For years, many business and IT executives have been leery of the public cloud — and even avoided these services outright — because of concerns about security threats.
Those worries have largely abated as the cloud services market matured and the leading cloud providers built highly secure infrastructures. But that doesn’t mean the threats have gone away or that cloud customers should assume they’re no longer responsible for making sure their data is protected.
“The upswing in global cloud adoption has given rise to new cloud security threats, where hackers can study a company's weakness and gain unauthorized access to steal confidential information,” notes the Cloud Security Alliance (CSA), an organization that defines standards, certifications and best practices to help ensure a secure cloud computing environment.
“We need smarter and more agile controls to deal with such threats, and this is where the traditional security measures of cloud service providers [CSPs] fail,” CSA said.
The organization has identified the top threats to cloud computing, based on surveys and questionnaires of its members by the CSA Top Threats Working Group. These include data breaches; lack of cloud security architecture and strategy; insufficient identity, credential, access and key management; account hijacking; insider threats; insecure interfaces and application programming interfaces (APIs); and limited visibility of cloud usage.
Organizations that now rely on multiple or hybrid cloud environments to support their business processes need to be vigilant in ensuring that their data and applications are safe — just as they were when these resources resided on premises.
Research firm Gartner has made a number of predictions about cloud security that should cause concern among CISOs and other security executives.
One is that through 2025, 90 percent of the organizations that fail to control public cloud use will inappropriately share sensitive data. Another is that through 2024, a majority of organizations will continue to struggle with appropriately measuring cloud security risks. And a third is that through 2025, 99 percent of cloud security failures will be the customer’s fault, not the fault of the cloud provider.
Here are some suggested best practices for strong security in the cloud environment.
1. Deploy identity and access management tools
Managing who has access to what data and services in the cloud should be the foundation of a cloud cybersecurity program, said Steve Riley, senior director and analyst, cloud security at Gartner.
In the public cloud, “logical access controls at the individual resource and data object level become paramount,” Riley said. “Identity is perhaps the most important form of virtual perimeter that can effectively reduce the attack surface area of potential breaches.”
Cloud administrative consoles and cloud-residing applications are likely accessible to anyone with an internet connection, Riley said. As a result, the foundation of any strategy for maintaining control of an organization’s portion of the cloud is an effective identity and access management (IAM) strategy.
“As an organization designs an IAM strategy that both enables and protects the business, remember that the principle of least privilege remains a useful anchor,” Riley said. “Favor stinginess, but implement a process for quick and easy requesting and granting of additional privileges with minimal disruption to an individual’s workflow.”
When privilege assignments are too narrow, the system “fails safely” and errors tend not to create security problems, Riley said. “When assignments are too broad — often because of entitlement creep — the converse is true: errors tend to create real security problems,” he said.
Most public cloud services now offer role-based administration, built-in multi-factor authentication (MFA), and extensive logging capabilities, Riley said. “Some can be integrated with privileged access management tools. Most services also offer some form of ‘effective permissions’ evaluator, which helps remove the guesswork from determining whether the permissions of a user or service account are overly scoped.”
Too-broad permissions on accounts and too-broad access control lists on objects represent the most common and most dangerous cloud security problems, Riley said.
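As an added illustration of the two ideas in this section (flagging too-broad assignments, and an "effective permissions" evaluation that removes guesswork), here is a small linter for IAM-style policy documents. It is example code written for this page, not a Gartner or AWS tool; the policy it checks is constructed, and the evaluation model is deliberately simplified (explicit Deny overrides Allow, wildcards in Action and Resource are honoured, but Conditions, NotAction/NotResource and resource-based policies are not modeled).

```python
"""Least-privilege linter for IAM-style policy documents (added example; simplified model).

Flags Allow statements with wildcard actions or resources, and answers the
"effective permissions" question: given this policy, may <action> be performed
on <resource>?  Explicit Deny overrides Allow, as in IAM.  Conditions,
NotAction/NotResource and resource-based policies are deliberately not modeled.
"""
import fnmatch
import json

# Constructed sample policy (not taken from the article): one over-scoped
# statement, one tightly scoped statement, and one explicit-deny guardrail.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "Scoped", "Effect": "Allow",
     "Action": ["dynamodb:GetItem", "dynamodb:Query"],
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
    {"Sid": "Guardrail", "Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource/Statement; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(value: str, patterns) -> bool:
    """IAM-style wildcard matching ('*' and '?'), compared case-insensitively like IAM actions."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def find_broad_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that grant a whole service ('svc:*' or '*')
    or apply to every resource ('*'): the too-broad assignments this section warns about."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        broad_action = any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action")))
        broad_resource = any(r == "*" for r in _as_list(stmt.get("Resource")))
        if broad_action or broad_resource:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Effective-permissions evaluation: any matching Deny wins; otherwise a matching Allow grants."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not (_matches(action, stmt.get("Action")) and _matches(resource, stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    print("Over-scoped statements:", find_broad_statements(SAMPLE_POLICY))
    for act, res in [("s3:GetObject", "arn:aws:s3:::some-bucket/report.csv"),
                     ("s3:DeleteBucket", "arn:aws:s3:::some-bucket"),
                     ("dynamodb:DeleteItem", "arn:aws:dynamodb:us-east-1:123456789012:table/orders")]:
        print(f"{act} on {res}: {'ALLOWED' if is_allowed(SAMPLE_POLICY, act, res) else 'denied'}")
```

Running it reports `TooBroad` as the statement to tighten, and shows why a guardrail Deny is worth keeping even on a policy that is being narrowed: `s3:DeleteBucket` stays denied no matter how wide the Allow is. The real cloud providers' evaluators (and their IAM access analyzers) do the same job with the full condition and resource-policy logic; this block only shows the core rule.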
2. Prevent security misconfigurations
The greatest threat to cloud environments is misconfigurations, said Frank Dickson, program vice president, security and trust at research firm IDC.
For example, open Amazon Web Services (AWS) Simple Storage Service (S3) buckets have been a source of high-profile breaches, and yet some organizations choose to leave these public cloud storage resources open, Dickson said.
“S3 buckets though are not open by default; they are closed,” Dickson said. “The client had to make a decision to open the buckets and leave them exposed. The old adage said that an ounce of prevention is worth a pound of cure. Well, an ounce of investment in proper cloud configurations is worth 20 pounds of cloud security tools.”
Cloud misconfiguration is the first thing attackers check for, according to CSA, and a small security oversight such as failing to remove an old account can cause problems in a matter of seconds. Among the common ways a cloud can be misconfigured are a lack of access restrictions and a lack of data protection, particularly for personal information that is uploaded to the cloud in plain-text form.
Another reason for misconfigurations, CSA said, is failing to audit and validate cloud resources. A lack of regular audits of resources and configurations can lead to a security flaw ready to be pounced on by malicious exploiters, the group reports.
Companies can also neglect logging and monitoring. The timely checking of data and access logs is vital to identify and flag security-related events.
Finally, organizations can provide “over entitlement” of access to users. User access should be restricted to only the applications and data that an individual is permitted to use, CSA said.
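The S3 example above and the misconfiguration classes CSA lists (missing access restrictions, unprotected data, no logging) can be checked mechanically. The following audit is an added example written for this page, not an AWS or CSA tool. Its inputs are plain dicts shaped like the JSON documents that `aws s3api get-public-access-block`, `get-bucket-acl`, `get-bucket-encryption` and `get-bucket-logging` return; the inventory, bucket names and owner IDs are constructed so the script runs offline, and fetching the real documents from an account is left to the reader.

```python
"""Audit S3 bucket settings for the misconfiguration classes described above (added example).

The inputs are dicts shaped like the JSON that `aws s3api get-public-access-block`,
`get-bucket-acl`, `get-bucket-encryption` and `get-bucket-logging` return; here they are
constructed inline so the check runs offline.
"""

# Canned ACL grantees that expose a bucket to everyone / to any AWS account holder.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PUBLIC_ACCESS_BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                             "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_bucket(name: str, public_access_block, acl, encryption, logging) -> list:
    """Return human-readable findings for one bucket; an empty list means nothing was flagged.
    Any argument may be None, which is how a configuration that was never set (the API
    returns an error instead of a document) is represented here."""
    findings = []

    # 1. Access restrictions: the bucket-level public access block should be fully on.
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    for flag in PUBLIC_ACCESS_BLOCK_FLAGS:
        if not pab.get(flag, False):
            findings.append(f"{name}: public access block flag {flag} is off")

    # 2. Access restrictions: no ACL grant to the AllUsers / AuthenticatedUsers groups.
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"{name}: ACL grants {grant.get('Permission')} to {group}")

    # 3. Data protection: default server-side encryption must be configured.
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not any("ApplyServerSideEncryptionByDefault" in rule for rule in rules):
        findings.append(f"{name}: no default server-side encryption")

    # 4. Logging and monitoring: server access logging should be turned on.
    if not (logging or {}).get("LoggingEnabled"):
        findings.append(f"{name}: server access logging disabled")

    return findings


def audit_inventory(inventory: dict) -> dict:
    """Run audit_bucket over {bucket_name: {config dicts}} and keep only buckets with findings."""
    report = {}
    for name, cfg in inventory.items():
        findings = audit_bucket(name, cfg.get("public_access_block"), cfg.get("acl"),
                                cfg.get("encryption"), cfg.get("logging"))
        if findings:
            report[name] = findings
    return report


# Constructed inventory (placeholder names and IDs): one bucket somebody opened up
# and left that way, one hardened bucket.
SAMPLE_INVENTORY = {
    "example-exposed-bucket": {
        "public_access_block": None,          # never configured
        "acl": {"Owner": {"ID": "owner-id-placeholder"},
                "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
                            "Permission": "FULL_CONTROL"},
                           {"Grantee": {"Type": "Group",
                                        "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                            "Permission": "READ"}]},
        "encryption": None,
        "logging": {},                        # get-bucket-logging returns {} when disabled
    },
    "example-hardened-bucket": {
        "public_access_block": {"PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
        "acl": {"Owner": {"ID": "owner-id-placeholder"},
                "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
                            "Permission": "FULL_CONTROL"}]},
        "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
        "logging": {"LoggingEnabled": {"TargetBucket": "example-log-bucket",
                                       "TargetPrefix": "s3-access/"}},
    },
}

if __name__ == "__main__":
    for bucket, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"\n{bucket}")
        for item in findings:
            print("  -", item)
```

The exposed bucket in the sample is reported on all four counts while the hardened one produces no findings, which is the point Dickson makes: the open state is the result of settings someone changed, so a scheduled run of a check like this over every bucket catches the drift that a one-time review misses. The same structure (fetch the configuration document, compare against a known-good baseline, report deviations) applies to the other misconfiguration classes CSA lists, such as stale accounts and over-entitled users.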
3. Reduce the complexity of cloud management
Providing sufficient security for even a single cloud service can be a big challenge for organizations. Add more cloud services and more cloud providers to the mix and the challenge of protecting data becomes even greater.
“For those using specific cloud services and tools, it’s important to have the knowledge of those tools,” Yeoh said. “Providers constantly add and change features in their services. Keeping up with the proper use of the features and understanding standard configurations is vital to the secure use of those services.”
Establishing a culture for security with basic cloud knowledge “is a great step to improving a company’s security posture by reducing the human error element and creating awareness of best practices in the cloud,” Yeoh said.
Education should also extend to knowing exactly what cloud providers offer in the way of security.
CSA’s allows you to view and compare how cloud service providers meet or exceed baseline security requirements, Yeoh said.
“Having a framework of common cloud security controls that are being implemented in the industry creates trust and assurance for that cloud service provider and their services,” Yeoh said. “Identify security requirements that are critical to your organizational use of that service, and ensure that those requirements are met through controls provided in the framework. This practice can expedite the procurement process and improve your security posture.”