State of the Cloud
The cloud is dramatically changing the way current and new organizations run their business. According a report by LogicMonitor, 83% of enterprise workloads will be in the cloud by 2020.
Cloud computing provides businesses with unparalleled flexibility and agility to scale, helping to level the playing field for small businesses to compete with established market leaders. In a matter of clicks, organizations are now able to massively and temporarily scale their computing capabilities just to accommodate a big event.
But with this level of freedom that cloud users have comes a unique layer of cybersecurity risk that organizations must be concerned about.
Security In The Cloud
Because of the way that the cloud needs to be configured for self-service and user control freedom, cloud providers can only ensure the security of their physical infrastructure. As a result, cloud users play a big role in ensuring the security of the cloud.
This is known as the shared responsibility model of the cloud, which applies across all major cloud service providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform. With this model, the onus of correct and secure configurations of resources, user access controls, data management, and network traffic falls on the customer behind the cloud.
If configured incorrectly, organizations are exposing their crown jewels and confidential data to attackers who crawl the Internet for such opportunities to exploit.
Prominent Cloud Data Breaches
In 2017, Accenture mistakenly left four of its AWS S3 buckets to be publicly accessible. The result of this cloud misconfiguration was the exposure of hundreds of gigabytes of sensitive client and company data, which included over 40,000 plaintext passwords.
Another 2018 case saw Tesla expose its access credentials to its AWS environment through an open S3 bucket. Attackers then used these credentials to run crypto mining scripts on Tesla’s unsecured Kubernetes instances. In fact, this nefarious usage went unnoticed by Tesla until third party researchers eventually discovered this unprotected Kubernetes console.
Without considering the other data breaches that are a result of insecure cloud configurations, clearly they show that cloud users and organizations migrating to the cloud aren’t quite ready to handle this added security responsibility in the cloud.
According to Gartner, 99% of cloud security failures will be the customer’s fault through 2025. Whether this is primarily due to a lack of security expertise or a lack of adequate understanding of cloud risks, organizations who have business critical assets available in the cloud need to begin a security discussion.
How About Compliance?
Cloud migration has increased the compliance burden on organizations. Because the cloud is new and still not well understood, organizations are challenged and unsure of how to handle compliance for their workloads in the cloud. Already, specific cloud compliance requirements are included in regulations like the PDPA, MAS TRM, and OSPAR. Organizations that are slow to respond are at risk of facing harsh financial penalties because of non-compliance.
Starting Steps Towards Cloud Security
In principle, the security and compliance challenges in the cloud aren’t different from on-prem environments. The gap that IT and security teams need to bridge is in identifying the people, processes, and technology that understand the ins and outs of cloud computing. Considering the shortage of both cloud and security talent, it makes sense for organizations to leverage the expertise from security partners to conduct this gap analysis.
With a limited budget and resources to manage security and compliance issues, gap analyses take on a risk-based approach to help organizations get the most bang for their buck as they implement the adequate security controls to mitigate their biggest business risks.
There is no one-size-fits-all solution for cloud security. For some organizations, utilizing RegTech and dedicated cloud security software on a regular basis is sufficient. For others, engaging security experts to conduct cloud penetration tests and frequent security assessments may be required. Whatever the case may be, it pays for organizations to start the discussion early in order to stay ahead of attackers and regulations.