Addressing Cloud Security Risks
Cloud adoption has gone mainstream. It’s no surprise, considering that cloud computing can alleviate the burden of purchasing, expanding, and maintaining physical infrastructure such as servers, storage, and network devices. It can also lighten the ongoing economic burden of operational costs tied to that hardware, including land, physical security, and disaster planning. What’s really driving the wholesale shift, however, are the speed and agility inherent to the cloud; the cloud allows for quicker creation and launch of new businesses, faster expansion, and the ability to be more nimble with new platforms or services, as cloud instances can be built without having to purchase or requisition hardware or data center space.
Just how significant is the cloud transition? According to IDG’s 2020 Cloud Computing Survey, 92% of organizations have an IT environment at least somewhat in the cloud today, with only 8% saying their total IT environment is entirely on-prem. Further, a recent Forrester report predicts that cloud security spending will reach almost $13 billion in 2023, up from $5.6 billion in 2018. Enterprises are investing in the cloud like never before, but managing this transition effectively takes planning and a careful weighing of security risks to take full advantage of what cloud computing has to offer. To design, build, and run a secure cloud infrastructure requires a substantial investment in skills and dedication to designing processes that take both risks and business needs into account.
Cloud security risks to know about
The benefits of the cloud are often enough to outweigh the risks, especially if business teams keep security in mind while designing and using cloud infrastructure. Knowledge of the risks is the first step toward addressing them effectively and systematically.
No one-to-one mappings causing misconfigurations
At the architecture level, security misconfigurations are common risk factors. The technology stack used by an on-prem service might not resemble its cloud equivalent. Cloud providers also offer multiple services to cater to specific technology needs, leaving it to the customer to choose the right service or component. This might lead to security misconfigurations while migrating to cloud solutions since there might arise implementation gaps due to no direct mappings between the on-prem solutions and cloud solutions. Many companies don’t have the skills on staff to evaluate the pros and cons of each solution, choose the best one, implement it, and secure it, leading to unnecessary risk. The business must plan to map their end goals while migrating to cloud solutions rather than creating configuration copies from their on-prem solutions.
Data security and privacy
Moving into the cloud requires a thorough consideration of data security and privacy risks. Cloud services offer reliable and scalable options for storing massive amounts of data, but taking advantage of those services securely requires deep knowledge. Permissions and access on data storage, such as Amazon S3 buckets, must be configured with the principle of least privilege in mind. Settings for data encryption at rest and in transit require proper setup. The business must also plan for and properly configure data residency and resilience since these often determine what data privacy and security regulations apply.
Insecure management interfaces
Cloud infrastructure also introduces risk at the management interface level. Cloud providers offer their services and platforms through APIs and web interfaces, and prospective users don’t necessarily know how secure those interfaces are. In on-prem infrastructure, a company has visibility all the way down to the physical layer into what was designed, how it was implemented, and how issues have been tested and remediated. On the other hand, many of those underlying features in a cloud infrastructure are implemented as management APIs and web interfaces, and it can be difficult to verify the security of components under the vendor’s control. If security lapses in those features lead to data loss, that risk still falls back to the cloud provider’s customer. And, it is the customer’s job to know how the provider defines their shared responsibility model, what the SLAs are, and when and how a cloud provider will fix, or compensate for issues when they arise.
If a company is using public cloud, it should also consider multi-tenant risks. In public cloud environments, different customers share the same cloud infrastructure. Each tenant’s security depends on the cloud provider’s isolation implementation. A compromise can expose multiple customers’ resources and data to each other and to malicious actors. Malware attacks can also break through and affect multiple customers if proper segregation is not enforced. Furthermore, distributed denial of service attacks targeted at one client can slow access to resources allotted to other clients.
Companies must choose their cloud preferences based on the sensitivity of their business needs. For example, if the customer data falls under stringent regulatory requirements, the business should opt for a private cloud solution that could provide an isolation cushion to mitigate multi-tenant risks. The business should also plan for a long term hybrid cloud strategy to benefit from this unique challenge. With such a plan, a company has the flexibility to select the best infrastructure for different needs - for example, choosing an on-prem solution for business-critical needs and a public cloud solution for analytics.
When moving into the cloud or expanding cloud services, a company needs to think from the start about how to monitor services and traffic, how to take in that information, interpret it, and get actual security intelligence out of it. Though a security team may already know how to configure and interpret monitoring for on-prem technologies, cloud services implement logging and monitoring differently. Companies need to ensure that the necessary expertise is available -- either on its security team or through a third party -- from the outset to determine whether a cloud provider allows enough forensic data to be collected to investigate security issues that tie into the management plane, to design the services properly, and to train security and operations teams on how to gather and interpret that security data from the cloud.
Getting ahead by mitigating cloud risks from the start
Securely moving into and operating in the cloud can feel like a race against time: internal security and infrastructure teams are trying to design secure systems, identify flawed controls, and secure infrastructure before attackers can find vulnerabilities and gain valuable information. By taking a programmatic approach, a business can minimize the risks of expanding cloud operations and build a foundation for a secure future.
Configuration, design, and management
Configuration design, management, and review are central to cloud security. After all, though top cloud providers consider security and offer a broad range of options for secure architecture, moving to a cloud provider does not mean that their security is automatically conferred upon an individual customer’s environment. Designing secure cloud instances and networks requires deep knowledge of each platform’s security options. It requires thoughtful configuration of services, templates, and accounts. It requires expert threat modeling from the outset and while launching any new app from the cloud environment, in order to anticipate how attackers will interpret user interactions and trust boundaries. And, it requires ongoing review and testing to ensure that configurations continue to follow security best practices and provide the necessary security controls. A tracking dashboard can help with ongoing configuration monitoring, and configuration reviews as part of periodic security assessments will also assist in spotting any glaring holes in the security controls.
A cloud security plan should also incorporate penetration testing of newly incorporated resources and services to get some valuable risk insight that goes one step further than configuration reviews by attempting to exploit vulnerabilities in identified segments or services within the cloud infrastructure. It shows the business what vulnerabilities can be successfully attacked, and what data may be compromised if attackers hone in on that part of the environment.
Team up with an experienced partner
Mitigating cloud risk involves a range of technical, staffing, and expertise challenges. To see the risks clearly, a business needs the right people to choose the best solution in light of both risks and business goals, and ensure that the solution is implemented securely. Even the largest businesses rarely have that full expertise on staff. After all, building that expertise takes time, and hiring people who both have that knowledge and are the right fit for the business can be an insurmountable goal. In many cases, it makes sense to work with a partner who already has the knowledge, certifications, and experience working in particular cloud environments.
Security Compass has that experience. We have over 30 certified Amazon Web Services (AWS) Solutions Architects on staff and our team executed over 20,000 hours of cloud security assessments across AWS, Azure, and Google Cloud Platform in 2019. We also have years of experience in DevSecOps across multiple cloud platforms, in multiple industries, and know the top cloud providers and their capabilities. We apply deep knowledge of the full range of cloud platforms and stacks and are transparent every step of the way when discussing the risks and rewards of moving into the cloud.
To keep learning about moving securely into the cloud, read our Cloud Security Guide. To find out more about how Security Compass can accelerate your transition into the cloud, read our cloud security data sheet, or contact our cloud security team so we can discuss your specific needs.