Cloud(y) with a Chance of a Data Breach

Understanding the Threats, Risks, and Vulnerabilities Associated With Cloud Environments is Critical to Securing Data


Almost ten years ago, I worked as a cybersecurity evangelist for one of the world’s first Software-as-a-Service (SaaS) vendors. At the time, the term SaaS didn’t even exist yet and our sales personnel and resellers were struggling to describe what we were offering, so we engaged Gartner and IDC to coin the terminology. Meanwhile, many companies and government agencies were skeptical of using the cloud to host their business or security operations. This objection was a major barrier for cloud adoption in its early days. 

Fast forward to 2019: According to the IDC Worldwide Semiannual Public Cloud Services Spending Guide, spending will grow from $229 billion in 2019 to nearly $500 billion in 2023. Moving workloads into the cloud (or even multi-cloud environments) has become the new business standard and is seen by analyst firms like Gartner as a key enabler for cost optimization and competitiveness, which can directly impact a business’ valuation. This shift to the cloud has not gone unnoticed by threat actors. In fact, many of the recent data breaches exploited vulnerabilities in cloud environments. These incidents raise the question: are organizations fully prepared to secure cloud environments against their cyber adversaries, or are knowledge gaps giving hackers an edge?

The Myths that Impede Secure Cloud Migration

The cloud’s availability, accessibility, scalability, and speed of delivery make it an attractive option to deliver IT services more efficiently and affordably. However, securing multi-cloud and hybrid environments creates an unfamiliar situation for many organizations, in which they’re unsure of who is responsible for controlling access to and securing the underlying infrastructure. As a result, many organizations secure cloud and hybrid environments differently than they do on-premises, when a common security model is a recognized best practice.

According to the recent IDC Cloud Computing Survey, 34 percent of enterprises view ‘security’ as the leading challenge when it comes to cloud migration projects. More importantly, three main myths seem to impede the path towards secure cloud migration:

Myth #1: Cloud Providers are Solely Responsible for Security

There is still a widespread misinterpretation of who is responsible for what when it comes to securing public cloud environments. According to a recent survey by Techvangelism, 60 percent of respondents misunderstand the shared responsibility model for cloud security and incorrectly believe that cloud providers are solely responsible for securing Infrastructure-as-a-Service (IaaS) environments. Just last week during a speaking engagement at a cybersecurity conference in Florida, I met several IT security practitioners who believed this was the case and did not understand that cloud security is a shared responsibility between the cloud provider and the customer. Typically, the cloud provider is responsible for securing the core infrastructure and services, while the customer must secure operating systems, platforms, and data.

Myth #2: The Cloud Requires Different Security Controls

Unfamiliarity with the cloud often leads organizations to treat these environments differently than their on-premises counterparts. For example, they will apply different policies and security controls to their cloud environments. The Techvangelism survey found that 51 percent of the 700 respondents are taking different approaches to controlling access to cloud workloads than they do with their traditional on-premises environments. While some of the privileged access management (PAM) “basics” like multi-factor authentication (MFA) are being widely used in datacenter environments, 68 percent of respondents are not implementing PAM best practices in the cloud, such as using root accounts only for “break glass” purposes, eliminating local privileged accounts, or federating access controls. Ultimately, organizations should invoke a common security model across cloud, on-premises, and hybrid environments.

Myth #3: Each Cloud Requires its Own Identity

Organizations that have moved their workloads to the cloud are frequently using more than one identity repository. This can lead to complications for creating, managing, and securing each instance. In fact, according to the Centrify research report, 76 percent of organizations use more than one identity repository. Additional repositories can lead to identity sprawl, which can make the cloud a huge potential attack surface, especially when organizations move to multi-cloud environments. Managing multiple directories can also generate additional costs and management complexity. Therefore, standardizing on a single identity repository and brokering access across the hybrid ecosystem can save money and reduce the risk of outdated or unnecessary privilege.


Understanding the threats, risks, and vulnerabilities associated with cloud environments is critical to preventing data breaches. Contrary to the myths outlined above, organizations need to understand that securing access to cloud environments is their responsibility. This begins with implementing a common security model across on-premises, cloud, and hybrid environments, while avoiding identity sprawl by repurposing existing identity repositories to broker authentication and access to cloud environments.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
