Some Essential Steps to Securing The Cloud
By Andy Wilkinson, Security Consultant at i-confidential
The value of the global public cloud service market is projected to reach $266 billion in 2020, based on research by Gartner. RightScale’s annual ‘State of the Cloud’ report found that 91% of businesses in 2019 were using a public cloud service, and 72% were using private cloud. LogicMonitor’s ‘Cloud Vision 2020’ study predicts 83% of enterprise workloads will be in the cloud by the end of 2020.
Whatever statistics you look at, it is clear that cloud computing is a big deal.
Cloud Computing – referred to simply as ‘cloud’ – is the delivery of on-demand services and computing resources over the internet. Cloud computing allows an individual or organisation to use resources online without the pain of being responsible for maintaining the underlying infrastructure.
Cloud services are generally ‘pay-for-use’, so users only have to purchase the precise amount of resources or services they require. This scalability and the minimal accountability that comes with it are two main reasons why the value of the public cloud market, again according to Gartner, grew almost 40% between 2017 and 2019.
So, a flexible, easily scalable, easily maintained, and low-risk service. A no-brainer, right? The answer in general is yes, but moving to the cloud is not a risk-free proposition. Many of the potential challenges are nothing new and have been associated with legacy on-premises solutions for years. Some, however, are unique to the cloud.
Below are three common cloud security issues to anticipate, and some ways they can be mitigated:
Account Hijacking and Weak Credentials
It seems like a story as old as time, but the majority of intrusions and data breaches are still caused by unauthorised parties using legitimate user accounts to gain access to a network, and the cloud is no exception. This is mostly done by either exploiting weak and insecure password policies or using phishing techniques.
A good way to help prevent this problem is to ensure all passwords adhere to a known standard (such as NCSC) and implement a form of two-factor authentication for all accounts.
A survey, undertaken by RedLock, analysed more than five million resources in customer environments, as well as vulnerabilities in public cloud computing environments. They found that 37% of databases accepted inbound connections directly from the internet. 7% of these databases were already being accessed from suspicious IP addresses. Configuration errors are a large source of data breaches within cloud environments. Due to the accelerated nature of cloud service adoption, these errors are usually caused by a lack of knowledge on the part of employees who don’t know how to properly configure and monitor cloud instances.
Configuration errors on the cloud don’t generally happen on purpose or with malicious intent. Organisations often overlook the need for upskilling and bringing in cloud expertise, or decide it is too costly. By training existing employees to fully understand cloud services and the policies involved, the risk of introducing configuration errors can be greatly reduced. Alongside this, there are many automation tools available to constantly monitor instances on the cloud for configuration errors and vulnerabilities.
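As an illustration of the kind of automated configuration check described above, the following added example (not from the original article or from any vendor tool) scans firewall rules for database ports that accept connections from any internet address. It assumes input shaped like the JSON returned by `aws ec2 describe-security-groups`; the port list, group IDs and sample rules are constructed for the example.

```python
import ipaddress

# Assumed list of common database listener ports; extend it for your estate.
DB_PORTS = {1433: "MSSQL", 1521: "Oracle", 3306: "MySQL",
            5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}

# Constructed sample, shaped like `aws ec2 describe-security-groups` JSON output.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-example-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-example-internal", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-example-range", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 1000, "ToPort": 2000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-example-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]}


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. any source address on the internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def exposed_db_rules(doc):
    """Return (group id, port, engine) for DB ports reachable from anywhere."""
    findings = []
    for sg in doc.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if not any(is_world_open(c) for c in cidrs):
                continue
            if perm.get("IpProtocol") == "-1":      # "-1" means all protocols and ports
                low, high = 0, 65535
            elif perm.get("IpProtocol") == "tcp":
                low, high = perm["FromPort"], perm["ToPort"]
            else:
                continue                            # udp/icmp rules are skipped here
            for port, engine in sorted(DB_PORTS.items()):
                if low <= port <= high:             # a wide port range can hide a DB port
                    findings.append((sg["GroupId"], port, engine))
    return findings


if __name__ == "__main__":
    for group_id, port, engine in exposed_db_rules(SAMPLE):
        print(f"{group_id}: {engine} port {port} is open to the internet")
```

The check flags rules, not running databases, so each finding still needs confirming against what is actually attached to the group.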
Rogue Cloud: Change and Access Management
According to recent research by Symantec, 83% of large enterprises acknowledge problems with unauthorised cloud deployments. Also known as ‘rogue clouds’, unauthorised deployments occur when employees create instances (for example a storage area) or set up accounts with a cloud provider without the approval or knowledge of an organisation’s IT security teams. The motives for rogue clouds vary, but they commonly come down to needing a ‘quick fix’ that is seen as easier than following the official process. Adding to the problem is the fact that these ad hoc deployments often fail to adhere to security best practice.
The uncontrolled nature and lax security of rogue cloud deployments can introduce a severe risk to your organisation. They can be prevented by implementing a strict change and access management policy, as well as setting up monitoring for unauthorised changes. Again, embracing automation can play a key role. In the case of automated implementation, if the task itself is quick and easy, employees are less likely to try to circumvent procedures. In addition, by using automated monitoring tools, the creation of any rogue cloud instances can be detected and remediated before problems arise.
With reduced costs, on-demand availability, and near endless capacity, cloud services are having a massive impact on the cyber security landscape. Ensuring your organisation has a basic understanding of cloud security concepts is a great way to begin your cloud journey.
The biggest cloud providers on the market, namely AWS, Azure, and Google Cloud Platform, all have security information available for free. AWS, one of i-confidential’s technology partners, has a vast library of reference materials, ranging from free training and community forums to in-depth papers on the AWS Well-Architected Framework, and more.
Cloud computing is an increasingly normal part of day-to-day business operations, and therefore the need to be ready for the adoption of cloud services has never been greater.