The Five Pillars of Cloud Security
As more employees move to remote work, more of today’s business environment is shifting towards the cloud. Indeed, approximately 90% of companies use at least one cloud-based service.
While it brings great benefits, the cloud also brings challenges, including properly securing cloud-based assets. Cybercriminals are well-versed in corporate cloud usage and are successfully exploiting that knowledge. In the past year and a half, nearly 80% of companies suffered a cloud-based data breach. And attacks have hit everyone from the smallest companies to the biggest names, like Accenture, Yahoo, Facebook, and more.
Many companies are failing to adequately protect themselves in this shift to the cloud, as cloud security is more complex than simply applying existing on-premise security policies and protocols in a cloud environment. Moreover, companies cannot simply rely on their cloud providers to deal with security. Organizations need to understand their responsibilities for cloud security, the unique security strategies that come with the cloud, and the steps they should take to ensure they have the most secure environment possible.
Five Steps Every Organization Should Take to Strengthen Its Cloud-Based Systems
1) Know Your Responsibilities
It’s tempting to believe that because you obtain cloud services from an outside vendor the vendor has full responsibility for the security of those services. Unfortunately, nothing could be further from the truth.
Most cloud service providers employ a shared responsibility security paradigm. Your degree of responsibility depends on the type of services you employ and the degree to which you have transitioned services and data to the cloud. Responsibilities vary significantly from companies that solely use software-as-a-service (SaaS) and those that move to the cloud more fully, using infrastructure-as-a-service (IaaS).
While the levels of shared responsibility may differ from provider to provider, Microsoft Azure’s shared security chart offers one clear example of how responsibilities can be delineated.
In this example, cloud customers always maintain responsibility for their data, devices, and users. But depending on the services, customers may also have responsibility for applications, network services, operating systems, and more.
Knowing what you must secure is the first step in creating effective cloud cybersecurity policies and programs.
2) Implement and Enforce Security Policies
Organizations must be diligent about adopting effective security policies, and they must be more than boilerplate examples that an organization copies off the internet. While policy templates can be an excellent starting point, companies must tailor their policies to their individual situations.
Crafting security policies requires consideration of how to build security into every facet of business workflows. Understanding principles like security-by-design and privacy-by-design, and ensuring corporate policies apply these principles, goes a long way towards creating a solid framework for company security programs.
Of course, policies can’t be effective if companies do not practice them on a regular basis or enforce them. Automation is one key component of enforcement, and companies should turn their written policies into self-executing practices. Policy-as-code is an important tool for companies looking to automate their security protocols.
With the proper policies and tools in place, companies can protect their systems, their data, their clients, and —as a result — their reputations.
3) Be Rigorous About Configurations
Cloud service misconfigurations are a primary source of attacks on corporate cloud systems. Studies indicate that between 65 and 70% of all cloud breaches arise from misconfigurations.
There are a range of common cloud service misconfigurations companies should be vigilant in remediating. Among these are:
- Unrestricted inbound and outbound ports: When companies allow more open ports than necessary, hackers have easily exploitable opportunities for both infiltration and exfiltration.
- Failing to manage ICMP properly: There is some debate about whether companies should always block the Internet Control Message Protocol (ICMP). But failure to manage and monitor ICMP creates a critical attack vector that hackers can exploit for malware insertion and DDoS attacks.
- Poor secrets management, identity management, and access controls: This issue is so crucial and so often a problem that it warranted a separate section below.
- Improper API management and documentation: Failure to properly distribute, manage, document, and control APIs in a cloud environment can create security blind spots in your system — vulnerabilities you can’t remediate because you don’t even know they exist.
In addition to generic cloud configuration issues, each cloud service has its own set of unique configuration issues. Just see the graph below of common misconfiguration of Amazon Web Services .