What Does Great Cloud Security Look Like?

4 April 2019 | Posted by Cass Information Systems, Inc.

Verizon, Marriot, Equifax, Under Armour, FedEx – just a few of the most high-profile names to be hit by security breaches in the last two years. At times it has felt as though the news cycle is one long cloud security snafu.

The seemingly endless torrent of businesses who’ve gotten security wrong, alongside hardening legal attitudes towards the protection of data (see GDPR in the EU and California Consumer Privacy Act 2018 stateside) and ever-more sophisticated hacking techniques, has moved cloud security right to the top of many organizations' agenda.

But when it comes to cloud security, confusion reigns. Recent research from Crowd Research Partners found that 84% of organizations say traditional security solutions are ineffective in cloud environments – leaving many unsure of what cloud security should look like. 

So, what does great cloud security look like?

Considering migrating to the cloud? Download our comprehensive guide to public  cloud computing today.

Understanding Your Responsibilities

Perhaps the greatest source of confusion for businesses switching to the cloud is over who’s responsible for security. In a private data center, the enterprise is solely responsible for the security of its data but with the move to public clouds, things have become a little more complex.

While the responsibility is ultimately your own, your cloud provider will assume responsibility for some aspects of security. The level of responsibility largely depends on what kind of cloud service you’ve opted for. For instance, leading infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) vendors, such as AWS and Microsoft Azure will assume responsibility for physical security but differ on the level of protection they’re prepared to offer for network and host infrastructure security.

Many organizations get this wrong on two levels. Firstly, in assuming that cloud providers are one and the same when it comes to security responsibility. Secondly, as a result of the first, neglecting to properly configure their security, thinking their provider will handle it. This might sound unlikely, but research from cloud security company, Threat Stack analyzed 200 companies using AWS and found that 73% had at least one critical security misconfiguration, demonstrating it’s actually endemic.

It could be something as simple as setting up proper encryption and password protection, but if left unchecked, the consequences can be disastrous. To be on the safe side, always review the vendor's policy on shared security responsibility to be sure you’re clear on who is tackling the various aspects of security.

Controlling Access Closely

Like the first point, this sounds simple, but so many enterprises get it drastically wrong. Redlock CSI’s 2018 cloud security trends report, revealed that a startling number of public cloud databases are open to the internet, in fact, 80% of resources do not restrict outbound traffic at all.

It’s exactly this sort of oversight that has led to some of the most high-profile breaches, including Verizon. The Verizon breach happened because an AWS S3 bucket (a public cloud storage resource) was set to allow external access – effectively giving anyone with an internet connection access to over 6 million customer records.

This is an all too uncommon fault: Threat Stack’s report found that 37% of organizations in its research had unsecured S3 buckets. Likewise, leaving secure shell (SSH) open is incredibly common – a mistake made by 73% of the enterprises in Threat Stack’s analysis. Like Verizon’s S3 bucket gaffe, allowing SSH connections from the internet means anyone with the ability to figure out the server location can bypass your firewall and directly access data.

How can you counter this?

It’s actually relatively simple: strict access controls. Firstly, many cloud providers offer access control and identity authentication tools, take advantage of that. Additionally, do as much as possible to restrict how many users have access and the permissions they have. When creating access policies, always grant the minimum set of privileges needed and temporarily grant additional privileges as and when they’re needed.

Harnessing All the Technology at Your Disposal

We’ve already mentioned that you should make use of the security offered by cloud providers, such as identity authentication and access control tools, but the technology available for tightening your cloud security doesn’t end there. Automated Self-healing cloud security is becoming more widely available all the time.

Self-healing automation identifies and programmatically fixes security vulnerabilities where it finds them or, for more complex issues, notifies a human that something is amiss. This technology is a perfect counterpoint to some of the common issues cited earlier, as they were, by and large, human oversights or errors. Provided it’s configured properly and not treated as a catch-all, automation at least partially removes the human element from your cloud security, making oversights less likely.

Using Encryption, Everywhere

Encryption is one of the key pillars of any cloud security strategy. Your data should be encrypted at every stage of its life cycle, whether in transit or in cloud storage. Unfortunately, many enterprises overlook the latter, mistakenly assuming that once the data is in the public cloud environment, it will be protected by their provider. So much so, that research conducted by RedLock CSI in 2017 revealed that 82% of public cloud databases were unencrypted.

While it’s likely that subsequent high-profile data breaches have served a short, sharp shock to many organizations, the amount of unencrypted data is still far too high. Put bluntly, if you’re not encrypting your data in transit and at rest, you’re asking for a security breach.

Where possible, you should maintain control of encryption keys. Even if you give your cloud provider the details, the reality is that the responsibility rests with you. In addition, if your cloud provider offers its own encryption service why not take them up on it? Encryption is perhaps the only true failsafe in data security and organizations ignore it at their peril.

Training Staff

This is one that you’ve probably heard before, but it’s no less relevant because of that. In order to protect what’s stored in your cloud, employees need to be aware of how to spot dangerous emails or activity, how to keep passwords and keys safe and secure, and how to avoid putting the enterprise at risk.

What’s more, it’s worthwhile explaining to staff the dangers of shadow IT and instilling a rigid policy on it. In too many workplaces, anyone with access to a company credit card can purchase a cloud instance or start using a service like Dropbox, without IT ever knowing until the bills turn-up or something goes wrong. Your employees need to understand not only why this is bad practice, but also the potential consequences for the company and their career.

Regular Checks

Finally, cloud security shouldn’t be something that you do periodically, it should be a continuous process. For this, you need to conduct regular checks of your cloud architecture for vulnerabilities and new threats.

This doesn’t have to be your IT team literally performing checks – although, that is a good idea  instead, you could harness a managed service partner to handle this side of things. Using a managed service partner has a few distinct advantages over doing it yourself.

Firstly, proactively monitoring your cloud security is a full-time job, and, as such, often requires a dedicated resource, a managed service provider can remove this extra cost. Secondly, a team of experts who dedicate their entire day to cloud security are far more likely to be aware of and prepared for new and developing threats than your internal IT department, keeping you that much safer.

Additionally, a third-party specialist will not only monitor your cloud security and keep you abreast of the latest developments, but they'll also address and resolve security breaches on your behalf.  Finally, speaking to an expert can also help you develop security best practices, going far beyond what you would ordinarily get from proprietary tools alone. This is particularly important in the arena of cloud security, where the risks are ever-evolving. 

For a comprehensive guide to all things cloud, download our e-book today

New call-to-action

Topics: Security, Cloud Management Services

Get weekly Cloud roundups direct to your inbox.