According to Gartner estimates, misconfigurations and mismanagement by the customer could be the key driver for 95 percent of cloud security failures by 2022. With cyber-attacks at a historic high since the pandemic, this does not bode well for cloud security. CIOs and businesses routinely worry about the security of their data in the cloud compared with on-premise servers, but the efficacy of cloud security depends much more on users actually applying the existing security tools to secure their own data.
While the media has convinced everyone of the stereotypical scenario of businesses being compromised through malware, real-life analysis of IaaS breaches reveals a different picture. In many cases, the hackers were simply opportunistic enough to take advantage of existing errors and misconfigurations that left the data wide open. Let’s take a deeper look at exactly what is causing and exacerbating the rampant misconfiguration problem.
Multi-cloud environments are now increasingly common among enterprises. Adding to the complexity of multi-cloud architecture is the prevalent lack of complete knowledge or awareness of all the cloud services actually in use at an enterprise, so it’s hardly surprising that misconfigurations are becoming more and more common. The pace at which IaaS vendors like Amazon, Microsoft, and Google add new features to stay competitive complicates this further. Despite their best intentions, security personnel struggle just to keep up with new features, and that leads to misconfigurations.
What is cloud security?
Cloud security refers to the measures and policies that govern the security of data and digital assets stored on the cloud that protect them from theft, leakage, and deletion. Common tools for implementing cloud security include firewalls, penetration testing (pen testing), obfuscation, tokenization, virtual private networks (VPN), and more. Get in touch with Cloud Direct Connects if you wish to know more about cloud security tools.
Comparatively speaking, data on the cloud should ideally be much more secure thanks to a host of features and functions with superior security made available by cloud service providers. On-premise data is more prone to breaches through social engineering and malware and is typically not protected by personnel who specialize in threat detection and mitigation. Unfortunately, the potential for security on the cloud is often not realized at all, as confused users simply forget to implement the available features to protect their data, applications, and networks, or end up misconfiguring them.
While the cloud itself is secure, users must do their part in actually implementing the extensive suite of features and functions available to protect their assets. They also need to take care of endpoint vulnerabilities, such as data accessed through mobile devices or weak credentials. Clouds hosted in countries different from that of the user further complicate the issue of data integrity. This can result in incompatible data regulation and privacy regimes.
7 Cloud Security Controls you should be using:
- Control Access on the cloud – Most cloud service providers offer identity and access control solutions, and you must make use of them to improve your security posture on the cloud. Using IAM or the like also ensures that you always know who has access to your data and when. IAM policies must be crafted on the principles of least privilege and need-to-know. Cloud Management Solutions can help you build and manage efficient access privileges.
- Centralized Visibility in the Cloud – Centralized visibility must be built into your configuration settings, security policies, and user activity for your data to remain safe, secure, and compliant. This can help you both assess and manage vulnerabilities in the cloud. Expert developers make use of cloud workload protection (CWP) tools, which can help users monitor the configuration status of their cloud-based software.
- Data-at-Rest Encryption – Encrypting data at rest in cloud storage can keep your most sensitive information secure from unauthorized access. This reduces the risk of data theft and helps protect your company and/or customers against ransomware attacks. In the worst-case scenario, encryption can buy you valuable time to warn your users to protect them.
- Secure the credentials – Your AWS access keys ought to be stored in Swiss vaults and you should make it a point of reminding your developers of the same. Try to have unique keys (with specific permissions) for each external service and restrict access with the least privilege. To assign specific privileges, you can always create IAM roles. Practice key hygiene with the periodic rotation of keys so hackers don’t have the time to capitalize on compromised keys and get access to your cloud. Keep tabs on user accounts to delete inactive ones as otherwise they only serve as potential routes for an attack.
- Security Hygiene – Your security features should be layered so that if one of your controls fails, the others can pick up the slack to secure your mission-critical applications, network, and data. Use multi-factor authentication to add more security to credentials, and minimize access to management consoles, dashboards, and privileged accounts. Cloud Migration Solutions can help you get acclimatized to the latest security hygiene tips and tricks.
- Improve visibility – Always turn on the security logging and monitoring features provided by the cloud vendor to keep tabs on unauthorized access attempts and more.
  Effective workload protection comes from efficient measures that include:
  - Traffic analysis
  - Periodic data storage analysis to detect sensitive or malicious content
  - Proper configuration monitoring and assessments
  - Alerts for configuration issues
  - Successfully pinpointing compliance issues arising from misconfiguration
- Tier IV Data Centers with Strong Physical Security – Some risk vectors come from the physical location of your cloud environment. Although it’s a last-ditch attempt, hackers and spies can still try to physically infiltrate your data centers to obtain high-value information. With direct access to hardware, hackers can have a field day exploiting your data or uploading malware directly to your systems.
  Tier IV data centers can help protect your high-value cloud environments by restricting access to hardware and physical systems hosting your cloud environment. Security measures can include:
  - Armed security patrols
  - Controlled access checkpoints
  - Biometric security controls
  - Least-privilege access
  - 24/7 CCTV monitoring
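The key rotation, inactive-account and multi-factor checks from the "Secure the credentials" and "Security Hygiene" items can be automated against the AWS IAM credential report. The following is an added example, not code from the original article; the 90-day thresholds, the sample rows and the function names are assumptions, and the report is reduced to the columns the checks read.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumed thresholds: the article recommends periodic rotation but names no number.
MAX_KEY_AGE = timedelta(days=90)
MAX_IDLE = timedelta(days=90)

# Constructed sample using a subset of the AWS IAM credential report columns.
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,true,2024-05-28T09:00:00+00:00,true,true,2024-04-15T08:00:00+00:00,2024-05-30T12:00:00+00:00,false,N/A,N/A
ci-deploy,false,N/A,false,true,2023-01-10T00:00:00+00:00,2024-05-31T23:00:00+00:00,false,N/A,N/A
bob,true,2023-11-02T10:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
old-svc,false,N/A,false,true,2024-05-01T00:00:00+00:00,N/A,false,N/A,N/A
"""

def parse_ts(value):
    """Report timestamps are ISO 8601; placeholders mean 'no value'."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)

def audit(report_csv, now):
    """Return (user, issue) findings for stale keys, missing MFA and idle accounts."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user, console = row["user"], row["password_enabled"] == "true"
        if console and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        has_credentials = console
        seen = [parse_ts(row["password_last_used"])]
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            has_credentials = True
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {n} older than {MAX_KEY_AGE.days} days"))
            seen.append(parse_ts(row[f"access_key_{n}_last_used_date"]))
        seen = [t for t in seen if t]
        if has_credentials and not seen:
            findings.append((user, "active credentials never used"))
        elif has_credentials and now - max(seen) > MAX_IDLE:
            findings.append((user, f"no activity for over {MAX_IDLE.days} days"))
    return findings

if __name__ == "__main__":
    for user, issue in audit(SAMPLE_REPORT, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(f"{user}: {issue}")
```

A recently created key with no recorded use is also reported as never used, so compare such findings against the key's rotation date before deleting anything.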
About the Author
Vice President at Shamrock Consulting Group
Ben Ferguson is the Vice President and Senior Network Architect for Shamrock Consulting Group, an industry leader in digital transformation solutions. Since his departure from Biochemical research in 2004, Ben has built core competencies around cloud direct connections and cloud cost reduction, SD-WAN providers, enterprise-wide area network architecture, high-density data center deployments, cybersecurity, and VOIP telephony. Ben has designed hundreds of complex networks for some of the largest companies in the world and he’s helped Shamrock become a top partner of the 3 largest public cloud platforms for AWS, Azure and GCP consulting.