For years, many business and IT executives have been leery of the public cloud — and even avoided these services outright — because of concerns about security threats.
Those worries have largely abated as the cloud services market matured and the leading cloud providers built highly secure infrastructures. But that doesn’t mean the threats have gone away or that cloud customers should assume they’re no longer responsible for making sure their data is protected.
“The upswing in global cloud adoption has given rise to new cloud security threats, where hackers can study a company’s weakness and gain unauthorized access to steal confidential information,” notes the Cloud Security Alliance (CSA), an organization that defines standards, certifications and best practices to help ensure a secure cloud computing environment.
“We need smarter and more agile controls to deal with such threats, and this is where the traditional security measures of cloud service providers [CSPs] fail,” CSA said.
The organization has identified the top threats to cloud computing, based on surveys and questionnaires of its members by the CSA Top Threats Working Group. These include data breaches; lack of cloud security architecture and strategy; insufficient identity, credential, access and key management; account hijacking; insider threats; insecure interfaces and application programming interfaces (APIs); and limited visibility of cloud usage.
Organizations that now rely on multiple or hybrid cloud environments to support their business processes need to be vigilant in ensuring that their data and applications are safe — just as they were when these resources resided on premises.
Research firm Gartner has made a number of predictions about cloud security that should cause concern among CISOs and other security executives.
One is that through 2025, 90 percent of the organizations that fail to control public cloud use will inappropriately share sensitive data. Another is that through 2024, a majority of organizations will continue to struggle with appropriately measuring cloud security risks. And a third is that through 2025, 99 percent of cloud security failures will be the customer’s fault, not the fault of the cloud provider.
Here are some suggested best practices for strong security in the cloud environment.
Managing who has access to what data and services in the cloud should be the foundation of a cloud cybersecurity program, said Steve Riley, senior director and analyst, cloud security at Gartner.
In the public cloud, “logical access controls at the individual resource and data object level become paramount,” Riley said. “Identity is perhaps the most important form of virtual perimeter that can effectively reduce the attack surface area of potential breaches.”
Cloud administrative consoles and cloud-residing applications are likely accessible to anyone with an internet connection, Riley said. As a result, the foundation of any strategy for maintaining control of an organization’s portion of the cloud is an effective identity and access management (IAM) strategy.
“As an organization designs an IAM strategy that both enables and protects the business, remember that the principle of least privilege remains a useful anchor,” Riley said. “Favor stinginess, but implement a process for quick and easy requesting and granting of additional privileges with minimal disruption to an individual’s workflow.”
When privilege assignments are too narrow, the system “fails safely” and errors tend not to create security problems, Riley said. “When assignments are too broad — often because of entitlement creep — the converse is true: errors tend to create real security problems,” he said.
Most public cloud services now offer role-based administration, built-in multi-factor authentication (MFA), and extensive logging capabilities, Riley said. “Some can be integrated with privileged access management tools. Most services also offer some form of ‘effective permissions’ evaluator, which helps remove the guesswork from determining whether the permissions of a user or service account are overly scoped.”
Too-broad permissions on accounts and too-broad access control lists on objects represent the most common and most dangerous cloud security problems, Riley said.
The greatest threat to cloud environments is misconfigurations, said Frank Dickson, program vice president, security and trust at research firm IDC.
For example, open Amazon Web Services’ (AWS) Simple Storage Service (S3) buckets have been a source of high-profile breaches, and yet some organizations choose to leave these public cloud storage resources open, Dickson said.
“S3 buckets though are not open by default; they are closed,” Dickson said. “The client had to make a decision to open the buckets and leave them exposed. The old adage said that an ounce of prevention is worth a pound of cure. Well, an ounce of investment in proper cloud configurations is worth 20 pounds of cloud security tools.”
Cloud misconfiguration is the first thing attackers check for, according to CSA, and a small security oversight such as failing to remove an old account can cause problems in a matter of seconds. Among the common ways a cloud can be misconfigured are a lack of access restrictions and a lack of data protection, particularly for personal information that is uploaded to the cloud in plain-text form.
Another reason for misconfigurations, CSA said, is failing to audit and validate cloud resources. A lack of regular audits of resources and configurations can lead to a security flaw ready to be pounced on by malicious exploiters, the group reports.
Companies can also neglect logging and monitoring. The timely checking of data and access logs is vital to identify and flag security-related events.
Finally, organizations can provide “over entitlement” of access to users. User access should be restricted to only the applications and data that an individual is permitted to use, CSA said.
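The two problems Riley and Dickson describe above, over-broad permissions on identities and storage left open to everyone, both show up directly in the JSON policy documents that cloud providers use. The following script is an added example (not code from the article, CSA or any cloud provider) that audits a set of AWS-style policy documents for wildcard actions or resources on "Allow" statements and for a public "Principal" with no condition. The policy names, bucket names and ARNs are constructed for illustration.

```python
"""Audit AWS-style JSON policy documents for two misconfigurations:
over-broad permissions (wildcard actions or resources granted to an identity)
and storage exposed to everyone (a resource policy whose Principal is "*").
Added example; the policy documents below are constructed, not from any real
account."""
import json


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True when a statement's Principal grants access to anyone."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_policy(name, document):
    """Return a list of (policy name, statement id, finding) tuples."""
    findings = []
    for idx, stmt in enumerate(_as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        sid = stmt.get("Sid", f"stmt{idx}")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions or any(a.endswith(":*") for a in actions):
            findings.append((name, sid, "wildcard action"))
        if "*" in resources:
            findings.append((name, sid, "wildcard resource"))
        # A public principal is tolerable only when a Condition narrows it.
        if _is_public_principal(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append((name, sid, "public principal"))
    return findings


def audit_all(policies):
    """policies: mapping of policy name -> parsed policy document."""
    out = []
    for name, doc in policies.items():
        out.extend(audit_policy(name, doc))
    return out


# Constructed sample policies (hypothetical names and ARNs).
SAMPLE_POLICIES = {
    "admin-like-user-policy": json.loads("""{
      "Version": "2012-10-17",
      "Statement": [{"Sid": "TooBroad", "Effect": "Allow",
                     "Action": "*", "Resource": "*"}]}"""),
    "scoped-reader-policy": json.loads("""{
      "Version": "2012-10-17",
      "Statement": [{"Sid": "ReadOneBucket", "Effect": "Allow",
                     "Action": ["s3:GetObject"],
                     "Resource": "arn:aws:s3:::example-reports/*"}]}"""),
    "public-bucket-policy": json.loads("""{
      "Version": "2012-10-17",
      "Statement": [{"Sid": "AnyoneCanRead", "Effect": "Allow",
                     "Principal": "*", "Action": "s3:GetObject",
                     "Resource": "arn:aws:s3:::example-public-site/*"}]}"""),
}

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_POLICIES):
        print(*finding)
```

Run it as-is to see the three findings; in practice the policy documents would come from the provider's API or an infrastructure-as-code repository, and the scoped reader policy shows what a finding-free statement looks like. A provider's own "effective permissions" evaluator, which Riley mentions, goes further by combining every policy that applies to an identity, but this static check catches the most common pattern before it is deployed.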
Providing sufficient security for even a single cloud service can be a big challenge for organizations. Add more cloud services and more cloud providers to the mix and the challenge of protecting data becomes even greater.
And for a growing number of organizations, a migration to the cloud ultimately means having a multi-cloud or hybrid cloud environment. This can result in a highly complex infrastructure, encompassing a variety of public cloud service providers and types of cloud services, and it can introduce a number of security risks.
One of the early steps in addressing cybersecurity in a cloud-dominated environment should be to reduce complexity, Dickson said. IDC estimates that 80 percent of companies have more than one Infrastructure-as-a-Service (IaaS) provider, he said.
Many organizations are using multiple software-as-a-service (SaaS) and platform-as-a-service (PaaS) offerings from different providers as well, as they look to reduce operating expenditures and gain greater agility in providing services to users and customers.
Having multiple clouds, each with its own peculiarities, can be hard to protect. “Minimize the number of cloud providers if possible,” Dickson said. “Fewer cloud providers often means fewer security providers. Vendor consolidation further reduces complexity.”
As a consequence of ceding some control with the cloud, organizations should expect to perform more monitoring of cloud activity, Riley said, in order to demonstrate that governance procedures are in place and are being followed.
“Most CSPs provide the necessary tools to instrument resources, workloads and applications to gather raw log data, but might place limits on where log data can be stored,” Riley said. “Converting this data into useful information presents challenges and might require a CSP-provided or third-party product or service, especially if log data needs to be moved from one geographic region to another.”
Some Gartner clients prefer to rely on existing security information and event management (SIEM) tools, and many cloud services support the more popular ones, Riley said. Other clients report that SIEM tools are unwieldy and noisy, and instead prefer more cloud-native services.
“Before investing in yet another product, however, organizations should first investigate the cloud service’s built-in logging, reporting and analysis capabilities,” Riley said.
SaaS applications tend to offer collections of various reports that aggregate, correlate and analyze behavior. “These could be sufficient for organizations [that] use only one or a few SaaS applications,” Riley said. For organizations that subscribe to many SaaS applications, a cloud access security broker (CASB) or SaaS management platform (SMP) would likely be a better choice for assessing SaaS security posture and standardizing control and governance.
“IaaS and PaaS providers offer the primitives necessary for instrumentation and expect their customers to gather the outputs into a service that can make sense of the data,” Riley said. “Increasingly, IaaS and PaaS CSPs offer native incident analysis and investigation capabilities.”
In addition, cloud security posture management (CSPM) tools offer highly effective mechanisms for assessing the configurations of workloads and for detecting and remediating out-of-compliance settings.
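To make the monitoring advice above concrete, here is an added example (not code from the article or any vendor's ruleset) of a few detection rules run over CloudTrail-style audit events: console logins without MFA, root account activity, a bucket ACL set to a public canned value, and calls that stop or delete the audit trail. The events are constructed and simplified; the field names follow the CloudTrail record layout as understood here and should be checked against real records before reuse.

```python
"""Run a handful of detection rules over CloudTrail-style audit events.
Added example, not code from the article or a vendor ruleset: the events are
constructed and simplified (real records carry many more fields)."""
import json

# Events that change or disable the audit trail itself.
LOGGING_TAMPER_EVENTS = {"StopLogging", "DeleteTrail"}


def rule_console_login_without_mfa(ev):
    """Flag console logins where MFA was not used."""
    if ev.get("eventName") != "ConsoleLogin":
        return None
    if ev.get("additionalEventData", {}).get("MFAUsed") == "Yes":
        return None
    return "console login without MFA"


def rule_root_activity(ev):
    """Any use of the root account should be rare and is worth a look."""
    if ev.get("userIdentity", {}).get("type") == "Root":
        return "root account activity"
    return None


def rule_bucket_made_public(ev):
    """Flag PutBucketAcl calls that apply a public canned ACL."""
    if ev.get("eventName") != "PutBucketAcl":
        return None
    acl = ev.get("requestParameters", {}).get("x-amz-acl", [])
    if isinstance(acl, str):
        acl = [acl]
    if any(a.startswith("public-") for a in acl):
        return f"bucket ACL set to {acl[0]}"
    return None


def rule_logging_tampered(ev):
    """Turning off or deleting the trail is itself a high-signal event."""
    if ev.get("eventName") in LOGGING_TAMPER_EVENTS:
        return f"audit logging changed via {ev['eventName']}"
    return None


RULES = [rule_console_login_without_mfa, rule_root_activity,
         rule_bucket_made_public, rule_logging_tampered]


def actor(ev):
    """Best available name for who performed the action."""
    ident = ev.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or "unknown"


def detect(events):
    """Return (eventTime, actor, message) tuples for every rule that fires."""
    alerts = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                alerts.append((ev.get("eventTime"), actor(ev), msg))
    return alerts


# Constructed sample events, one JSON record per line (placeholder account id).
SAMPLE_EVENTS = [json.loads(line) for line in """
{"eventTime":"2024-01-05T08:00:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventTime":"2024-01-05T08:02:00Z","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"bob"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2024-01-05T08:10:00Z","eventName":"PutBucketAcl","userIdentity":{"type":"IAMUser","userName":"bob"},"requestParameters":{"bucketName":"example-reports","x-amz-acl":["public-read"]}}
{"eventTime":"2024-01-05T09:00:00Z","eventName":"StopLogging","userIdentity":{"type":"Root","arn":"arn:aws:iam::123456789012:root"},"requestParameters":{"name":"main-trail"}}
{"eventTime":"2024-01-05T09:05:00Z","eventName":"GetObject","userIdentity":{"type":"IAMUser","userName":"alice"},"requestParameters":{"bucketName":"example-reports","key":"q3.csv"}}
""".strip().splitlines()]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert)
```

Each rule is a small function returning either a message or None, so adding a rule means adding a function to RULES; the same structure drops into a SIEM ingestion pipeline or a cloud-native log query with little change. Note that the StopLogging event fires two rules at once, which is the kind of correlation Riley's "converting this data into useful information" refers to.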
Data encryption is one of the stronger security tools organizations can use to protect data if it somehow falls into the wrong hands.
“The protection of data becomes important in the cloud as data, by default, leaves the premises,” Dickson said. “Encryption of data in motion and data at rest is a must.”
Encryption offers an extra layer of logical isolation, Riley said. “For many security teams, debate swirls around the question of whether to encrypt everything by default,” he said. “For IaaS and for bulk storage in PaaS, a reasonable approach could be to do exactly that. It simplifies configuration procedures, avoids situations in which sensitive data is inadvertently exposed, and is useful for destroying data by just deleting the keys.”
Encryption also serves as a double-check for access control strategies, Riley said. “To read an encrypted object, an account must be present on two access control lists: that of the object itself and that of the key which encrypted the object,” he said. “Mechanisms that must agree when granting access represent a useful form of defense in depth.”
For SaaS and application layer data in PaaS, the decision is more complicated, Riley said. “Encrypting data outside the context of the PaaS/SaaS application reduces application functionality,” he said. “Organizations must weigh the trade-offs between functionality and isolation.”
Encryption is no substitute for trust, Riley said. “Doing anything useful with encrypted data requires decrypting it first and reading it into memory — leaving it exposed to memory-based attacks,” he said.
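Riley's two points, that reading an encrypted object requires being on both the object's access list and the key's, and that data can be destroyed by deleting the key, can be modelled in a few dozen lines. The following is an added example, not code from the article or any provider's SDK: KeyService and ObjectStore are hypothetical stand-ins for a key-management service and a storage bucket, and the HMAC-SHA256 counter keystream is a demonstration-only stand-in for an authenticated cipher such as AES-GCM, chosen so the example runs with the standard library alone.

```python
"""Model the 'two access control lists' property of encrypted cloud objects
and crypto-shredding.  Added example; KeyService and ObjectStore are
hypothetical, and the keystream cipher is demonstration-only (use a real
authenticated cipher such as AES-GCM in practice)."""
import hashlib
import hmac
import secrets


def _keystream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter keystream (demo only, not AES-GCM)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


class AccessDenied(Exception):
    pass


class KeyService:
    """Holds key material plus a per-key set of principals allowed to use it."""

    def __init__(self):
        self._keys = {}

    def create_key(self, key_id, allowed):
        self._keys[key_id] = (secrets.token_bytes(32), set(allowed))

    def use_key(self, key_id, principal):
        if key_id not in self._keys:
            raise KeyError(f"key {key_id} no longer exists")
        material, allowed = self._keys[key_id]
        if principal not in allowed:
            raise AccessDenied(f"{principal} not on key policy for {key_id}")
        return material

    def delete_key(self, key_id):
        # Crypto-shredding: every ciphertext under this key becomes unrecoverable.
        del self._keys[key_id]


class ObjectStore:
    """Stores ciphertext, the object ACL, and the id of the key that encrypted it."""

    def __init__(self, keys):
        self._keys = keys
        self._objects = {}

    def put(self, name, plaintext, key_id, principal, readers):
        material = self._keys.use_key(key_id, principal)
        nonce = secrets.token_bytes(12)
        ciphertext = _keystream_xor(material, nonce, plaintext)
        self._objects[name] = (nonce, ciphertext, key_id, set(readers))

    def get(self, name, principal):
        nonce, ciphertext, key_id, readers = self._objects[name]
        if principal not in readers:  # first check: the object's own ACL
            raise AccessDenied(f"{principal} not on object ACL for {name}")
        material = self._keys.use_key(key_id, principal)  # second check: key policy
        return _keystream_xor(material, nonce, ciphertext)


def demo():
    """Constructed scenario; returns the outcome of each access attempt."""
    kms = KeyService()
    kms.create_key("reports-key", allowed={"alice", "analytics-role"})
    store = ObjectStore(kms)
    store.put("q3.csv", b"revenue,1234", "reports-key", "alice",
              readers={"alice", "bob", "analytics-role"})
    results = {"alice": store.get("q3.csv", "alice")}
    try:
        store.get("q3.csv", "bob")  # on the object ACL but not on the key policy
        results["bob"] = "read"
    except AccessDenied:
        results["bob"] = "denied by key policy"
    kms.delete_key("reports-key")
    try:
        store.get("q3.csv", "alice")
        results["after_delete"] = "read"
    except KeyError:
        results["after_delete"] = "unrecoverable"
    return results


if __name__ == "__main__":
    print(demo())
```

The scenario shows the defense-in-depth Riley describes: bob is on the object's ACL, yet a mistake there does not expose the data because the key policy never included him, and once the key is deleted even an authorized reader gets nothing back. It also illustrates Riley's caveat: the plaintext exists in memory inside get() for whoever does pass both checks.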
Finally, as with any other cybersecurity initiative, educating users about security risks is vital. Migrating to the cloud is still a relatively new concept for many organizations and employees, so training and written procedure guides need to be a priority.
“Start educating yourself and your staff on cloud security,” said John Yeoh, global vice president of research at CSA. “There are a number of educational documents and courses available to learn about security fundamentals in the cloud.”
The CSA has a foundational document called Security Guidance for Critical Areas of Focus in Cloud Computing, and a training course called Certificate of Cloud Security Knowledge.
“For those using specific cloud services and tools, it’s important to have the knowledge of those tools,” Yeoh said. “Providers constantly add and change features in their services. Keeping up with the proper use of the features and understanding standard configurations is vital to the secure use of those services.”
Establishing a culture for security with basic cloud knowledge “is a great step to improving a company’s security posture by reducing the human error element and creating awareness of best practices in the cloud,” Yeoh said.
Education should also extend to knowing exactly what cloud providers offer in the way of security.
CSA’s Cloud Controls Matrix allows you to view and compare how cloud service providers meet or exceed baseline security requirements, Yeoh said.
“Having a framework of common cloud security controls that are being implemented in the industry creates trust and assurance for that cloud service provider and their services,” Yeoh said. “Identify security requirements that are critical to your organizational use of that service, and ensure that those requirements are met through controls provided in the framework. This practice can expedite the procurement process and improve your security posture.”