How to Mitigate Cloud Security Risks

While some cloud users may be under the impression that most cloud security risks are due to the actions of external bad actors, that's not usually the case. Although cybercriminals are most often the beneficiaries of cloud security lapses, the majority of lapses are attributable to misunderstandings of how the cloud works, and – more importantly – how cloud security works.

One of the basic misunderstandings about cloud security concerns the difference between on-premises environments and cloud environments: on-premises environments are protected by perimeter defenses, and cloud environments are not. Therefore, for example, there are no barriers to prevent cybercriminals from exploiting vulnerabilities in misconfigured servers in the cloud.

Similarly, operating in an Internet-connected environment (which strictly speaking the cloud is) creates more cloud security risks when users interact with cloud-based resources and services from unsecured personal devices. This is becoming a bigger problem as the scale of remote working increases, which can also increase the scale of cloud security risks attributable to “Shadow IT”.

Cloud Security Risks Attributable to Shadow IT

Shadow IT is a term used to describe the use of cloud services and the deployment of cloud resources that have not been sanctioned by an IT department. Typically, Shadow IT environments evolve as users take advantage of the self-provisioning nature of cloud computing to “get the job done”; and while this can be beneficial in terms of productivity, Shadow IT introduces numerous cloud security risks.

One of the main reasons for cloud security risks attributable to Shadow IT is that non-IT users do not have the same level of security expertise as IT professionals. Consequently, there is a higher likelihood of misconfigured resources being deployed, cloud services being used over unsecured networks, and repositories of unencrypted data being exposed to the public Internet.

Few organizations are aware of the scale of Shadow IT within their cloud environments; yet without knowing what cloud services are being used and what resources are being deployed, it is impossible to control Shadow IT and mitigate cloud security risks. Furthermore, uncontrolled Shadow IT environments also lead to uncontrolled cloud costs and performance inefficiencies.

It's Not Only Non-IT Users Responsible for Risks

In 2019, the Oracle/KPMG Cloud Threat Report reported that 82% of organizations had experienced a cloud security event due to confusion over the Shared Responsibility Model – the model under which Cloud Service Providers are responsible for the security of the cloud, and users are responsible for security in the cloud. Apparently – according to the report – only 10% of Chief Information Security Officers (CISOs) fully understand how the model works.

One of the reasons for this confusion is that the point at which users take responsibility for security in the cloud varies according to the nature of the service being used and the level of abstraction. For example, when an organization deploys a VM, it is responsible for the security of the VM's operating system and network configuration. When an organization deploys a container, responsibility for the security of the underlying operating system and network configuration remains with the Cloud Service Provider.

When so much confusion apparently exists over how the Shared Responsibility Model works, it is hardly surprising that cloud security risks manifest in other areas due to a lack of understanding by IT professionals. The failure to fully understand how cloud computing works can be responsible for risks manifesting in areas such as Identity and Access Management and data encryption (or the lack thereof), and when post-deployment changes to VMs expose security vulnerabilities.

You Can't Identify Cloud Security Risks in the Dark

Because most tools for monitoring cloud activity only report activity above the level of abstraction, organizations often lack total visibility of their cloud environments. This not only makes it difficult to identify where cloud security risks exist, but also how to fix them. If, for example, a VM is found to have an unauthorized open port, closing the port – without being able to identify how the VM interacts with other resources – may create more issues than it resolves. A lack of total visibility can also mask:

  • Shadow IT activity
  • Misuse of privileged accounts
  • Unauthorized access to data
  • Unencrypted data storage volumes
  • Traffic between the cloud and on-premises
  • The true cause of a performance issue
  • Laterally moving malware
  • Cryptojacking
  • Other indicators of account compromise

Returning to the Oracle/KPMG report referenced above, the inability of network security controls to provide visibility into public cloud workloads was considered to be the top cloud security challenge. The challenge not only applied to detecting and responding to risks on cloud-based services and resources, but across the entire attack surface – inclusive of networks and endpoints. Fortunately, solutions exist that can improve visibility and help organizations mitigate cloud security risks.

Mitigation Requires the Right Balance of People, Processes, and Technology

Because of varying compliance requirements, organizational structures, and risk propensities, there is no one-size-fits-all solution to cloud security. However, one thing all cloud security solutions have in common is the requirement to balance people, processes, and technology. Organizations that rely solely on technology to mitigate cloud security risks will find users circumventing the technology to “get the job done”, and a new wave of Shadow IT evolving along with a new wave of cloud security risks.

Therefore, the first step towards mitigating cloud security risks is to develop a Cloud Center of Excellence team. The team should be made up of representatives from all Lines of Business and initially tasked with determining which cloud services and resources are being used, who is using them, what they are being used for, and how they are being used. Unsecured services and resources need to be replaced with secure alternatives, and users need to be trained on how to use them securely.

Having effectively eliminated Shadow IT and brought the organization's cloud usage under centralized control, the next task for the Cloud Center of Excellence team is to develop cloud security governance policies and monitor compliance with them. The best way to monitor compliance is via agent-based monitoring tools that can report on cloud activity beneath the level of abstraction, as these also give security teams insights into how fixing cloud security risks might impact other resources.

One of the consequences of implementing an agent-based monitoring tool is that security teams will receive more security alerts than previously – potentially overwhelming the team and leaving some cloud security risks unaddressed. The way to overcome this is to implement a cloud management solution with policy-driven automation capabilities that can be configured to automatically remediate low-priority alerts – thus leaving the security team free to attend to high-priority alerts.

A secondary advantage of implementing a solution with policy-driven automation capabilities is that the Cloud Center of Excellence team can use the solution to apply guardrails on cloud usage. The guardrails prevent users from violating the team's governance policies and improve cloud data security by preventing unauthorized access and enforcing encryption by default, while also mitigating cloud security risks such as misconfigurations by continuously verifying resources during development and post-deployment.
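To make the workflow described in the last three sections concrete, the following is an added example, not code from the original article or from any cloud management product. It models a pre-deployment guardrail that enforces encryption by default and blocks public buckets, and a post-deployment verification pass that turns each policy violation into a finding which is either auto-remediated (low priority, here a missing owner tag) or escalated to the security team with the dependency context needed before touching it (high priority, such as the open-port case from the visibility section). The inventory, resource ids, tags and policy names are all constructed for the example and are hypothetical.

```python
"""Policy-driven guardrails over a cloud resource inventory (added example).

Not code from the original article. Everything below is hypothetical: the
inventory is constructed sample data shaped like what an agent-based
collector might report, and policy names and tags are invented.
"""
from dataclasses import dataclass

# Constructed inventory: two VMs, one volume and one bucket (sample data).
INVENTORY = [
    {"id": "vm-web-01", "type": "vm", "tags": {"owner": "web-team"},
     "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}, {"port": 22, "cidr": "0.0.0.0/0"}],
     "depends_on": ["vm-db-01"]},
    {"id": "vm-db-01", "type": "vm", "tags": {},
     "ingress": [{"port": 5432, "cidr": "10.0.0.0/8"}], "depends_on": []},
    {"id": "vol-07", "type": "volume", "tags": {}, "encrypted": False, "attached_to": "vm-db-01"},
    {"id": "bucket-exports", "type": "bucket", "tags": {"owner": "finance"}, "public": True},
]

MGMT_PORTS = {22, 3389}   # administrative ports that should never face the Internet
ANYWHERE = "0.0.0.0/0"


@dataclass(frozen=True)
class Finding:
    resource_id: str
    policy: str
    severity: str   # "high" or "low"
    action: str     # "escalate" or "auto_remediate"
    detail: str


def admit_create(request: dict) -> dict:
    """Pre-deployment guardrail: rewrite a create request so it meets policy.

    Volumes and buckets are forced to encrypted, and buckets are never
    created public. Returns the rewritten request with a 'guardrail' note
    listing every change applied (empty when nothing had to change).
    """
    req = dict(request)
    notes = []
    if req["type"] in ("volume", "bucket") and not req.get("encrypted", False):
        req["encrypted"] = True
        notes.append("encryption enforced by default")
    if req["type"] == "bucket" and req.get("public", False):
        req["public"] = False
        notes.append("public access removed")
    req["guardrail"] = notes
    return req


def _dependents(inventory: list) -> dict:
    """Reverse the depends_on / attached_to edges so a finding can list what a fix touches."""
    rev = {}
    for r in inventory:
        for target in r.get("depends_on", []):
            rev.setdefault(target, []).append(r["id"])
        if r.get("attached_to"):
            rev.setdefault(r["attached_to"], []).append(r["id"])
    return rev


def evaluate(inventory: list) -> list:
    """Post-deployment verification: one Finding per policy violation."""
    rev = _dependents(inventory)
    findings = []
    for r in inventory:
        rid = r["id"]
        # Low-priority hygiene that is safe to fix without a human in the loop.
        if "owner" not in r.get("tags", {}):
            findings.append(Finding(rid, "require-owner-tag", "low", "auto_remediate",
                                    "tagged owner=unassigned-review"))
        if r["type"] == "vm":
            for rule in r.get("ingress", []):
                if rule["port"] in MGMT_PORTS and rule["cidr"] == ANYWHERE:
                    # Closing the port blindly may break whatever talks to this VM,
                    # so escalate with the related resources instead of auto-fixing.
                    related = sorted(set(r.get("depends_on", []) + rev.get(rid, [])))
                    findings.append(Finding(rid, "no-public-mgmt-port", "high", "escalate",
                                            f"port {rule['port']} open to {ANYWHERE}; related: {related}"))
        if r["type"] == "volume" and not r.get("encrypted", False):
            # An existing volume cannot be encrypted in place; migration needs an owner decision.
            findings.append(Finding(rid, "volume-encrypted", "high", "escalate",
                                    f"unencrypted volume attached to {r.get('attached_to')}"))
        if r["type"] == "bucket" and r.get("public", False):
            findings.append(Finding(rid, "no-public-bucket", "high", "escalate",
                                    "bucket is publicly readable"))
    return findings


def triage(findings: list) -> tuple:
    """Split findings into the auto-remediation queue and the analyst queue."""
    auto = [f for f in findings if f.action == "auto_remediate"]
    manual = [f for f in findings if f.action == "escalate"]
    return auto, manual


if __name__ == "__main__":
    print(admit_create({"type": "volume", "id": "vol-new", "encrypted": False}))
    auto, manual = triage(evaluate(INVENTORY))
    print(f"{len(auto)} auto-remediated, {len(manual)} escalated")
    for f in manual:
        print(f"  [{f.severity}] {f.resource_id}: {f.policy} ({f.detail})")
```

The split between `admit_create` and `evaluate` is the "during development and post-deployment" distinction from the text: the first runs before a resource exists and can simply rewrite the request, while the second works on what is already running, where a blind fix (closing a port, detaching a volume) can break a dependent resource, so those findings carry their dependency context and go to a person.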