Securing Cloud Services

Cloud services enable customers to host servers and data and to run business and productivity applications. Going with the cloud fast-tracks time to market, reduces the maintenance burden on overworked IT professionals, and provides access to software stacks that were only viable for very large organizations in the on-premises era of IT. Because cloud services are developed by people (usually teams of people), they suffer from vulnerabilities just as other applications developed by people do.

Given the importance of cloud services to many organizations around the world, security researchers probe for weaknesses and vulnerabilities in cloud services, notifying the vendor in question of new discoveries that can hopefully be resolved before customer data is compromised and before cybercriminals are able to identify the same vulnerabilities and steal data. Security, therefore, is very important in selecting and deploying cloud services; it should never be treated as an afterthought. 

Why Invest in Cloud Security?

Why invest in cloud security? Very simple: because your data is there—strategy documents, financial reports, business projections, new product development ideas and plans, customer lists, sensitive customer data, employee records, health records, and so on. 

There are additional reasons too, but all flow from the fundamental principle that your data is there:

Threat actors see organizations moving to the cloud as converging data on hyperscale platforms that they too can access. Anyone can sign up for an account on a multi-tenant cloud platform to learn what does and doesn’t work from an attack perspective. These data and platforms aren’t hidden within bespoke corporate data centers anymore. Cloud vendors are actively enhancing native security capabilities to root out misuse and abuse. 

Phishing attacks have proven adept at stealing account credentials that can be used for breaching data. Once a threat actor has your cloud email credentials, the next step is to log in and see what’s around—look through your email, see what shared files you own and have access to, what threaded conversation groups you’re in (the more confidential the better), and so on.   

What is the Cost of Inadequate Cloud Security?

The current average cost of a data breach is a bit over $4.2 million, according to the latest study by the Ponemon Institute and IBM. This is 10% higher than last year and the highest average cost ever seen.

Capital One’s data breach in 2019 of more than 100 million sensitive records stored in a cloud storage account was even more costly, with regulators in the United States handing down an $80 million fine. The regulators found that Capital One had not established effective risk assessment processes prior to moving to the cloud and had not addressed weaknesses in a timely manner. That’s a hard line—albeit the reality—given the breach was executed by a security engineer who previously worked at the cloud provider and used their skills to develop a tool to automatically scan cloud instances for misconfigurations to exploit.  

Other costs are harder to quantify, falling within the domain of intangible or opportunity costs. Loss of customer trust is an example; it turns from an intangible into a tangible cost when customers switch to other providers with better data protection regimes. Wider reputational damage within the investment community, the supply chain, and even in the eyes of regulators is also costly, such as when investors withhold investment money, supply chain partners enforce tighter controls to protect themselves, and regulators decide to introduce new structural demands across an industry.

What Challenges Do CISOs Face with Cloud Infrastructure?

CISOs face a range of challenges with cloud infrastructure, with visibility into what’s happening high on the list. Key challenges include: 

  • Lack of visibility into what’s happening on each cloud instance, such as who is accessing what data, what they are doing with the data they’re accessing, where people are accessing data from (e.g., anyone accessing data from countries where your firm doesn’t work—which could indicate stolen or breached credentials), and of the current users, who is downloading abnormal volumes of data—which may indicate theft of data by someone getting ready to resign to work for a competitor. 
  • Knowing what types of data are stored in different cloud services, in order to catalogue the locations of confidential and sensitive data. If you don’t know what’s there, it’s incredibly difficult to enforce the right level of protections for access control, data security, and risk-based authentication approaches. 
  • Bearing ultimate responsibility for data breaches in cloud infrastructure, even in a shared responsibility model where the lines of responsibility are clearly divided between the organization and the cloud provider. Another way of saying that is “it’s never not your fault.” Customers who have their data stolen from your cloud provider will still blame your organization for the breach, and regulators will still hold your organization accountable for failing to protect the data customers have entrusted to you. It’s never not your fault. 
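As an added illustration (not code from the original article), here is a small Python script that applies two of the visibility signals listed above to constructed cloud-storage audit records: access from a country outside an assumed operating-country allowlist, and a per-user download volume above an assumed threshold. The record format, allowlist and threshold are assumptions for the example.

```python
import json
from collections import defaultdict

# Assumed allowlist: countries in which the firm actually operates.
OPERATING_COUNTRIES = {"US", "GB"}
# Assumed threshold: total bytes downloaded per user in the review window.
DOWNLOAD_BYTES_THRESHOLD = 500_000_000

# Constructed sample audit events (newline-delimited JSON), including one
# malformed line of the kind that shows up after log rotation.
SAMPLE_EVENTS = """\
{"user": "alice", "action": "GetObject", "country": "US", "bytes": 1200000, "object": "finance/q3-report.xlsx"}
{"user": "bob", "action": "GetObject", "country": "BR", "bytes": 80000, "object": "hr/employee-records.csv"}
{"user": "carol", "action": "ListBucket", "country": "GB", "bytes": 0, "object": "customers/"}
{"user": "carol", "action": "GetObject", "country": "GB", "bytes": 350000000, "object": "customers/list-part1.csv"}
garbage line left over from log rotation
{"user": "carol", "action": "GetObject", "country": "GB", "bytes": 300000000, "object": "customers/list-part2.csv"}
{"user": "alice", "action": "PutObject", "country": "US", "bytes": 5000, "object": "finance/notes.txt"}
"""

def parse_events(text):
    """Parse newline-delimited JSON audit records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken line should not stop the review
    return events

def find_unexpected_countries(events, allowed=OPERATING_COUNTRIES):
    """Accesses from outside the allowlist; a missing country is flagged conservatively."""
    return [(e["user"], e.get("country"), e["object"]) for e in events if e.get("country") not in allowed]

def find_bulk_downloaders(events, threshold=DOWNLOAD_BYTES_THRESHOLD):
    """Users whose total downloaded bytes (GetObject only) exceed the threshold."""
    totals = defaultdict(int)
    for e in events:
        if e.get("action") == "GetObject":
            totals[e["user"]] += int(e.get("bytes", 0))
    return {user: total for user, total in totals.items() if total > threshold}

def review(text):
    """Run both checks over a block of audit log text and return the findings."""
    events = parse_events(text)
    return {"foreign_access": find_unexpected_countries(events), "bulk_downloads": find_bulk_downloaders(events)}

if __name__ == "__main__":
    for name, finding in review(SAMPLE_EVENTS).items():
        print(name, finding)
```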

What Can Your Organization Do?

Your organization can do many things in relation to cloud security, and hopefully it is already doing at least some of them. If you haven’t started yet, or you want to check that you’re on the right path, start by requesting an assessment of which cloud services are being used across your organization, both sanctioned and unsanctioned. A modern Cloud Access Security Broker (CASB) will be able to provide this information, and if you don’t have one, add it to your shopping list. Based on this visibility, seek to understand what data is where, who is using it, and where the greatest risks lie. A modern CASB can help identify where sensitive data is unprotected in cloud services, check for misconfigurations, and provide a risk assessment of each cloud service using a weighted security analysis.

With a plan and a CASB in place, strong encryption comes into play. It has always interested me that encryption is one of only two technologies named in the GDPR, pseudonymization being the other. Protecting the actual data through strong encryption, wherever it is stored, is the only guaranteed way to prevent the breach of usable data. If every newly identified vulnerability in a cloud service comes with the assertion of “assume compromise”, then you must do something beyond what the cloud service natively offers to protect your data. Correctly set access controls can keep bad actors out, until access credentials are compromised. Security-aware services can reduce the likelihood of a breach, until an application vulnerability gives back-door access. How about … strong encryption of your data where you manage the encryption keys across all your cloud services?