As organisations continue to carry out digital transformation, cloud computing is on the increase, enabling those that adopt the technology to be on the frontline of innovation. The positives of utilising cloud infrastructures are well documented but a characteristic that often gets overlooked, much to the detriment of organisations, is security. 

With businesses looking to migrate away from on-premise technology, it is essential that steps are in place to protect the vital assets that transfer to the cloud. This will also avoid any serious disruption to the business overall. Nevertheless, there seem to be key areas of cloud security that continually seem to be neglected, so here are our tips on how to resolve them.

Knowing where the assets are

Even though the flexibility that cloud offers is seen as a positive, it can also add an element of anarchy for security teams. If the number of departments with access to a particular cloud infrastructure is high, it can become a mind field for security professionals to keep track of who is accessing what.

In addition, when companies transfer offerings to the cloud, visibility of assets can be obscured, especially when departments are given more freedom to deploy and use Software-as-a-Service (SaaS) and Infrastructure-as-a-Service (IaaS) solutions. To avoid a situation like this occurring, it should be advised that organisations implement security solutions that include auto-discovery functionality. With this efficient technology, businesses can conduct inventory checks within a timely fashion across networks, servers and workloads without shadow IT risks. As a result, security teams are given a comprehensive view of all deployments in the cloud, thus providing an accurate picture of the correlated risks between on-premise and cloud assets.

Lacking in cloud security skills

The cyber skills gap hindering the industry is very visible to this day. There are too few security professionals around and those that are qualified have limited time to take on more training. This is adding to the stresses and pressures of the job. In fact, in a recent study it was revealed 16 per cent of IT security professionals have admitted to ignoring critical security vulnerabilities due to lacking the necessary skills to rectify them. In addition, over a quarter (26 percent) confessed they have overlooked a critical security flaw due to having an insufficient amount of time to fix it. Furthermore, two thirds (64 percent) of senior executives claim their organisations are losing out on revenue because their teams lack the expertise to carry out what is required regarding cloud services.

Matters are made worse due to the number of security teams who must understand the many services that an individual cloud provider offers. For example, Amazon Web Services has 142 services. If the organisation fails to have the necessary knowledge on the cloud provider, how can security best practises be applied?

An alternative to address this scenario would be to outsource to a Managed Security Service Provider (MSSP) or software company that has the desired levels of cloud competency and that can guide the organisation. This can take place at the initial implementation stage of the cloud service and can be removed once the internal security team has reached a credible level of experience. Another tip would be to empower individuals who use the cloud to become awareness ambassadors within the company. Through security initiatives and further training, the ambassadors can push fellow colleagues to follow better security practices, which will raise the overall security posture of the company.

Securing the API

2018 has been a tough year for organisations that had poorly implemented Application Programming Interface (API) security. Salesforce, Panera Bread and Vemno were among the brands to suffer highly publicised data breaches and this is a continuation from incidences that took place in 2017, when sensitive data on millions of users became exposed from T-Mobile, Instagram and McDonalds.

The API is an integral part of the cloud infrastructure as it is the gateway or interface that provides direct and indirect cloud infrastructure and software services to users. Because of this, developers have relied on them to support the delivery and integration of products and services.

Yet, there is are risks associated with this as cloud services authorise third-party access which fundamentally exposes the APIs. This is an area of concern and a reason why security cannot be overlooked by the DevOps team.

Ensuring that security by design is the approach carried out throughout the development process falls on the shoulders of the DevOps teams. By following this method, organisations will gain a clearer understanding of what is required from an overall security standpoint. This will ensure the infrastructure is built with adequate authentication, authorisation and encryption as well as mitigate any known vulnerabilities.

With digital transformation fuelling much of today’s cloud adoption, companies mustn’t rush into deploying or migrating until security measures are addressed. Whether that security is conducted in-house or outsourced, there are measures that can be put in place to reduce most risks and help begin to build confidence in this growing infrastructure.

Previous articleUS tech firms set benchmark for data privacy
Next articleDigital transformation is transforming business
Sergio Loureiro is a Director of Product Management at Outpost24. Prior to this he was the former CEO and Co-Founder of SecludIT (which is now part of Outpost24), a pioneer in cloud security and a founding member of the Cloud Security Alliance since 2009. Sergio has worked in cyber security for more than 20 years. He has occupied senior management positions in 3 security startups where he was responsible for email security products and security gateways, as the lead architect of security products such as SSL VPNs, log management, web security and SSL crypto accelerators. His career started at research labs in France and Portugal. Sergio holds a Ph.D. in computer science from the ENST Paris and MSc and BSc degrees from the University of Porto. He is also the holder of 4 patents.