Here’s What Security Teams Need To Know As Workloads Shift To The Cloud
A Look At Risk, Readiness & Compliance
The shape of the enterprise is changing – typically in sync with capabilities of the cloud. Workloads are steadily migrating there, via public, private, multi (combined) or hybrid (combination of internal and external) cloud setups.
The cloud uses a remote-server network to store, manage and process data, opposing the previous practice of local-server and/or personal computer (PC) storage. Each aforementioned form may offer enterprise cost benefits, as well as other efficiencies (e.g., steadier output, more storage (external), economies of scale, default security settings, etc.). Yet, as with any technological advance, cloud computing becomes another entry point for threat actors. In fact, cloud computing, in an unsecure state, drastically widens the attack surface.
But where does cloud security stand at the moment? Is it possible to streamline these ongoing migrations? How about the security controls behind them? Many security practitioners and their respective organizations are facing these tough questions head on. Cloud security also comes down to an understanding of risk, configuration and compiling the right security team.
In a recent article for the Cyber Security Hub, Enterprise Strategy Group (ESG) Senior Analyst, Doug Cahill, said that the “notable level of industry activity is indicative of an acceleration of market maturity driven by a cloud security readiness gap.”
He said “most IT and cyber security teams are catching up to secure the cloud services, applications and infrastructure their organization is already using, and to do so, they are retooling their processes, policies, skills and technologies.”
What’s more, Cahill said that “we are way past security concerns gating cloud adoption. Those that cite concerns about the security of public cloud services as the reason for not using them are either required to operate in an air-gapped environment, or, quite frankly, are oblivious to the fact that their business units have done an end-run around them to the cloud.”
Nevertheless, Cahill said that hybrid clouds “are becoming more complicated by virtue of being multidimensional.”
To secure these platforms, Cahill said organizations are increasing their spending on cloud security. ESG research highlights 43% of organizations which indicate they intend to increase their spending on cloud application and/or cloud infrastructure security.
Many of the challenges surrounding the cloud involve compliance. This has dual meanings: security teams assuming cloud providers offer sound oversight and protection of stored data, and assumption of risk.
Recent data privacy measures such as the General Data Protection Regulation (GDPR) out of the European Union (EU) require organizations to be exceedingly more careful with citizen data. For example, it mandates data “erasure” and “rectification,” along with transparency and identification – between data subjects, controllers and processors.
But CISOs and the like must now have a firm grasp of the data they store, and where it resides. Those with internal databases and archives, and other forms of storage, may be in an ideal position for data identification. But when that data is stored on external servers, classification becomes an additional hurdle.
Knowing the location and purpose of aggregated data is an issue plaguing some security teams (or affecting them unconsciously). To remedy this, CISOs and the like could be strict with provider selection (robust security controls and geolocation), employ their own encryption and emphasize scrutiny of the provider’s security posture, among other options.
Adapting To Threats
In combating even newer threats such as “crypto-jacking” (hackers using cloud services as compute channels for cryptocurrency mining), security teams have to embrace the aforementioned security controls.
The possible readiness gap, as discussed earlier, comes into play and oftentimes allows for outbound traffic from cloud resources (freeing them up to potentially excessive coin mining). That is, some settings by default allow for this maneuver, sometimes unbeknownst to ill-prepared security teams. Outside of the crippling issue of account takeover (root logins and the like), also adjusting the default security settings remains key – including restricting that outbound traffic.
Additional tips that become largely universal with regard to (optimal) cloud security include: Comprehensive risk management and business continuity plans, infrastructures that allow for red-team activities (to translate findings to protocols), enforcing strict identity and access management (IAM) controls (across the board and for users, privileges, etc.) and leaning on benchmark programs for best practices. Essentially, cyber security must be a top priority in the enterprise.
Getting the right pieces in place will also prove quite instrumental. In a recent article for Tech Republic, Daria Kirilenko, Director for Information Risk Research at Gartner, said: “When it comes to building a cloud security team, it’s typically not feasible for companies to seek out a ‘unicorn’ candidate who is an expert in a certain cloud provider, understands cloud architecture and has software development skills.” She said CISOs should consider their team as a “portfolio of skills.”
Other key areas in the progression of cloud security may include embracing automation. These tools should allow for in-depth analysis of scores of data sets, limit alerts to actionable items and work in such a way as to allow for human intervention in complex scenarios. That interplay, it seems, will be crucial – even in the cloud.
Be Sure To Check Out: Cloud-Based Security Extends Protection To The Edge