Designing a secure cloud architecture


Reports of cloud security breaches are becoming more prevalent among mainstream media channels, but they are often framed with vague explanations. The often sensationalised descriptions of the perpetrators and the ambiguity of the underlying concepts and technologies may lead organizations to believe that adopting the cloud is an overwhelming task, and that doing it in a secure manner is almost impossible.

However, the challenge is not the security of the cloud itself. The real challenge is putting the policies and frameworks in place to ensure that best practice is followed, user fallibility is minimised and risks are mitigated.

There are four important topics to consider when planning your cloud infrastructure and/or your migration to the cloud.

Data Leaks

The Cloud Adoption and Risk Report produced by McAfee in 2019 showed that sharing of sensitive data over the cloud had increased by 50%. A fifth of all files they scanned contained potentially sensitive data, and half of those sensitive files had been shared.

Fast forward to 2020 and data leak was ranked as the Cloud Security Alliance’s number one threat. A data leak not only threatens your reputation, it could also result in legal costs and loss of intellectual property (IP).

Public data exposure often happens because cloud storage is so cheap, convenient, and easy to create. This convenience results in an abundance of data stores that are used once and subsequently forgotten about.

Organizations should classify their data using metrics such as sensitivity and the cost impact of its loss, and then put the necessary processes in place to protect it accordingly. They should be asking questions such as: What does the data contain? Where is the data stored? Who or what has access to the data? Is the data encrypted? Is the data backed up?

Misconfiguration

Adopting a cloud platform enables an organization to scale its resources exponentially at a tremendous pace. However, the associated complexity makes configuration and management difficult and may introduce vulnerabilities.

In 2019 Gartner predicted that by 2025 almost 99% of cloud security failures will be the customer’s fault. Fugue, a cloud security company based in Washington, posted a State of Cloud Security report the following year, which showed that misconfiguration remains the top cause of data breaches in the cloud, with almost 90% of the people surveyed concerned that they’ve been compromised and don’t even know it.

According to the report, the top causes of Cloud Misconfiguration were the lack of awareness of cloud security and policies (52%), the lack of adequate controls and oversight (49%), and an overall lack of best practices. 

For this reason, configuration and deployments should be automated, with all infrastructure stored as code so that it can be continuously refined and reviewed, and consistently deployed.

A strong continuous monitoring strategy is also crucial in case any misconfigurations make it through the development process and into production. An automated way to alert and highlight these mistakes is key to a quick remediation. 
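The data questions from the Data Leaks section and the automated alerting described above can be combined into one check that runs over data stores declared as code. This is an added example, not code from the original article; the inventory, field names, policy table and 180-day idle threshold are assumptions constructed for illustration.

```python
from datetime import date

# Constructed inventory, as it might be exported from infrastructure-as-code
# definitions. Every name and field is hypothetical.
INVENTORY = [
    {"name": "customer-exports", "classification": "confidential",
     "public": True, "encrypted": True, "backed_up": True,
     "owner": "billing", "last_accessed": "2020-11-02"},
    {"name": "marketing-assets", "classification": "public",
     "public": True, "encrypted": False, "backed_up": False,
     "owner": "marketing", "last_accessed": "2020-11-20"},
    {"name": "tmp-migration-dump", "classification": None,
     "public": False, "encrypted": False, "backed_up": False,
     "owner": None, "last_accessed": "2019-06-14"},
]
# Assumed policy: the controls each classification level requires.
POLICY = {
    "public": {"may_be_public": True, "encrypt": False, "backup": False},
    "internal": {"may_be_public": False, "encrypt": True, "backup": True},
    "confidential": {"may_be_public": False, "encrypt": True, "backup": True},
}
STALE_AFTER_DAYS = 180  # assumed threshold for a forgotten data store

def audit_store(store, today):
    """Return the findings for one declared data store."""
    findings = []
    label = store.get("classification")
    if label not in POLICY:
        findings.append("unclassified")
        label = "confidential"  # fail closed: unknown data is treated as sensitive
    rules = POLICY[label]
    if store.get("public") and not rules["may_be_public"]:
        findings.append("publicly accessible")
    if rules["encrypt"] and not store.get("encrypted"):
        findings.append("not encrypted")
    if rules["backup"] and not store.get("backed_up"):
        findings.append("no backup")
    if not store.get("owner"):
        findings.append("no owner")
    idle = (today - date.fromisoformat(store["last_accessed"])).days
    if idle > STALE_AFTER_DAYS:
        findings.append(f"idle for {idle} days")
    return findings

def audit(inventory, today):
    """Map store name to findings, omitting stores that pass every check."""
    report = {s["name"]: audit_store(s, today) for s in inventory}
    return {name: found for name, found in report.items() if found}
```

Calling `audit(INVENTORY, date(2020, 12, 1))` in a deployment pipeline or on a schedule gives a report that can fail the build or raise an alert whenever it is non-empty.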

Access Management

Security is generally a shared responsibility between a cloud provider and its customers. The cloud provider manages the physical security of the underlying hardware and the virtualization layer on which solutions are built. Certain cloud providers also offer managed services that handle various security concerns (DDoS, SQL protection, etc.). However, the customer should carefully consider which services they implement, as some responsibilities will still lie with them.

The 2020 State of Public Security Risks Report found that half of the respondents to their survey were running at least one outdated server. Customers should make sure guest operating systems are hardened, regularly patched and segregated according to business needs and the principle of least privilege. They need to apply the principle of least privilege, secure access to their accounts (ideally using multi-factor authentication), remove access when it’s no longer needed, and audit access requirements frequently.

Secure Development Practices

It’s important that APIs are intuitive. A poorly documented or difficult-to-use API is less likely to be adopted by customers, and less likely to be maintained by developers. However, a well-written public API can provide a potential attacker with a blueprint of your solution, enabling them to plan more sophisticated attack scenarios. With this in mind, it’s important to incorporate security into every phase of the development cycle. Follow secure coding principles, carry out code reviews, implement comprehensive automated testing and integrate logging to ensure you have oversight of your running system.

The Open Web Application Security Project (OWASP) is a non-profit foundation dedicated to improving the security of software. They collaborate with security experts around the world and provide a ranking of and remediation guidance for the top 10 most critical web application security risks. This report is free to access and provides developers and security teams insight into the most prevalent security risks so that they may incorporate the report’s findings and recommendations into their security practices.

Internal audits and external penetration testing are an important part of any organization’s security plan, as they can help detect outlier vulnerabilities, and the separation of concerns can detect and prevent insider threats.