Sep 29, 2019
We live in a cloud-first world. The global cloud computing market is expected to grow to more than $600 billion by 2023, exceeding the GDP of the twentieth largest economy in the world, Switzerland. And yet, 66% of IT pros say that security in the cloud remains their number one concern.
But it seems that the cloud itself is not to blame. An overwhelming majority, namely 95% of cloud security failures, result from mistakes, misconfigurations and errors made by the users, not the inherent insecurity of the cloud itself.
These numbers make sense, since the advantages of the cloud over on-prem architectures (e.g. agility, scalability, flexibility, and accessibility) have a flipside. When not properly managed, these very traits make critical errors more likely, more severe, and more frequent.
So, the question that IT executives need to ask themselves is not, “Is the cloud secure?” but rather, “Am I using the cloud securely?” Here are the most important steps that CISOs and their cyber security teams should be following to optimize security in the cloud.
Muddied visibility is the number one contributor to subpar security in the cloud environment. It’s the assets that you don’t see, and are therefore unable to manage, that are likely to be responsible for your next breach.
To protect cloud environments, CISOs must achieve crystal clear visibility into all assets, penetrating through all layers starting at the cloud control plane, continuing through the operating system and basic infrastructure levels, and all the way through to the application and data layers. Yet, often security teams rely on technologies for security assessment that haven’t changed in the last 20 years and were simply not built to address the complexity of cloud architectures. In the cloud, we can no longer rely on agents and network scanning tools to gain meaningful insight into security posture.
It no longer makes sense to settle for limited visibility and high TCO, especially when cloud-native tools for full-stack visibility are available and at a fraction of the cost.
Relying on credentials to keep enterprise environments safe is not a good idea. Despite the best efforts to educate, users still overwhelmingly use weak and insecure passwords.
Password reuse is also a serious issue that damages security posture. Though 91% of the respondents profess to understand the risks of using the same passwords across multiple accounts, 59% admit they do so anyway. This threat is exacerbated by the increased use of “account checker” and “credential stuffing” tools that are used to bulk test credentials, typically obtained from data breaches or leaks, against a variety of cloud services.
That is why multi-factor authentication is no longer optional. According to Google research, adding a multi-factor capability to an account blocked 100% of automated attacks, 99% of bulk phishing attacks, and 66% of targeted attacks during the period they investigated.
Cloud means global availability, and you must not put yourself in a situation where credential theft equals the possibility of a breach.
Phishing and other forms of social engineering attacks rely on the weakest link in security: the users. Those attacks can bypass even the strongest security measures, such as otherwise strong email security gateways, network firewalls, and endpoint security solutions.
Even the best defenses on the planet won’t protect you when your authenticated users willingly give away the keys to the front door. This is why ongoing cyber security awareness training is a very effective tool in optimizing the level of cloud security. Awareness training has proven to be a very effective measure (maybe the only measure) against social engineering attacks.
Strengthen the training with realistic phishing simulations and engaging, topical content to significantly raise the security IQ of your users, reducing the likelihood of user error, and improving the overall security posture of your enterprise.
When everyone’s responsible for security, no one is. Between DevOps, Sys Admins, and outsourced staff, the lack of clarity as to who is ultimately in charge of security can leave your organization exposed.
While the implementation usually falls under the domain of the developers and DevOps teams, security teams must have a clearly defined role in auditing and ensuring that the environment is secure both before it goes into production, and post deployment. Security audits must be incorporated into all processes as a necessary step that cannot be skipped for convenience.
When it comes to IAM policies, it is important to achieve a balance between speed and agility while maintaining security.
As stated above, human error is by far the leading cause of security breaches in the cloud. In the cloud world, even critical changes generally happen on a single console, which gives ample opportunity for human error. The solution is to adopt an approval process whereby changes require approval by at least two parties.
“Always be prepared.” The old scout motto still rings true. Business continuity must be maintained, no matter the cause of the disruption: data breach, natural disaster, critical hardware failure, misconfiguration, human error, or anything else.
Resilience and business continuity planning must be well documented and refreshed often, and must include a robust data recovery plan that can contend with the loss of access to a network, whether intended or accidental.
To ensure optimal security in the cloud, CISOs and their teams need to set up clear procedures and policies when it comes to deploying cloud assets. Crucially, they need to clearly define and enforce responsibilities between Development, DevOps and Security teams, and make sure that business users are trained to recognize sophisticated phishing and social engineering attacks.
But the first order of business when it comes to optimizing cloud security is to gain full-stack visibility into your cloud environments, and there is very little choice in how this is achieved.