Introduction

Cloud security is a collection of procedures and technologies designed to address threats to business data (including staff, customer, supply chain, and competitive data) maintained in the cloud as well as any integrated systems and infrastructure.

Ultimately, these procedures and tools are used to provide regulatory compliance (GDPR, SOX, HIPAA), protect cloud data, and protect customer privacy. They do this through methods and practices including data security and governance, identity and access management, and an acute understanding of the environment.

This POV will help organisations understand what Cloud Security is, its importance, and how to mitigate the associated vulnerabilities and risks.

Like other cybersecurity practices, cloud security is a broad topic to understand in theory, and a large task to implement effectively in practice. Cyber-attacks are continuously growing in sophistication “for initial access, lateral movement, privilege escalation, defence evasion and data collection.” With the best will in the world, breaches are still likely to occur and spread beyond the initial attack vector. However, understanding your cloud infrastructure, creating a cloud security strategy, and being aware of potential vulnerabilities that require attention will vastly reduce the operational risks of an attack.

Delivering cloud security will differ depending on the cloud provider, products, and the cloud strategy that has been developed. Regardless, the implementation of cloud security should be a joint effort between the business and cloud service provider (CSP) to ensure successful adoption and configuration, training and education, and user access.


Why is Cloud Security Important

IBM found that 11% of data breaches in 2023 (from those surveyed) had an initial attack vector of cloud misconfiguration, costing an average of $4 million per attack. With this initial attack vector, these breaches took on average 258 days to identify and contain.


Figure 1; Cost and frequency of a data breach by initial attack vector (in USD millions)

Cloud migration is becoming more popular with the advent of cloud-first initiatives; this comes with added risk of cybersecurity vulnerabilities. Drawn to the wealth of sensitive data stored in the cloud, cyber attackers are developing malware that targets cloud services. Advanced threats see attackers targeting cloud computing providers due to a lack of visibility of the movement and access to data. As a result, cloud providers and their customers must work together to ensure that policies and practices are in place to keep data safe.

Without active steps to improve security, organisations can be hit with significant compliance and governance risks when managing confidential information. When businesses fail to enforce or update their cloud governance policies in accordance with regulation, they run the risk of non-compliance, leaving them susceptible to legal, financial, and reputational penalties.

A cloud security strategy is a critical requirement when developing a cloud migration strategy because:

  • Threats continue to evolve and increase
  • It mitigates data breaches and data loss
  • It helps to avoid non-compliance and regulatory fines

Benefits of Cloud Security

Cloud security is an essential business strategy and serves as a framework for an organisation’s security posture. It allows organisations to take advantage of the flexibility and scalability of the infrastructure, whilst also reducing operating costs without putting confidential data at risk. To minimise the inherent risks of cyber-attack, a robust cloud security system is necessary.

Benefits of cloud security include:

    • Discovering vulnerabilities in cloud-based infrastructure
    • Ensuring software is tested at all stages of development
    • Monitoring incidents within applications on cloud platforms
    • Centralising protection, as it is all in one place

Security Risks in Cloud Computing

Cloud environments come with vulnerabilities, but so does any IT environment that has not been properly safeguarded, configured, or maintained. This does not make cloud computing particularly insecure.

Cloud security starts with the environment configuration during migration and set-up, followed closely by instating strategic cloud security measures. Weak cloud security can expose users, customers, supply chain partners, and cloud service providers (CSPs) to all types of cyber threats.

Common vulnerabilities for cloud computing include, but are not limited to:

Lack of Visibility

With a lack of oversight into applications and data access, organisations lose visibility and control of their assets, users, and attack surfaces.

This is common with decentralised IT procurement where departments use applications that are not vetted by central IT and security teams, in multi-cloud and hybrid environments, and in cases where identity and access management (IAM) is not maintained throughout the movers, joiners, leavers process.

Without the correct IAM and procurement processes in place, it is easy to lose insight into who is using the cloud services, what is being uploaded and downloaded, and what data is being accessed. Where organisations have multi-cloud and hybrid environments (which is very likely), the risks associated with lack of oversight are increased due to the different environments, configurations, and security measures on each platform.

A lack of visibility may create challenges in monitoring, securing and managing cloud assets effectively. Similarly, this lack of insight creates blind spots in your IT and data infrastructure, meaning when a breach does occur, it is unlikely to be identified and contained in a timely manner.

When vulnerabilities are left unidentified for remediation, data and systems are served on a platter to the attacker.
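One way to close the movers, joiners, leavers gap described above is to reconcile the HR record against the access grants exported from each cloud platform. The following is an added example, not part of the original paper; the user names, roles, platforms, and the role-to-department policy are all constructed assumptions.

```python
# Added example: reconcile HR records against cloud access grants to surface
# joiners/movers/leavers gaps. All names and data below are constructed.

# HR system of record: current status and department for each person.
HR = {
    "asmith": {"status": "active", "dept": "finance"},
    "bjones": {"status": "left", "dept": "finance"},
    "cwong": {"status": "active", "dept": "engineering"},  # moved from finance
}

# Hypothetical policy: which department each role belongs to (None = any).
ROLE_DEPT = {"ledger-admin": "finance", "deployer": "engineering", "viewer": None}

# Grants exported from two cloud platforms: (platform, principal, role).
GRANTS = [
    ("cloud-a", "asmith", "ledger-admin"),
    ("cloud-a", "bjones", "ledger-admin"),
    ("cloud-b", "cwong", "ledger-admin"),
    ("cloud-b", "cwong", "deployer"),
    ("cloud-b", "svc-legacy", "viewer"),
]


def reconcile(hr, role_dept, grants):
    """Return (platform, principal, role, reason) for every grant that the
    HR record and role policy do not justify."""
    findings = []
    for platform, principal, role in grants:
        person = hr.get(principal)
        if person is None:
            reason = "unknown"        # no owner on record: a blind spot
        elif person["status"] != "active":
            reason = "leaver"         # access outlived the employment
        elif role not in role_dept:
            reason = "unmapped-role"  # role nobody has classified
        elif role_dept[role] not in (None, person["dept"]):
            reason = "mover"          # role belongs to a previous department
        else:
            continue                  # grant is justified
        findings.append((platform, principal, role, reason))
    return findings


if __name__ == "__main__":
    for finding in reconcile(HR, ROLE_DEPT, GRANTS):
        print("%-8s %-11s %-13s %s" % finding)
```

Running the same reconciliation across every platform in a multi-cloud estate gives one list of unjustified grants rather than a separate view per provider.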

Misconfigurations

With the increased range of services that cloud provides, misconfiguration of cloud services can leave data exposed to manipulation or loss. The inappropriate set up or misconfiguration of cloud services can unknowingly create vulnerabilities such as unintended access paths for attackers, confidential data left without authentication measures and unsecured backups.

Cloud misconfigurations are vulnerabilities that can become a doorway for attackers who want access to exploitable personal data. Causes of misconfiguration include:

  • Failure to change default settings
  • Unsecured backups
  • Excessive access permissions
  • Mistakes during implementation

If misconfigurations are left without mitigation, data can be left vulnerable to attacks.
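The causes listed above can be checked mechanically once resources are described in a common form. The following is an added example, not part of the original paper; the inventory fields, resource names, and the least-privilege baseline are constructed assumptions rather than any real cloud provider's API.

```python
# Added example: check a resource inventory for the misconfiguration causes
# listed above. Field names and data are constructed, not a real cloud API.

INVENTORY = [
    {"name": "orders-db", "kind": "database", "default_credentials": True,
     "public": False, "encrypted": True,
     "grants": {"app-svc": ["read", "write"]}},
    {"name": "orders-db-backup", "kind": "backup", "default_credentials": False,
     "public": True, "encrypted": False,
     "grants": {"backup-svc": ["write"]}},
    {"name": "reports", "kind": "bucket", "default_credentials": False,
     "public": False, "encrypted": True,
     "grants": {"analyst": ["read"], "intern": ["read", "delete"]}},
]

# Hypothetical least-privilege baseline: the most each principal may hold.
BASELINE = {"app-svc": {"read", "write"}, "backup-svc": {"write"},
            "analyst": {"read"}, "intern": {"read"}}


def audit(inventory, baseline):
    """Return sorted (resource, cause, detail) findings."""
    findings = []
    for res in inventory:
        name = res["name"]
        # Failure to change default settings.
        if res["default_credentials"]:
            findings.append((name, "default-settings",
                             "default credentials in use"))
        # Unsecured backups: reachable without restriction or stored in clear.
        if res["kind"] == "backup":
            if res["public"]:
                findings.append((name, "unsecured-backup", "publicly reachable"))
            if not res["encrypted"]:
                findings.append((name, "unsecured-backup",
                                 "not encrypted at rest"))
        # Excessive access permissions: anything beyond the baseline.
        for principal, actions in res["grants"].items():
            excess = set(actions) - baseline.get(principal, set())
            if excess:
                findings.append((name, "excessive-permissions",
                                 "%s: %s" % (principal, ",".join(sorted(excess)))))
    return sorted(findings)


if __name__ == "__main__":
    for resource, cause, detail in audit(INVENTORY, BASELINE):
        print("%-17s %-22s %s" % (resource, cause, detail))
```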

Compliance Risk

Cybersecurity and data governance regulations and policies include GDPR, HIPAA, and Sarbanes-Oxley (SOX). These regulations are audited to ensure compliance; where compliance is not found, hefty fines can be imposed on the organisation until it becomes compliant.

At their core, these policies require organisations to understand their data:

  • Who has access?
  • Where is it?
  • How is it protected?
  • How is it processed?

If data is transferred or moved to the wrong provider, it can expose the organisation to the risk of non-compliance and substantial fines. Therefore, it is essential that organisations understand the compliance and operational risks associated with outsourcing to cloud providers.

Mitigation Methods

Research found these factors to impact the total cost of a data breach. Migration to cloud was found to increase the cost by $218,362. When paired with non-compliance ($218,915), the additional cost of a breach is around $500,000.


Figure 2; Impact of key factors on total cost of a data breach (in USD)

However, when looking at the factors that reduce the cost of data breach, organisations can be advised on opportunities to improve their overall IT security strategy.

Achieving Robust Cloud Security

Cloud security is a complex collection of technologies, processes and controls. When migrating to cloud and selecting a provider, one of the top requirements to look for is security.

There is a wide range of tools and strategies that organisations can use to implement robust cloud security, including:

Identity and Access Management

A system and set of policies that control access to information and data. These controls may combine multifactor authentication with user access rules, or set the process for granting users access to systems and data based on varying criteria, including role, seniority, the data content, time and context, etc.

Governance

Cloud governance focuses on policies for threat prevention, mitigation, and detection. Putting guiding principles in place addresses security and compliance risks and allows organisations to navigate towards a cloud native future with confidence in their strategy and security.

Regulatory Compliance

By ensuring compliance with cloud and data related regulations, businesses can protect sensitive data, maintain customer trust and confidence and avoid costly penalties. Following best practices such as choosing a compliant cloud provider, conducting risk assessments, using strong access controls and monitoring security will ensure organisations maintain compliance.

Physical Security

Measures to prevent disruption and access to hardware. These take the form of security staff, security cameras and alarm systems, and secure facilities such as caged data centres. These mitigate the risks of physical attacks such as tampering with hardware.

Encryption

An added layer of security by encoding data whilst in transit and at rest to ensure it is impossible to decipher without a decryption key. IBM MQ is the only messaging middleware that encrypts the channel and the message for increased security.

Threat Monitoring and Prevention

Using intrusion detection and prevention systems allows organisations to mitigate attacks and alert for threats. This works by understanding the vulnerabilities across the IT environment to locate areas to prioritise when setting up cloud security.

One of the main costs associated with data breaches is the effort and time taken to identify and contain the breach. This time is increased by a lack of awareness that the breach exists, of where and how it exists, and by the need to create a plan of action for containing it. These costs can all be reduced with the aid of software tools.

See below for information about threat monitoring and prevention tools.

Penetration (Pen) Testing

Identifying vulnerabilities by attacking the infrastructure as an attacker would, in order to understand and patch them.

Pen testing can be done manually by humans (ethical hackers) who attempt to access the cloud and on-prem environments using various tactics including fake phishing emails to staff, evaluating the security of wireless networks, and cloud configurations.

Pen testing can also be done continuously by automated software that completes the same actions on an ongoing basis to identify vulnerabilities as they appear in the environment. Again, this uses known hacking tactics to attempt access to IT environments and data.

Firewalls

Next Generation firewalls protect workloads by using advanced features like deep packet inspection and application control to detect and prevent attacks. These advanced firewalls include features such as application and user control for visibility in network traffic, encrypted traffic inspection, advanced malware detection and threat intelligence feeds to protect enterprise networks.

Shared Responsibility Model

Organisations and their cloud provider share the responsibility to reduce cloud security risk.

The Shared Responsibility Model is used by cloud service providers and their customers to secure all aspects of a cloud environment, including infrastructure, hardware, data, configuration, network controls, and access rights.

Put simply, the cloud provider monitors and responds to security threats relating to the cloud and its underlying infrastructure, whilst the organisation is responsible for protecting the data stored in the cloud environment. It is important to note that the user and vendor do not share responsibility for the same asset.

Depending on the type of cloud service (SaaS, IaaS, PaaS), the responsibilities of the two parties are likely to differ.

SaaS cloud services provide clients with access to applications hosted on the provider’s server, where the provider manages the applications.

IaaS cloud services offer operating system (OS), hardware, and remote connectivity frameworks, where providers only manage the core services and customers secure all that is stacked on top of the OS.

PaaS cloud services provide a platform for customers to host their own applications, where providers manage the OS, runtime, and middleware, and customers manage user access, data, and applications.

The table below breaks down who has shared responsibility depending on the cloud service type.

| Service Type | User Responsibility | Vendor Responsibility |
|---|---|---|
| SaaS | User and network security, endpoints | Application security |
| IaaS | User and network security, workloads and data, security of applications installed on the infrastructure | All infrastructure components |
| PaaS | Applications developed on platform, endpoints, workloads and user and network security | Platform security (hardware and software) |

As noted, some IaaS and PaaS services may have differing security responsibility, depending on the agreement with the cloud provider. For example, if a customer uses a public cloud data storage service, the cloud provider is responsible for the cloud data centre. This includes the monitoring, security and maintenance, with the customer entirely responsible for securing the data within the environment and access management.

Different providers may choose different shared responsibility models, so it is important for organisations to understand what security model is being used.

Protecting Cloud Databases Using IBM Guardium and IBM Randori

Utilising tools like IBM Guardium and IBM Randori will improve the protection of data environments and the larger IT landscape. Together they monitor internal data and user access against policies (including regulatory controls and audit reports), common cyberattack trends, and custom alerts, whilst also patrolling the broader IT landscape for external threats and vulnerabilities from the perspective of an attacker.

IBM Guardium is comprehensive data protection software that guards cloud data stores. It is built on a scalable architecture and provides full visibility on all data and associated activity. If threats do occur, Guardium can block access, open tickets/alerts, share insights with other security tools, and simplify compliance and audit reporting.

With the expansion of IT environments and landscapes, attack surfaces are growing. As mentioned above, the decentralisation of IT procurement is making this issue worse in large enterprises. IBM Randori is an attack management SaaS that monitors external attack surfaces for misconfigurations, blind spots, and unexpected changes. It allows organisations to discover assets exposed to attackers so they can put a secure response measure into action.


Cloud Provider Security

When evaluating cloud service providers, there are several factors to consider including shared responsibility and security standards. These should be included in the business case for adopting a specific cloud provider, and weighed up against competitive cloud options to find the best fit for your organisation, stakeholders, and the teams tasked with managing the cloud migration projects and ongoing support.

Visibility and Control

Providers should offer active monitoring and visibility of data to ensure that customers can discover changes across the cloud platform.

Protection of Data

Data should be secure at rest and in transit. Find a provider that helps customers to easily encrypt data to ensure there is a consistent level of protection.

User Management

Providers should offer tools that enable secure management of users to help prevent unauthorised access. This includes having the ability to set custom controls in line with company policies and industry regulations.

Authentication and Identity Management

Providers should ensure access to any service interface is only available to authorised employees. Similarly, ensure that the provider has features such as two-factor authentication, identity federation and secure channels.

Asset Protection

Know the physical location of your data. Many large cloud providers are located globally and spread their datacentres for efficiency and cost-effectiveness, meaning your data may not be stored in your locale. Organisations may dictate that their data is stored in the same country as them for regulatory compliance and to prevent unauthorised access.

Conclusion

As organisations move data, business processes, applications, systems, and more to the cloud, security, policies, and secure configurations become increasingly important.

Ensuring cloud security is achieved is a critical requirement for organisations to protect themselves, their customers, and their supply chains from evolving threats. Cloud providers must follow best practices, and organisations must take steps to protect data and applications running in the cloud.

Being aware of vulnerabilities internally and externally is the first step to mitigating the associated risks. Data breaches cost money, time, effort, and reputation to identify, contain, and amend; taking precautions before this becomes an issue is cost-effective in the long-term.

Responsiv x Cloud Security

Responsiv has a vast set of cybersecurity skills including IBM Guardium, IBM Randori, and other identity and access management tools.

Responsiv provide the Responsiv Cloud Security Service with all Responsiv Cloud Platforms or for use with Microsoft Azure and IBM Cloud. The Responsiv Cloud Security Service allows organisations to set up cloud security and user access in line with policies and regulations.

This can be used to simplify and control the movers, joiners, leavers process and maintain audit records and permissions for users across the organisation.
