security.
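The checklist above is easier to keep honest if it is turned into something that runs on a schedule. The following is an added example, not code from the original article: a small Python audit that walks an inventory of storage buckets and identity principals and flags the items the list calls out (internet-facing content, missing encryption or key rotation, missing access logs, console users without MFA, and wildcard "allow everything" policies). The inventory is constructed sample data, and the field names (`block_public_access`, `public_policy`, `kms_key_rotation`, `access_logging`, `mfa_enabled`) are assumptions modelled loosely on what a CSP's storage and identity APIs expose; in practice you would populate these records from the provider's SDK.

```python
"""Audit a constructed cloud inventory against a basic hygiene checklist.

Sample data and field names are assumptions for illustration, not the
output of any real provider API.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, str]  # (resource, severity, message)


@dataclass
class Bucket:
    name: str
    block_public_access: bool          # account/bucket-level public block on
    encryption: Optional[str]          # "AES256", "KMS", or None
    kms_key_rotation: bool = False     # only meaningful when encryption == "KMS"
    access_logging: bool = False       # server access logs delivered somewhere
    public_policy: bool = False        # bucket policy grants Principal "*"


@dataclass
class Principal:
    name: str
    console_access: bool
    mfa_enabled: bool
    policies: List[Dict] = field(default_factory=list)  # IAM-style statements


def is_admin_statement(stmt: Dict) -> bool:
    """True when a statement allows every action on every resource."""
    actions = stmt.get("Action", [])
    resources = stmt.get("Resource", [])
    if isinstance(actions, str):
        actions = [actions]
    if isinstance(resources, str):
        resources = [resources]
    return stmt.get("Effect") == "Allow" and "*" in actions and "*" in resources


def audit_bucket(b: Bucket) -> List[Finding]:
    findings: List[Finding] = []
    # "Keep a limited public presence": either signal makes the data reachable.
    if b.public_policy or not b.block_public_access:
        findings.append((b.name, "HIGH", "bucket is or can be made internet-facing"))
    # "Encrypt your sensitive data" and "rotate keys regularly".
    if b.encryption is None:
        findings.append((b.name, "HIGH", "no default encryption at rest"))
    elif b.encryption == "KMS" and not b.kms_key_rotation:
        findings.append((b.name, "MEDIUM", "KMS key rotation disabled"))
    # "Log access to and file-level operations of data".
    if not b.access_logging:
        findings.append((b.name, "MEDIUM", "access logging disabled"))
    return findings


def audit_principal(p: Principal) -> List[Finding]:
    findings: List[Finding] = []
    # "Use MFA for authorized users": console logins without MFA are the classic gap.
    if p.console_access and not p.mfa_enabled:
        findings.append((p.name, "HIGH", "console access without MFA"))
    # "Restrict access to cloud controls": a wildcard Allow defeats RBAC entirely.
    if any(is_admin_statement(s) for s in p.policies):
        findings.append((p.name, "HIGH", "wildcard Allow on all actions and resources"))
    return findings


def audit(buckets: List[Bucket], principals: List[Principal]) -> List[Finding]:
    """Run every check and return findings ordered by severity, then resource."""
    findings: List[Finding] = []
    for b in buckets:
        findings += audit_bucket(b)
    for p in principals:
        findings += audit_principal(p)
    rank = {"HIGH": 0, "MEDIUM": 1}
    return sorted(findings, key=lambda f: (rank[f[1]], f[0]))


# Constructed inventory: one bad bucket, one good, one with a single gap;
# one over-privileged human, one scoped service account, one clean analyst.
SAMPLE_BUCKETS = [
    Bucket("customer-exports", block_public_access=False, encryption=None,
           access_logging=False, public_policy=True),
    Bucket("audit-logs", block_public_access=True, encryption="KMS",
           kms_key_rotation=True, access_logging=True),
    Bucket("app-assets", block_public_access=True, encryption="KMS",
           kms_key_rotation=False, access_logging=True),
]
SAMPLE_PRINCIPALS = [
    Principal("ops-admin", console_access=True, mfa_enabled=False,
              policies=[{"Effect": "Allow", "Action": "*", "Resource": "*"}]),
    Principal("ci-deployer", console_access=False, mfa_enabled=False,
              policies=[{"Effect": "Allow", "Action": ["s3:PutObject"],
                         "Resource": "arn:aws:s3:::app-assets/*"}]),
    Principal("analyst", console_access=True, mfa_enabled=True,
              policies=[{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]),
]

if __name__ == "__main__":
    for name, sev, msg in audit(SAMPLE_BUCKETS, SAMPLE_PRINCIPALS):
        print(f"{sev:6} {name}: {msg}")
```

Run against the sample inventory it reports six findings: two HIGH and one MEDIUM for `customer-exports`, two HIGH for `ops-admin`, and one MEDIUM for `app-assets`; `audit-logs`, `ci-deployer`, and `analyst` pass. The point of wiring the checks into code is the one the list makes about ongoing monitoring: a setting that is correct today can be flipped tomorrow, so the audit should run on a schedule and its findings should be treated as alerts, not as a one-off report.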
Myth #4: It's Hard to Properly Understand Security Risk in Cloud Environments
With the complexity of today’s cloud services offerings and an unclear understanding of what security functions to undertake in house, organizations often struggle to properly evaluate risk.
The key to understanding risk is employing the right techniques to identify and test for vulnerabilities. Beyond the straightforward precautions listed above, it may be worthwhile for your organization to consider a cloud security risk assessment.
Cyber risk and resilience management (CRRM) services are designed to proactively identify and assess the cyber threats and vulnerabilities that put your business at risk. With a CRRM program in place, your organization can more easily determine:
- Critical data and information assets and associated threats and vulnerabilities.
- The likelihood of the occurrence of a threat and its impacts.
- The gaps in policies, procedures, and controls related to specific vulnerabilities.
- Actionable recommendations to mitigate cyber risks and the establishment of an appropriate remediation priority.
With an understanding of where cyber risk lies, your organization can prepare an appropriate defense strategy to mitigate risk.
Cloud security myths can be busted with the right knowledge and support guiding your organization in the appropriate management of cloud security responsibilities, risks, and vulnerabilities.
Looking for more information? Contact us and we’d be happy to help you.