Charlotte Davis at Insight describes why organisations need to invest in security-by-design for the cloud as we exit the pandemic.
If 2020 was about business survival, 2021 is about thriving as the shutters are lifted and organisations plan for the future. Cloud computing will be at the centre of these plans. The promise of greater IT agility, cost efficiencies and on-demand scalability made cloud migration projects popular even before the crisis. Now they’re a crucial part of the post-pandemic recovery. But this brings its own security challenges.
Organisations must prioritise building a “secure-by-design” cloud architecture that permits greater experimentation. It’s the only way to ensure they are comprehensively protected from the ground-up, rather than attempting to bandage new vulnerabilities as they appear.
Cloud equals complexity
Despite a predicted decline in overall IT spending of 8%, investment in public cloud services was expected to grow by 19% in 2020, according to Gartner. Now the mood in boardrooms is turning to how they can exit the pandemic with momentum. That will encourage more experimentation and spending on containers, serverless architectures, hybrid and multi-clouds, and much more. The goal is innovation-fuelled growth, but at what price?
Already, 92% of enterprises have a multi-cloud strategy and 82% a hybrid cloud plan. This all adds complexity at a time when finding the right skills in-house to manage such infrastructure has become extremely challenging. We’re not just talking about the global shortage of cybersecurity talent, which now exceeds three million professionals, but also cloud IT experts. A study last February revealed that most (86%) IT decision makers believe a shortage of qualified engineers will slow down cloud projects. Crucially, it could also lead to misconfiguration of infrastructure, exposing data and systems to threat actors.
When it comes to building out a multi-cloud strategy, one of the most common security challenges we see is the ability to drive centralised visibility of the entire infrastructure. Not all cloud services store and manage data the same way, and there’s often poor integration between cloud provisioning and monitoring services. This has a knock-on effect on threat intelligence, making it more challenging to identify anomalies in network traffic indicative of malicious behaviour.
Another is a misunderstanding of the shared responsibility model — in other words, exactly which parts of the infrastructure stack the customer is required to secure. Organisations need a clear vision for integrating their policies and procedures with the tools and technologies they have to hand, and be prepared to continually monitor and reassess posture after any changes. Too often businesses invest in expensive products without the resources to manage them effectively, exposing themselves to escalating cyber-risk.
Security threats are everywhere
This risk is everywhere. According to one poll of 300 CISOs last year, nearly 80% said they had experienced at least one cloud data breach in the previous 18 months, and nearly half (43%) reported 10 or more. Cloud misconfiguration (67%), lack of visibility into access settings and activities (64%), and identity and access management (IAM) permission errors (61%) topped the list of concerns.
The truth is, where there’s data and mission-critical applications and services, there will always be attractive opportunities for cyber-criminals to steal information and/or extort companies through ransomware. Some may even look to tap the power of cloud infrastructure for covert cryptocurrency mining or DDoS.
We see various threat vectors impacting cloud customers. Malware injection attacks like cross-site scripting and SQL injection are increasingly prevalent in the cloud. When successful, they’ll redirect cloud users’ requests to a hacker-controlled machine to execute malicious code, enabling eavesdropping or data theft. Cross-cloud attacks can also cause problems for traditional security tools: if attackers breach one environment, they can use a VPN tunnel to move laterally to another, without setting off any alarms.
Let’s not forget insider threats, which of course have a cloud dimension if that’s where sensitive data is stored. According to Verizon, 30% of breaches are now caused by insiders. In a cloud context, it could be accidental misconfiguration or something more malign. Malicious insider incidents are said to comprise around a quarter of all insider threats and take an average of 77 days to contain.
How security-by-design works
The challenge is to manage these risks in a way that doesn’t diminish all those reasons for investing in cloud computing in the first place. The answer is to take a best practice security-by-design approach, embedding protections from the very start.
Key areas to consider are role-based access controls for any cloud applications, leveraging multi-factor authentication to remove the well-documented security risks associated with credential loss, theft and stuffing. Users should only be granted the access rights required to perform their job-role and no more, other than by approved exception (a principle known as “least privilege”). Other considerations should include encryption of all data in transit and at rest, and prompt patching and updates for all operating software, firewall rules, policies, credentials and configurations.
Inevitably some risks can’t be fully mitigated, such as the malicious or negligent insider. However, regular backups in line with best practice “3-2-1” rules can take some of the sting out of ransomware. And following the GDPR principle of data minimisation will further reduce risk exposure by removing opportunities for cyber-criminals. There are also key architectural requirements for deleting sensitive customer data permanently, in line with GDPR “right to be forgotten” rules. This is especially important given that cloud systems often replicate and store data in case of accidental loss. Finally, consider a security incident and event monitoring (SIEM) solution and/or managed detection and response (MDR) to accelerate threat detection and response across your multiple cloud environments.
With so much at stake and skills in high demand, one of the best ways to mitigate cloud security risk and build protections in from the very start is to engage a third-party expert. Their highly knowledgeable staff can map out and deploy internal control mechanisms and security posture requirements, as well as offer ongoing support and managed security services.
According to BT, nearly two-thirds (64%) of consumers would recommend a large company which makes a big effort to keep their data secure. Aside from mitigating financial and reputational risk, the right strategic cloud security approach could help businesses to differentiate on customer protection. That’s a compelling reason to invest in security-by-design for the cloud as we exit the pandemic.
Charlotte Davis is Cyber Security Practice Lead for UK & EMEA at Insight
Main image courtesy of iStockPhoto.com