Cloud computing saved many organizations during the pandemic as they rapidly recalibrated to support mass home working and reach more customers online. It continues to appeal as we approach 2023 with macro-economic headwinds gathering, thanks to the promise of greater business agility, and IT and cost efficiencies. As a result, Gartner predicts the global market for public cloud services will grow by nearly 21% year-on-year in 2023, to reach $592bn.
Yet as workloads and data migrate in greater numbers to cloud systems, expanding the corporate attack surface as they do, managing cyber risk becomes more challenging. Data security must therefore be a central pillar of any successful cloud security strategy.
Challenges in the cloud
The mistake many organizations make when considering their cloud migration projects is to assume that security can be treated in a similar way to on-premises environments. In fact, there are a number of cloud-specific challenges to be aware of before even considering such initiatives. These include the following:
- Human error can be a significant threat. In fact, the US government claims cloud misconfiguration is the most commonplace vulnerability in cloud environments. It's worsened by a decline in cloud security skills inside organizations. Cloud misconfigurations now account for 15% of breaches, according to IBM.
- Complexity is the enemy of good security, but unfortunately in the cloud it is a fact of life. According to one estimate, 92% of enterprises have a multi-cloud strategy, and 80% are investing in hybrid clouds. These create multiple computing environments to manage, potentially each with different security and policy requirements.
- DevOps teams and processes accelerate the development of cloud applications, which help modern businesses create value both internally and externally. But the third-party open source components most teams use often contain vulnerabilities. The average application development project contains 49 vulnerabilities, according to one estimate. Many cyber-criminals are primed to take advantage.
- Access control failings such as weak passwords or a lack of multi-factor authentication (MFA) can allow ransomware actors and data thieves to gain unauthorized access to cloud data and networks.
- Insecure APIs can provide a direct line to sensitive business data: misconfiguration and/or inadequate authentication can expose this data to anyone with an internet connection.
Building a successful security strategy
Fortunately, there’s plenty that organizations can do to get back on the front foot against cloud-based cyber risk. Most important is to first take ownership. Many organizations aren’t aware that, according to the shared responsibility model, cloud providers will only protect a small part of the total environment. Data, applications and much more are the responsibility of the customer. The Cloud Security Alliance has a useful guide explaining all.
Next, consider adopting or enforcing the following:
- Cloud security posture management (CSPM): These tools help to reduce exposure to misconfigurations by continually checking for and remediating any policy compliance gaps.
- Monitoring and protection of cloud assets: Solutions to provide real-time and automated insight into malicious and suspicious behavior, and the ability to rapidly respond to and contain threats. Automated monitoring is essential in the cloud, where assets like VMs and containers are in constant flux.
- Enforce Zero Trust: Advocated by the US government, Zero Trust approaches are based on the mantra: “never trust, always verify.” Typical elements include network segmentation, tight access controls according to the principle of least privilege, and internal monitoring tools.
- Audit suppliers rigorously: In highly distributed IT environments like the cloud, risk extends far beyond the traditional network perimeter. Organizations must therefore do due diligence on prospective cloud providers, but also continually assess and audit any partners or suppliers with access to their cloud data.
- Protect the data: Perhaps the most important point to make is that organizations should not expect the security controls they put in place to be effective 100% of the time. Their adversaries are simply too numerous and the attack surface too expansive. That’s why it makes sense to complement the above steps with a data-centric security approach focused on protecting what matters most: the data itself. After all, this is what most threat actors are looking for when they attempt to breach cloud systems.
The right data-centric security
What does data-centric security entail? It’s built around the application of strong encryption or tokenization to ensure that even if data is accessed, read or exfiltrated, it becomes useless to the attacker.
Beyond these basics, organizations should look for trusted partners in this space that offer:
- Support for all major cloud platforms, including AWS, Azure and Google Cloud
- Continuous discovery, classification and protection across the entire cloud environment
- Scalability to support large data volumes as the business grows
- Format-preserving encryption, which protects data but ensures it can still be used for cloud-based analytics and other business growth opportunities
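
To make the format-preserving encryption point concrete, here is an added example (not from this article or any vendor product) showing a digit string encrypted to another digit string of the same length, so that grouping on the protected value still works for analytics. It is a teaching sketch built on a Feistel network with HMAC-SHA256, not the standardized FF1 algorithm; all function names and the sample rows are hypothetical, and production systems should use a vetted FF1 implementation with managed keys.

```python
import hashlib
import hmac
from collections import Counter

ROUNDS = 10  # even, so both halves end up back in their original positions
# Constructed sample rows: (account number, purchase amount)
SAMPLE = [("4000123412341234", 20), ("4000987698769876", 5), ("4000123412341234", 7)]

def _prf(key: bytes, tweak: bytes, i: int, n: int, half: str) -> int:
    """Keyed pseudo-random integer bound to the round, total length and one half."""
    msg = b"%d|%d|" % (i, n) + tweak + b"|" + half.encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "big")

def _split(digits: str):
    # Tiny domains can be enumerated, so this sketch refuses short inputs.
    if not (digits.isascii() and digits.isdigit() and len(digits) >= 6):
        raise ValueError("expected at least 6 ASCII decimal digits")
    u = len(digits) // 2
    return digits[:u], digits[u:], u, len(digits) - u

def fpe_encrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    a, b, u, v = _split(digits)
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v          # width of the half being replaced
        c = (int(a) + _prf(key, tweak, i, u + v, b)) % 10**m
        a, b = b, str(c).zfill(m)           # zfill keeps leading zeros
    return a + b

def fpe_decrypt(key: bytes, digits: str, tweak: bytes = b"") -> str:
    a, b, u, v = _split(digits)
    for i in reversed(range(ROUNDS)):       # undo the rounds in reverse order
        m = u if i % 2 == 0 else v
        c = (int(b) - _prf(key, tweak, i, u + v, a)) % 10**m
        a, b = str(c).zfill(m), a
    return a + b

def protect(rows, key: bytes):
    """Replace each account number with its same-length ciphertext."""
    return [(fpe_encrypt(key, acct), amount) for acct, amount in rows]

def spend_by_account(rows) -> Counter:
    totals = Counter()
    for acct, amount in rows:
        totals[acct] += amount
    return totals
```

Because encryption is deterministic under a given key and tweak, equal plaintexts map to equal ciphertexts; that is what allows grouping and joins on protected data, and it also means equality between records remains visible to anyone who holds the protected data set.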