While the cloud has introduced many new ways of working it has also introduced many new security challenges. Not because the cloud is inherently less secure but because it requires a different way of thinking about security.
The public cloud model requires organizations to trust third parties, so that means transparency is a big issue. This puts a lot of faith in the cloud provider’s tenancy design and how many barriers there are between the data assets of multiple customers.
Because an organization is giving up a lot of control, due diligence should be focused on the SLA as a way of creating a transparent relationship with providers. Only with the advent of the cloud has the industry adopted an approach where an organization’s data is a system that is managed and continually modified and improved by a third party.
Multi-cloud redundancy is one way of dealing with this particular challenge but also means you are spreading the same potential threats across multiple parties.
Misconfiguration is the main problem
But as with most security threats, the most common culprit is misconfiguration and when it comes to the cloud, the type of misconfigurations we see most often are similar to those we see in a data center environment. Typically it’s not a ‘cloud’ misconfiguration as such but one or more of the services or software applications running within the environment.
The challenge is primarily a lack of experience in configuring cloud infrastructure. Because the cloud has made it easier to roll out new apps and services, we typically have lots of new users of IT services that are not as security conscious as IT specialists.
There are more varied users
In fact, a recent survey of 1,032 IT workers by technology procurement marketplace Probrand found that more than one in five (21%) don’t actually know what a ‘cyber-attack’ constitutes. Almost half (43%) of the IT workers surveyed admitted to being unaware of how to defend their company from a cyber-attack, with one in three (32%) relying on external agencies for crisis support.
In the cloud’s defense however, while the attack surface of the cloud is indeed larger than that of a private data center, the opportunities and ability to secure it are also much better. The main challenge is in understanding how to secure the cloud, especially as a user of cloud services.
If we look at misconfiguration, one of the main reasons it goes unnoticed for so long is that users of cloud services fail to turn on or properly configure logging tools. With both direct logging and API available, cloud services offer a far easier way to log an environment than a typical data center. But if you don’t have visibility of what you are trying to protect, you can’t properly protect it.
Logging is essential
Because cloud environments offer so much abstraction, organizations are spinning up virtual machines (VM) and containers more than ever. Without logging it can become easy to quickly lose track of all these assets, especially as more an more ‘non-IT’ users are able to operate such services. What if one of these users spins up a VM and gives it more privileges than it needs? What if misconfiguration makes it vulnerable? If it is compromised the attacker or malware has access to a platform with escalated privileges.
One of the benefits of APIs are that components are able to talk to each other in unprecedented ways, making it easier to cover the entire surface area of a cloud instance from a security perspective. This of course is dependent on the integrity of the APIs but the point is the much of cloud security is down to how you access the environment and not the environment itself.