Cloud computing security (CCS) is an essential aspect for businesses when securing virtual data; however, like any other domain within IT security, it comes with its challenges. Because the cloud is a shared and hybrid operation framework, business and security leaders, along with cloud service providers, continuously work on improving security through various technological and policy implementations and modifications.
By Vito Sardanopoli, Chief Information Security Officer at Happify Health
With more and more businesses opting for cloud-based services, cloud security has become a significant cause of concern. Given the capacity of the cloud to hold colossal amounts of data from different groups and organizations, it has become a prime target for threat actors who aim to gain unauthorized access to confidential and proprietary data. Businesses and cybersecurity leaders are continually investing in cloud security strategies and techniques in a number of key areas including, for example, identity management, physical security, personnel/human resources security, and data protection, with the ultimate goal of maintaining effective security standards.
The security standards for the cloud today need to take into account different forms of cloud deployment and usage. These can include variations of hybrid cloud architecture, shared responsibilities between cloud customers and vendors, vendor consolidation, etc., that need to be considered before establishing and enforcing policies. A secure cloud assures clients and users of its competency in securing their data and keeping it protected from external attackers. Any attack or compromise of cloud security could lead to dire consequences, where data could be modified, deleted, withheld in exchange for ransom, or simply sold online, which dramatically affects the victim psychologically and financially. It is imperative for organizations to keep investing in researching and implementing new solutions and updated security standards to ensure data security against multiple threats.
The Current Cloud Security Is Not a Lasting Solution
Cloud security is complicated, as the cloud itself is complicated due to the number of variations of deployment and use of cloud-based resources. Although people assume that cloud service providers take responsibility for the security of the infrastructure they manage, this is far from the truth in the shared security/responsibility model, which is applicable to almost all cloud platform types. The cloud users/customers are equally responsible for implementing and managing cloud security correctly and securing their applications. Any misconfiguration at the application level can lead to many security problems. External threats that utilize malware infection are among the most effective threats to your cloud computing environment.
With the evolution of technologies, attackers have also stepped up their game! They are upgrading various types of malware and ransomware that can infiltrate high-grade security practices and standards with relative ease. Over time, attacks have evolved and are now increasingly sophisticated, a number of which have been successful in bypassing high-security measures. Some of the most common threats which target cloud services are noted as follows:
- Malware injection: The increase in malware threats shows that nearly 90% of organizations are experiencing data breaches after increasing cloud usage. Malware on cloud service platforms will not only allow for data manipulation but can also spread to collaborators in cloud systems. This malware generally consists of scripts or code rooted into cloud services that act as “valid instances” and can run as Software-as-a-Service (SaaS) to cloud servers. As a result, that harmful code can be injected into cloud services and viewed as part of the running services inside the cloud servers. Once the injection is successful, the cloud begins to club malicious scripts, and attackers start stealing the secured information.
“Businesses use an average of 1,181 services wherein that 92.7% of them are insecure or not ready for enterprise needs.” – Netskope.
- Hijacking of accounts: Extended cloud service implementation has led to a host of issues such as account hijacking, where the attackers can utilize the employee’s login credentials to access their information stored in the cloud remotely. Hijacking techniques make use of scripting errors and reused passwords that enable attackers to steal your credentials.
- Data breaches: Cloud computing and other services are comparatively new, but data breaches on all platforms have been occurring for many years. Research by Ponemon Institute reports that around 50% of IT and security professionals believed their organization’s security measures for cloud services are insufficient. The overall probability of a data breach is higher for businesses with cloud services, and it could be said that the cloud has a unique set of features and characteristics that make it more vulnerable.
- Insecure APIs: Application Programming Interfaces (APIs) allow users to modify their cloud experience through customized features, easier collaboration, improved innovation, etc. In some instances, use of APIs can pose a risk to cloud platforms. Often the intended use of APIs is for making improvements (e.g. service level, features, performance, user experience, etc.). However, while multiple types of improvements may be targeted, use of APIs may increase security risks. A key area of vulnerability for APIs exists in the communication that takes place between applications.
- DoS attacks: Denial of Service (DoS) attacks are designed to make your web pages and networks inaccessible to legitimate users by flooding them with fake requests. In some scenarios, a DoS attack is used as a smokescreen for other malicious activities and for taking down security appliances such as web application firewalls.
- Insufficient due diligence: The knowledge gap with regard to cloud-native security impacts the needed due diligence. There is a distinction between what clients need and what cloud service providers (CSPs) provide. The confusion of shared responsibility has not helped to mitigate this issue. It is imperative for the CSP to obtain a clear and detailed understanding of customer requirements in order to reduce the contractual obligations later.
Migrating to the cloud can often reap important benefits for organizations. However, it is not uncommon for enterprises and organizations to blindly migrate data and assets to the cloud without effectively planning security implementations, corresponding environments, and protection mechanisms. Additionally, they are often uncertain and unprepared in managing disaster scenarios, backup plans, applicable threats, or regulatory and compliance aspects. This is often due, in part, to a failure to perform sufficient due diligence, which, combined with a lack of proper knowledge of the cloud threat landscape, is very risky and could even lead to more serious information security challenges and related risks.
Improving Your Cloud Security Framework
It has become imperative for organizations to keep their security standards up to date. It is also important to implement such standards as early in the deployment lifecycle as possible in an effort to prevent or minimize risks. To ensure that data is not accessed/viewed inappropriately, deleted, or modified without proper authorization, organizations can adopt various strategies to improve security in their cloud deployment.
In an effort to increase the security of their cloud environment, organizations can leverage security solutions including, for example, continuous activity and event monitoring; data loss prevention (DLP); and user and entity behavior analytics (UEBA).
Organizations can implement security solutions and strategies intended to further improve the cloud security of their data and virtual assets. Some of the effective cloud security strategies that can be used to help protect your virtual assets are noted below:
1. Understanding cloud data vs. on-prem storage
Organizations need to understand that cloud-based storage differs significantly from its on-premises counterparts. Cloud infrastructures can be deployed with minimal oversight and are able to record extensive and detailed procedures towards ensuring correct configuration. Cloud services and resources are designed to enable users to work with ease and efficiency. Efforts must be made to ensure application developers and infrastructure teams can effectively perform their roles in a dynamic cloud infrastructure environment while maintaining effective security of the cloud environment. Organizations require cloud computing experts and/or services that are mindful of the conditions required for the proper functioning of the cloud data centers.
2. Role-based security blueprint creation for cloud
Depending on the types of cloud services and features to be used by the customer organization, it is essential to create an outline of what the key security features will be. Creating such an outline helps to ensure that the security team is on board with the strategies, procedures, and configurations to be utilized so that effective security will be sustained in the long run.
3. Reduction and protection of attack surfaces
While incorporating security standards, it is essential for security experts to minimize the number of attack surfaces in the cloud infrastructure and provide the necessary strategies to secure the deployed attack surfaces. New platforms and/or incorporation of new software often are the gateways for such attack surfaces as they create specific vulnerabilities that allow unauthorized access and other risk factors like malware to enter.
4. Consolidating vendor security
When considering cloud security vendors, organizations must research them thoroughly. Try to obtain evidence that the vendor is trustworthy and reliable, based on recent experiences of customers. Additionally, cloud security vendors must maintain the required legal documents and certifications needed to fulfill their roles and responsibilities.
5. Conducting due diligence
Once an organization decides to choose an appropriate cloud service after considering security and resiliency aspects, steps should be taken to ensure appropriate due diligence and the auditing process are agreed to. The due diligence process should include the following:
- Define security benchmarks consistent with the nature of the data, applications, and other cloud-based resources.
- Verify that CSP security recommendations align with customer goals.
- Test offered security measures like encryption standards, identity management, etc.
6. Protecting the loose ends
Organizations need to deploy endpoint security protocols with multilayered security standards/protocols such as Endpoint Detection and Response (EDR) and User and Entity Behavior Analytics (UEBA) to detect malicious behavior of users. Weak security practices invite attacks against remote access infrastructure and/or users. CCS possess numerous endpoints that could be subject to frequent changes and hence require a higher level of transparency. Endpoint protection tools and practices help organizations monitor and control cloud-based workloads while ensuring effective remote access security.
7. Enforcing adequate encryption standards
The encryption process offers security while ensuring data integrity, confidentiality, and authenticity during data transport and storage processes in the cloud. Verify that encrypted data is safe and secure and can be accessed only by authenticated users with the appropriate encryption and decryption keys.
8. MFA for CCS
Social engineering is a primary method among attackers to acquire access to cloud data. A multifactor authentication tool for cloud computing services should be implemented and utilized to ensure end-user authentication.
9. Backing-up cloud on cloud
It is always essential to back up data in case of a worst-case scenario. Thus, data could always be secured and stored in the backup drive in case of any incident, allowing easy retrieval. A cloud-to-cloud backup option is most prevalent in cloud service models like Software as a Service (SaaS). For most SaaS services, the application’s data is stored virtually, and the backup is also done on a cloud platform.
10. Attacking it to secure it
Penetration testing of your security architecture is said to be the most effective way to detect vulnerabilities. Organizations need to test their applications on a regular basis. They should also periodically keep track of changes to their current security standards and review and update them over time. Organizations should ensure that such testing is done by certified professionals who possess the skills to test effectively and to make informed decisions based on analysis of results, in order to efficiently uphold security in the long run.
Security is a continuous operation that continues to grow with the constant developments in technology. It is essential to stay updated with the latest trends and improve the security standards of your architecture accordingly. It is crucial to understand that making cloud infrastructure entirely fool-proof is impossible. Cloud security is much more than the term itself. To have a compatible and functional cloud security architecture, it is essential to consider crucial aspects related to both technological and human interventions.
About the Author
Vito Sardanopoli is an accomplished technology leader, with a vision and a distinguished record in progressive leadership roles. He is a forward-thinking technology and security executive with a strong strategic and business perspective. With more than 20 years of experience in information security, he is a renowned CISO, with experience in the functions of CTO and CIO roles. He is currently serving as an advisory board member for Pace University's cybersecurity program and leads efforts to ensure that digital and security initiatives support business priorities and emerging opportunities. He has served as CISO for a number of leading organizations across multiple industries such as healthcare, retail, financial services, etc., with demonstrated success in delivering sustainable, cost-effective solutions while consistently minimizing business and operational risks.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.