Cloud security is a growing concern for organizations everywhere.
That’s according to Bitglass’ 2020 Cloud Security Report, which found almost all (93%) respondents were “moderately” or “extremely” concerned about cloud security. Two-thirds said data leakage was their biggest concern.
Exaggerated fears are a concern, though, warns Jay Heiser, a VP analyst at Gartner.
“CIOs need to ensure that their security teams are not holding back cloud initiatives with unsubstantiated cloud security worries,” he says. “Exaggerated fears can result in lost opportunity and inappropriate spending.”
Rather than asking whether the cloud is secure, CIOs should be asking themselves whether they’re using the cloud securely. Here is what executives should know about cloud security, how to manage it and how organizations can balance robust security with the user experience.
The Cloud Is Inherently Secure
Built-in firewalls, redundancy plans, third-party testing, and the use of AI and other advanced technology all help make the cloud one of the most secure computing environments anywhere.
Not only does the security of the cloud exceed that offered by traditional data centers in multiple ways, the team at Touchstone Security writes, but the biggest cloud providers offer additional security features like analytics and cross-enterprise visibility. They’ll even handle some security practices like automatic system updates.
Some types of cloud computing are more secure than others, however. “Public clouds are appropriately secure for many types of workloads, but aren’t right for everything, largely because they lack the isolation of private clouds,” writes the team at Red Hat.
Public clouds mean leasing storage space alongside other organizations. You can’t choose your neighbors, though, and that means there’s nothing you can do if they let something harmful into the shared space.
That said, it’s important to emphasize that there are always going to be at least two organizations — your company and the cloud provider — that are responsible for your cloud environment’s security. AWS calls this the shared responsibility model of security. Within that model, the cloud provider is responsible for the security of the cloud, AWS writes. Your company is responsible for the security inside of the cloud. That includes things like the safe handling of customer data, application access management and client-side encryption.
From that foundation, you can begin to mold security practices and protocols to the specific needs of your organization.
What Else Threatens Cloud Security?
The threats facing cloud environments aren’t all that different from those facing traditional data centers, Sam Bocetta at InfoQ writes. Both rely on software, which always comes with the risk of vulnerabilities. And there will always be malicious actors looking for vulnerabilities to exploit.
“The major difference between a traditional data center and a cloud computing platform lies in which party, cloud service provider (CSP) or consumer, is responsible for mitigating which risk and which responsibility falls to the consumer.”
There are also problems specific to cloud solutions. Misconfiguration is one of the biggest issues and one likely to only get worse, Fahmida Y. Rashid and James A. Martin write at CSO. A cloud environment can end up misconfigured for multiple reasons, but it usually comes down to operator error. One example is an administrator failing to implement the security measures offered by the cloud provider.
In other words, cloud security vulnerabilities are sometimes a matter of user error. “In some situations, an enterprise may lack adequate operationalization and enforcement of policies, procedures, a formal operating model, or even a properly constituted organizational function to effectively manage security in the cloud,” Michael Addo-Yobo at cloud security company Coalfire writes.
“In other situations, the enterprise may also not sufficiently exercise its responsibility to protect data in the cloud or may lack the means for senior management visibility into cloud security performance and risks.”
4 Tips for Improving Cloud Security
There are multiple steps organizations can take to protect themselves against security vulnerabilities in the cloud.
Encrypt Cloud Data
Just because your data is in the cloud doesn’t mean it’s thoroughly protected, Solutions Review’s Daniel Hein writes. “That data can be accessed by anybody who can enter your cloud deployment, which means your business needs to keep your data secure at all times.”
Encryption is the best way to do this. “Encrypting cloud data helps protect your data by restricting access to the data to anyone without proper authorization,” he explains. “Cloud providers usually include native data encryption tools or features in the cloud environment itself, but you may have to consult third-party vendors.”
Automate Security Processes
Cloud service providers will typically offer tools that automatically detect any intrusions into your cloud environment. To use AWS as an example again, there are a couple of key tools that protect its cloud environments:
- Amazon GuardDuty is a threat-detection tool that uses machine learning to continuously monitor for intrusions or unauthorized activity.
- Amazon Detective analyzes and visualizes security data to help reveal the root cause of any intrusion or suspicious event.
Here’s where the idea of shared responsibility comes into play again. Your job, as the customer of such a service provider, is to collect as much raw data as possible to power those threat-assessment tools. The more data those tools have to understand your specific cloud environment, the more effective they will be.
Vet Vendors Thoroughly
It’s important for organizations to carry out due diligence before agreeing to terms with vendors, writes Aaron Sawitsky, senior manager of cloud partnerships at Rapid7.
“Make sure that any cloud vendors you consider have the required security certifications at a minimum, documented areas of security coverage and users’ security obligations, and are willing to answer questions about their cloud security practices, including whether they have experienced data breaches and, if so, how they have responded to them.”
Build a Process for Offboarding Users
One of the major benefits of having cloud applications is employees can log into them from anywhere in the world. Unfortunately, that benefit becomes a security risk when employees leave. That’s why having employee offboarding processes is essential, writes the team at Safewhere.
You can keep a log of which employees have access to which applications, but using an identity and access management solution is a safer option. “An (identity and access management) solution consolidates user IDs and passwords into a single identity which can be turned on and off for all cloud (and other) applications at once,” they write.
“This means that your IT administrators don’t need to run through a checklist of applications when HR notifies them that an individual is no longer employed by the organization.”
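The per-application checklist problem described above can be made concrete with a small audit. This is an added example, not code from the article or from Safewhere: it cross-checks an HR roster against account exports from each application and reports enabled accounts that outlived their owner. The roster, application names, field names and dates are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data: HR roster keyed by lower-cased e-mail address.
HR_ROSTER = {
    "alice@example.com": {"status": "active", "left_on": None},
    "bob@example.com": {"status": "terminated", "left_on": date(2024, 3, 1)},
    "carol@example.com": {"status": "terminated", "left_on": date(2024, 5, 15)},
}

# Constructed sample data: accounts exported from each cloud application.
APP_ACCOUNTS = {
    "crm": [
        {"user": "alice@example.com", "enabled": True, "last_login": date(2024, 5, 20)},
        {"user": "Bob@Example.com", "enabled": True, "last_login": date(2024, 3, 9)},
    ],
    "storage": [
        {"user": "bob@example.com", "enabled": False, "last_login": date(2024, 2, 27)},
        {"user": "carol@example.com", "enabled": True, "last_login": date(2024, 5, 10)},
    ],
    "wiki": [
        {"user": "carol@example.com", "enabled": True, "last_login": None},
        {"user": "dave@example.com", "enabled": True, "last_login": date(2024, 5, 1)},
    ],
}

def audit_offboarding(roster, app_accounts):
    """Return (app, user, finding) for every enabled account that should not exist."""
    findings = []
    for app in sorted(app_accounts):
        for acct in app_accounts[app]:
            if not acct["enabled"]:
                continue  # already switched off in this application
            user = acct["user"].lower()  # applications differ in how they case addresses
            record = roster.get(user)
            if record is None:
                findings.append((app, user, "no-hr-record"))
            elif record["status"] == "terminated":
                last = acct["last_login"]
                used = last is not None and last > record["left_on"]
                findings.append((app, user, "used-after-departure" if used else "still-enabled"))
    return findings

def apps_to_revoke(findings):
    """Group findings per user: the per-application checklist an administrator would face."""
    per_user = defaultdict(list)
    for app, user, _ in findings:
        per_user[user].append(app)
    return dict(per_user)
```

A `used-after-departure` finding means the account was logged into after the owner's leaving date and deserves review before anything else; `no-hr-record` accounts have no owner on the roster at all.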
Balancing Cloud Security With User Experience
There are diminishing returns to making cloud environments as secure as possible. At some point, security measures will begin to impact the user experience, and this can end up undercutting some of the benefits that cloud environments offer.
Security experts are well aware of the importance of usability when designing system security. The team at Condatis recommends using customer identity and access management technology to strike the right balance between security and user experience. Cloud-based software like passwordless authentication is particularly effective because it can be used by every system, thereby reducing development time.
“Authentication needs to be consistent across all your channels, so plan your system using single sign-on (SSO) and unified customer profiles,” they write. “Unified customer profiles collate your customer’s authentication data into a single repository so that it can be used seamlessly across your systems.”
Having the right team is also important, says Don Norman, cofounder of the Nielsen Norman Group and founding director of the University of California, San Diego’s DesignLab. Developers, usability experts and security specialists are all required to create a secure and usable cloud-based product.
Moving applications and legacy systems to the cloud is a great way to increase security while optimizing usability and performance. But creating a robust cloud environment in which security and usability harmonize isn’t always straightforward. Organizations must understand exactly what makes cloud environments vulnerable and seek expert advice where appropriate to protect their data.