Following the fundamentals of cloud security can protect your business.
As companies increasingly look to cloud computing as a means to expand, modernize and stay competitive, they also expose themselves to new risks. In fact, Ermetic and IDC report that 80% of CISOs claim their company has had a cloud data breach in the past 18 months. Nearly half of those (43%) had experienced 10 or more breaches.
The benefits of cloud computing are numerous, but organizations cannot make the switch to this modern platform without understanding the risks involved and, more importantly, how to protect themselves, their staff and their customers.
So what is cloud security, and why is it so important? We’ve already started to answer this question, but let’s look at the details.
What are the risks of cloud computing?
1. Misconfiguration
Setting up a secure cloud environment is complicated, and there are many possible ways that it can go wrong without anyone realizing – indeed, the top cloud security issue reported by Ermetic/IDC was misconfiguration (followed by a lack of visibility into access settings, then identity permission errors).
Due to the inherently accessible nature of cloud storage, it doesn’t always take a high level of technical knowledge to breach a misconfigured system. For example, in 2018, a US-based not-for-profit accidentally exposed 3.5 million records (including personally identifying information, or PII) due to a misconfigured Amazon S3 storage bucket, which was inadvertently configured to be public and anonymously accessible.
There is no doubt that criminals are a problem (see below), but human error is a far more common concern. Poorly configured access controls or poor training can encourage staff to be careless with secure information. It is therefore up to security staff to ensure that the system is as protected as possible from the actions of staff, intentional or otherwise.
To quote Gartner: It isn’t so much about whether the cloud is secure … it’s mostly about how securely you are using it.
2. Criminal activity
While most issues may be down to human error, companies that store large amounts of PII or other sensitive information run the risk of being targets for cyber criminals. As such, IT must establish a cloud system with more than just the basic settings, default credentials and access controls.
Phishing and malware are common practices for getting into secure systems; in a sense, they are a criminal effort that causes human error – and which can be mitigated with best practices, such as ZeroTrust (which we talk about later in this article). More than half of the cyber attacks in 2018 in Germany were malware attacks.
Criminals also study the world’s most popular cloud storage systems, giving them intimate knowledge of how they operate and how to get around default security controls. They understand the technology, so you must do so as well.
What is cloud security?
Cloud security is a series of principles, methodologies and technologies that are designed to control and secure the cloud environment. Through the use of strict access controls, system audits, adherence to global security frameworks and other measures, cloud security can reduce the risks associated with moving to a cloud environment.
For those of you who intend to use one of the world’s leading cloud providers (Google Cloud, Microsoft Azure, Amazon Web Services), cloud security is, as we touched on, less about setting up a secure cloud and more about using it securely. After all, these companies have already invested large amounts of capital into securing their systems. However, anyone setting up their own cloud has more to consider – that’s where security architecture, protecting physical infrastructure, disaster recovery, maintenance and connection stability come in.
Cloud security also helps organizations remain in line with international regulatory standards such as the GDPR, and can prepare those businesses for future restrictions – which are always being considered. For example, to adhere to the GDPR, companies must ensure their cloud has been built with a proper architecture and that security and privacy were considered throughout design; otherwise regulators may apply hefty fines in the event of a breach.
Cloud security frameworks
To help guide the world’s IT professionals on good cloud security, there are three international frameworks to consider:
- International Organization for Standardization (ISO): International standards that provide exhaustive checklists to consider when establishing a new system. ISOs 27017 and 27018 in particular deal with cloud security.
- National Institute of Standards and Technology (NIST): A US-based body of international standards. Provides both framework checklists for establishing a new system and numerous articles on specific problems.
- Cloud Security Alliance (CSA): A more operational set of standards. Provides very detailed questionnaires and self-assessment forms to help audit third-party vendors and your own systems, to the technical level.
dig8ital’s Cloud Security Process
At dig8ital, we believe that to get the best results we have to follow not just one framework, but take the best ideas from all of them. That’s why we developed our own cloud security process, which takes into account best practices from around the globe.
The business benefits of switching to a secure cloud
- Enhance organizational flexibility: Popular cloud providers operate on a highly scalable licensing system, enabling companies to add or remove licenses as required to expand and contract. These can also be added almost instantly on many occasions, allowing for fast scaling (which is simply not possible with on-premises technology). As an added benefit, this provisioning of resources can typically be done programmatically, and therefore human involvement is not always required.
- Improve data security: By removing physical systems from your office, you remove the risk that they can be tampered with – no one in your business has direct access to the machines. Additionally, cloud providers will generally keep their technology up to date, patched and backed up, as they do not possess the infrastructure limitations of a typical company. This alone is a critical aspect of maintaining good security.
- Improve disaster recovery: Through a secure cloud, you can easily back up important data and recover it in the event of a disaster at your office locations. Remote workers can also do the same, as there’s no need to physically connect to a network. Additionally, this mitigates some of the risks involved with a lost or stolen device – administrators can quickly revoke the device’s access and prevent unwanted data loss.
To summarize: Why is cloud security so important?
Cloud computing gives companies access to the next level – next-level customer service through enhanced data gathering and storage, next-level flexibility through remote working and fast scalability, next-level convenience through interconnected systems with fast file and data sharing … the list goes on.
However, due to the risks of misconfiguration and the ever-present danger of cyber criminals, any company’s cloud environment must be secure to remain effective. And that’s where cloud security comes in. With cloud security, you can enhance the protection of your digital assets and mitigate the risks associated with human error, reducing the likelihood that your organization will suffer a damaging loss thanks to an avoidable breach.
What to learn next
If you’re ready to take the next step on your journey to the secure cloud, you’re ready to talk to the experts at dig8ital for a free consultation (see below).
That said, if you’d like to learn more before investigating providers and security experts, the next place to look is the technology and methodologies that underpin cloud security. So what are some examples?
- ZeroTrust: You might have built a team of highly trained, trustworthy professionals, but everyone makes mistakes. ZeroTrust eliminates the old security methodology of building a secure perimeter around the business and instead assumes that everyone – even internal staff – is untrustworthy. This lets you create access controls that give everyone the access they need and nothing more, helping secure your data from a potentially costly error.
- Runtime Application Self-Protection (RASP): This is the name given to a number of actions that can be used by an app to protect itself. Methods similar to a firewall are a key component here, as are automated code checksums, automated shared library checksums, self shutdown, triggering alerts to system admins, and blocking communication with other resources (e.g. interrupting communication channels with a database).
- DevSecOps: The world has moved on from DevOps. Now is the era of DevSecOps, a framework that brings security into the same equation as development and operations – making everyone accountable for security and quality.
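The code and shared-library checksums, alerting and self-shutdown listed under RASP above can be sketched as a startup integrity guard. This is an added example, not part of the original article or any product's code: the function names, file names and file contents are constructed, and the manifest is assumed to be produced at release time and kept where someone who can modify the application files cannot also rewrite it.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths):
    """Record known-good digests (assumed to run at release time)."""
    return {str(p): sha256_file(p) for p in paths}

def verify(manifest):
    """Return the paths that are missing or whose content no longer matches."""
    tampered = []
    for path, expected in manifest.items():
        try:
            actual = sha256_file(path)
        except OSError:
            actual = ""  # a missing or unreadable file counts as a mismatch
        if not hmac.compare_digest(actual, expected):
            tampered.append(path)
    return tampered

def guard(manifest, alert, shutdown):
    """Fail closed: alert the admins first, then stop the application."""
    tampered = verify(manifest)
    if tampered:
        alert(tampered)
        shutdown()
    return not tampered

def demo():
    """Constructed scenario: a clean start, then a modified shared library."""
    with tempfile.TemporaryDirectory() as d:
        code, lib = Path(d, "app.py"), Path(d, "libhelper.so")
        code.write_bytes(b"print('ok')\n")
        lib.write_bytes(b"\x7fELF constructed sample")
        manifest = build_manifest([code, lib])
        events = []
        stop = lambda: events.append("shutdown")  # stands in for sys.exit()
        clean = guard(manifest, events.append, stop)
        lib.write_bytes(b"\x7fELF modified after release")
        after = guard(manifest, events.append, stop)
        return clean, after, events, str(lib)
```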
Need help? That’s where we come in
As you can see, there’s a lot to learn when it comes to setting up (and using correctly) a secure cloud environment. While you can start to implement changes straight away based on what you’ve learned, in conjunction with the advice from authorities such as the CSA, it often pays to have a professional in this area work with you to ensure you get the best results for your risk appetite.
And that’s where dig8ital comes in. To speak with one of our experts about your unique needs and how our cloud security services could help you, book your free consultation today.