Cloud(y) with a Chance of a Data Breach

Understanding the Threats, Risks, and Vulnerabilities Associated With Cloud Environments is Critical to Securing Data

Almost ten years ago, I worked as a cybersecurity evangelist for one of the world’s first Software-as-a-Service (SaaS) vendors. At the time, the term SaaS didn’t even exist yet and our sales personnel and resellers were struggling to describe what we were offering, so we engaged Gartner and IDC to coin the terminology. Meanwhile, many companies and government agencies were skeptical of using the cloud to host their business or security operations. This objection was a major barrier for cloud adoption in its early days. 

Fast forward to 2019: According to the IDC Worldwide Semiannual Public Cloud Services Spending Guide, spending will grow from $229 billion in 2019 to nearly $500 billion in 2023. Moving workloads into the cloud (or even multi-cloud environments) has become the new business standard and is seen by analyst firms like Gartner as a key enabler for cost optimization and competitiveness, which can directly impact a business’ valuation. This shift to the cloud has not gone unnoticed by threat actors. In fact, many of the recent data breaches exploited vulnerabilities in cloud environments. These incidents raise the question: are organizations fully prepared to secure cloud environments against their cyber adversaries, or are knowledge gaps giving hackers an edge?

The Myths that Impede Secure Cloud Migration

The cloud’s availability, accessibility, scalability, and speed of delivery make it an attractive option to deliver IT services more efficiently and affordably. However, securing multi-cloud and hybrid environments creates an unfamiliar situation for many organizations, in which they’re unsure of who is responsible for controlling access to and securing the underlying infrastructure. As a result, many organizations secure cloud and hybrid environments differently than they do on-premises, when a common security model is a recognized best practice.

According to the recent IDC Cloud Computing Survey, 34 percent of enterprises view ‘security’ as the leading challenge when it comes to cloud migration projects. More importantly, three main myths seem to impede the path towards secure cloud migration:

Myth #1: Cloud Providers are Solely Responsible for Security

There is still a widespread misinterpretation of who is responsible for what when it comes to securing public cloud environments. According to a recent survey by Techvangelism, 60 percent of respondents misunderstand the shared responsibility model for cloud security and incorrectly believe that cloud providers are solely responsible for securing Infrastructure-as-a-Service (IaaS) environments. Just last week during a speaking engagement at a cybersecurity conference in Florida, I met several IT security practitioners who believed this was the case and did not understand that cloud security is a shared responsibility between the cloud provider and the customer. Typically, the cloud provider is responsible for securing the core infrastructure and services, while the customer must secure operating systems, platforms, and data.

Myth #2: The Cloud Requires Different Security Controls

Unfamiliarity with the cloud often leads organizations to treat these environments differently than their on-premises counterparts. For example, they will apply different policies and security controls to their cloud environments. The Techvangelism survey found that 51 percent of the 700 respondents are taking different approaches to controlling access to cloud workloads than they do with their traditional on-premises environments. While some of the privileged access management (PAM) “basics” like multi-factor authentication (MFA) are being widely used in datacenter environments, 68 percent of respondents are not implementing PAM best practices in the cloud, such as using root accounts only for “break glass” purposes, eliminating local privileged accounts, or federating access controls. Ultimately, organizations should invoke a common security model across cloud, on-premises, and in hybrid environments.

Myth #3: Each Cloud Requires its Own Identity

Organizations that have moved their workloads to the cloud are frequently using more than one identity repository. This can lead to complications for creating, managing, and securing each instance. In fact, according to the Centrify research report, 76 percent of organizations use more than one identity repository. Additional repositories can lead to identity sprawl, which can make the cloud a huge potential attack surface, especially when organizations move to multi-cloud environments. Managing multiple directories can also generate additional costs and management complexity. Therefore, standardizing on a single identity repository and brokering access across the hybrid ecosystem can save money and reduce the risk of outdated or unnecessary privilege.

Conclusion

Understanding the threats, risks, and vulnerabilities associated with cloud environments is critical to preventing data breaches. Contrary to the myths outlined above, organizations need to understand that securing access to cloud environments is their responsibility. This begins with implementing a common security model across on-premises, cloud, and hybrid environments, while avoiding identity sprawl by repurposing existing identity repositories to broker authentication and access to cloud environments.

Torsten George is currently a cyber security evangelist at Centrify, which helps organizations secure privileged access across hybrid and multi-cloud environments. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 25 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).