Cloud is an important mechanism for digital transformation. However, many companies still operate with an outdated mindset, which can cause them to make many mistakes.
When businesses increase cloud capability and cloud velocity, they often produce new risk areas outside of their scope. For example, over the last few years, application developers have been known to quickly adopt cloud computing due to the demand for faster coding capabilities. Yet, digital infrastructures unable to support this need also fail in the process of migrating from development to testing to production. Nonetheless, as Agile and DevOps methodologies become increasingly utilised, businesses must accept cloud as critical infrastructure to their operations.
However, many businesses are still operating in legacy on-premise environments. While the issues, challenges, and risks involved when using cloud computing differ according to the context, companies need to evolve and adapt with the times, as on-premise tasks are not always easily mapped to cloud operating environments.
Relying on a single provider also comes with its risks when outages occur. For example, customers of Amazon Web Services, including Slack, Okta, and Jobvite, were left trapped and vulnerable when an outage incident occurred in December 2021. Even though cloud providers secure servers and infrastructures, many breaches still happen due to defaults, poor architecture and complexity in hybrid and multi-cloud settings. Therefore, it causes the client – not the cloud service provider – to ensure these are secure. This is the genesis of the share security operating model.
How to mitigate cyber risks
The Cloud Security Alliance outlined the top 11 challenges CISOs have found around cloud consumption to help raise awareness of the lying threats, risks, and vulnerabilities. They are famously known as the Egregious 11:
- Data breach
A data breach is when an unauthorised individual views, steals or uses sensitive or confidential information. To help data breach victims, the CSA advises organisations to develop a well-tested incident response plan, which also considers the content security policy and data privacy laws.
- Misconfiguration and inadequate change control
Misconfiguration happens when computing assets are built incorrectly, which leaves them open to malicious activity. To combat these issues, companies should embrace automation and employ technologies that scan for misconfigured resources continuously and remediate problems in real time.
- Lack of cloud security architecture and strategy
On a global scale, organisations are moving portions of their IT infrastructure to public clouds. One of the most significant issues relating to this is the application of the necessary security architectures needed to withstand cyberattacks.
- Insufficient identity, access, and key management
Cloud computing can impact an organisation’s identity, credentials and access management. Avoid security incidents by implementing two-factor authentication, rotating keys and removing unused credentials or access privileges. Establish guard rails to minimise access drift.
- Account hijacking
Account hijacking is when malicious attackers gain access to highly privileged information. According to the CSA, a way to manage account hijacking is through “defence-in-depth” and Identity and Access Management (IAM) controls. A defence-in-depth strategy is one that enforces multiple layers of security controls.
- Insider threat
This is when a person – who has, or previously had, authorised access to an organisation’s networks, computer systems and sensitive company data – uses their privileged access to behave in a way that could negatively impact the organisation. Avoid this by taking precautions to help minimise insider negligence, such as security employee training.
- Insecure interfaces and APIs
Cloud computing providers allow customers to manage and interact with cloud services by exposing a set of software user interfaces (UIs) and Application Programming Interfaces (APIs). Best practices recommend correctly protecting API keys and not reusing them.
- Weak control plane
A weak control plane means users cannot protect their cloud-based business data, which can cause data loss, either by theft or corruption.
- Metastructure and applistructure failures
Metastructure and applistructure are two crucial elements of a cloud service, as there can be critical consequences by failing to involve these components. The metastructure, also referred to as the “waterline”, serves as a boundary between Cloud Service Providers (CSPs) and their customers. Above the waterline, cloud applications must be reinforced accurately to reap the benefits of the cloud platform fully.
- Limited cloud usage visibility
Limited cloud usage visibility leaves an organisation unable to have the ability to see and analyse whether cloud service usage is safe or malicious. Complete cloud visibility needs to be developed from the top down to manage these risks.
- Abuse and nefarious use of cloud services
Malicious actors can use cloud computing resources to exploit users, organisations, or other cloud providers. To mitigate the misuse of resources, CSPs need to have an incident response framework.
The ‘Egregious 11’ list highlights that businesses struggle to establish a clear cloud security architecture or identity strategy. The solution is to efficiently and safely ensure that all relevant identities can access resources and that there are clear instructions for proceeding when a bad actor takes over. Cloud systems can be infiltrated by targeting the gaps in identification. Moreover, application developers frequently work to meet deadlines. Consequently, they struggle to embed security into their operations and culture. This is paramount in order to maintain a resilient cloud environment.
Companies finding it difficult to manage cloud configuration and monitoring effectively should adopt a “shift left” approach by integrating security into the application development lifecycle earlier.
How to develop cloud visibility
Although cloud migration improves operational capabilities, increases speed, and helps to reduce costs, if executed poorly, it can have financial, reputational, and material repercussions from vulnerable cyber risks, which can affect business leaders. Furthermore, it is essential to oversee identity governance and access when operating in a fragmented cloud environment, as a lack of foresight can cause irreparable damage to an organisation.
Intra-cloud resilience is only attainable once there is full visibility and transparency in the cloud. Once made possible, organisations can establish a clear understanding of how to access data and who will be granted access. Essentially, a company must weave cybersecurity into its cloud roadmap. All while focusing on mitigating and minimising lateral movement.
Security teams need graphical visualisations that easily show how data and identities are connected to ensure maturity levels can be baselined and reinforced. This can help with prioritising the enforcement of identity, data classification and entitlement (access) as the standard controls for their multi-cloud security strategy.
All customers, whether SMEs or large enterprises, are expected to use more than one cloud. This means they must have a clear understanding of what ‘multi-cloud’ looks like and need to ensure access to the correct architecture and strategy is properly secured to gain the maximum benefits of the cloud. The challenge is ensuring this is done without compromising operational and cyber resilience.
Cloud security that is below average will inevitably lead to a cyber breach. The ‘Egregious 11’ explains well how businesses today can ensure a plan of action is in place for when bad actors attempt to corrupt their resources. Reports like those from Cloud Security Alliance help raise awareness of the risks involved with poor cloud security and provide guidance to organisations, helping them to reduce security breaches and data theft. Such attacks can cause reputational and financial harm to businesses.
Moreover, cybercriminals are counting on corporate leaders to move quickly and forget about making sure the basic precautions are in place. Businesses must remember to ‘shift left’ and design security upfront into the process instead of suffering the consequences after the damage is already done.
JD is a client partner at ISTARI. For nearly three decades, JD Sherry has established himself as a trusted senior advisor for the protection of Payment Card Industry (PCI), Health Information Privacy Act (HIPAA) and Personally Identifiable Information (PII) data, offering strategic consulting at the c-level and board level.