Cloud computing is the driving force behind digital transformation. During the pandemic it empowered organizations to rapidly support home working and find new ways to reach their customers. Today the drivers have shifted slightly, but it’s no less important. Cloud-based platforms, infrastructure, and applications are now more likely to be deployed to drive cost efficiencies, streamline business processes, and improve resilience against stiffening economic headwinds. Yet as more business-critical information is transferred to cloud data stores, the risk of theft and extortion grows.
This is where it makes sense to cut through the complexity of cloud security and focus on what’s most important—by protecting the data itself.
The top five cloud security threats
According to one estimate, 45% of data breaches last year occurred in the cloud, at a cost of over $5m each in the public cloud, versus an average of $4.4m per company across all environments. The same study calculates that cloud migration can add $284,000 to an organization’s average breach costs. These are figures which should concern any boardroom. So where are cloud security threats most pronounced?
Misconfiguration is reckoned by the US government to be the most prevalent cloud vulnerability. Exacerbated by ever-evolving cloud service provider (CSP) functionality and a lack of in-house skills in customer organizations, it can leave data stores completely exposed to threat actors or accidental leaks. Cloud misconfigurations now account for 15% of breaches, according to IBM.
IT complexity is a fact of life in the cloud. Research tells us that 92% of enterprises have a multi-cloud strategy, and 80% favor a hybrid cloud approach. That creates multiple discrete computing environments, with different security and policy requirements. This kind of complexity is the enemy of effective risk control, and can be a major driver of misconfiguration.
Software supply chains are critical to the DevOps teams building the cloud applications that power modern businesses. Yet most of these teams use third-party open source components which are often riddled with malware and vulnerabilities. The average application development project contains 49 vulnerabilities, according to one estimate. Another report claims to have recorded a 650% increase in bad actors injecting vulnerabilities into upstream code in order to exploit them before they are discovered.
Poor access controls such as weak passwords or non-existent multi-factor authentication can allow hackers to gain unauthorized access to cloud data and networks. Attackers might use previously breached or phished credentials, or simply brute force them using automated tools.
Insecure APIs can provide a direct line to sensitive business data. They may be the CSP’s APIs or business APIs deployed in the cloud. Either way, misconfiguration and inadequate authentication/authorization are usually to blame. The result: anyone with an internet connection could hijack these communication links to reach critical data.
Supporting the cloud journey
Cloud security is tough. Cloud environments host a large, distributed, and growing attack surface which cybersecurity teams often don’t have the skills, tools, or visibility to protect. Some organizations are confused about their role in the shared responsibility model for cloud security, while others might try to apply ineffective legacy controls.
A surer way to mitigate cyber risk in the cloud would be to focus on what really matters: the data itself. This is what threat actors are after when they breach the cloud network, so this is where protective efforts should concentrate. It’s what we call “data-centric security”: the application of strong encryption or tokenization to ensure that even if data is accessed, read, or exfiltrated, it is useless to the attacker.
Beyond these basic tenets, organizations should look for data-centric security providers that offer:
- Support for all major cloud platforms
- Continuous discovery, classification, and protection across the entire cloud environment
- The scalability to support larger data volumes as the business grows
- Format-preserving encryption, so data is protected but can still be used for things like cloud-based analytics
The best data-centric security solutions maximize protection and minimize cyber risk across the cloud without impacting data utility.
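To make the data-centric idea above concrete, here is an added example (not from the original article or any vendor product) of deterministic, one-way, format-preserving tokenization: card numbers are replaced by tokens of the same length and character classes, the real values are never stored, yet a spend-per-card aggregation still works over the protected data. It uses HMAC-SHA256 as a keyed shift per character; it is not NIST FF1 encryption, and the key, sample transactions and function names are constructed for the demo.

```python
import hmac
import hashlib
import string
from collections import Counter

ALPHABETS = (string.digits, string.ascii_lowercase, string.ascii_uppercase)


def _keystream(key: bytes, value: str, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, bound to the whole input value, so equal
    inputs always yield equal tokens (needed for joins and group-by)."""
    out, counter = b"", 0
    while len(out) < length:
        msg = value.encode() + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def fp_tokenize(value: str, key: bytes, keep_suffix: int = 0) -> str:
    """Deterministic one-way format-preserving token (constructed demo, not FF1).
    Digits stay digits and letters keep their case, so length, character classes
    and separators are preserved; the last `keep_suffix` characters stay in the
    clear (e.g. last four of a card for support staff). Caveat: determinism
    reveals which records share a value, so use it for analytics keys, not for
    fields where equality itself is sensitive."""
    keep_suffix = min(keep_suffix, len(value))
    cut = len(value) - keep_suffix
    body, tail = value[:cut], value[cut:]
    out = []
    for ch, rnd in zip(body, _keystream(key, value, len(body))):
        for alphabet in ALPHABETS:
            if ch in alphabet:
                out.append(alphabet[(alphabet.index(ch) + rnd) % len(alphabet)])
                break
        else:
            out.append(ch)  # separators such as '-' or '@' pass through unchanged
    return "".join(out) + tail


def spend_per_card(records, key: bytes) -> Counter:
    """Analytics over protected data: total spend per card token, computed
    without ever handling the real PAN in the aggregation step."""
    totals = Counter()
    for pan, amount in records:
        totals[fp_tokenize(pan, key, keep_suffix=4)] += amount
    return totals


# Constructed sample data; in production the key lives in a KMS/HSM, not in code.
SAMPLE_KEY = b"demo-key-replace-with-kms-managed-secret"
SAMPLE_TX = [("4111-1111-1111-1111", 20), ("5500-0000-0000-0004", 5),
             ("4111-1111-1111-1111", 30)]

if __name__ == "__main__":
    for pan, _ in SAMPLE_TX:
        print(pan, "->", fp_tokenize(pan, SAMPLE_KEY, keep_suffix=4))
    print(spend_per_card(SAMPLE_TX, SAMPLE_KEY))
```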