Cybersecurity Essentials For Cloud Environments

Uploaded on 2022-08-05 in TECHNOLOGY--Resilience, FREE TO VIEW

As of 2022, over 60% of all corporate data is stored in the cloud. This is up from just 30% in 2015, according to Statista. While cloud migration is being embraced by organizations the world over, many companies are struggling when it comes to cloud security, both during transition time and throughout their entire cloud journey.

In this article, we’ll delve into some of the common challenges and look at what makes a robust cloud security strategy.  

What Do We Mean By Cloud Security?

The natural starting point here is to evaluate how cloud security differs from that of a traditional, on-premise system. This largely comes down to what we call the shared responsibility model. If all of your business assets are on-premise, you are accountable for the physical security of the building they are in, maintaining the health of the servers as well as the performance and security of the infrastructure.

However, with the cloud it’s broken down into two parts - the security of the cloud and the security in the cloud.

The cloud service provider, like AWS or Azure, is responsible for the former, so all you need to worry about is the security of your resources within the cloud. There are cloud provider tools and utilities to help you manage that.

Common Cloud Security Challenges

One of the most important things to watch out for in cloud security is misconfiguration. Companies have had decades of experience managing infrastructure on-premise, so they have had time to really understand all of the ins and outs. However, the cloud is still relatively new, so people are still grappling with the complexities and sheer number of configuration options.  

Identity and access management (IAM) is an example of an area that is commonly misconfigured. This is mainly because of simple things not being accounted for, like not having multi-factor authentication enabled, misapplication of permissions, or being overly permissive.

This comes down to the key cloud principle of least privilege. There aren’t many companies where one individual requires access to the whole network, but businesses still frequently give individuals network-wide permissions. In the event of a compromise, you would want the attacker to have the lowest possible level of access.

It’s important to ensure that authorised employees/users only have access to what is required to perform their roles. 

There are also smaller misconfigurations that happen often, such as having unsecured S3 buckets (a type of file server). On their own, these may not be critical, but small issues like this can still evolve into bigger ones. For example, a lack of encryption on the S3 bucket can lead to sensitive data being made available in a publicly accessible realm.

Key Considerations When Moving To The Cloud 

Migration is key - it’s make or break: Migration periods are still one of the highest risk points in time for an organization, especially when the migration is so big that companies spend a significant amount of time in a hybrid setup (both on-premise and cloud). It’s a misconception with hybrid environments that if everything is well segregated, there’s no route between on-premise and the cloud. In a lot of cases they are in fact closely intertwined and attackers can find their way between the two. It’s therefore important to treat them as one environment. 

Secure configuration: It’s essential to exercise due diligence when placing anything in the cloud. Frequently, companies will test and deploy quickly without taking the time to ensure that the content is secure. Before long, they will find that it has been compromised. 

Governance structures: You need to understand the right governance structure for your organization in order to manage things effectively. Fortunately, whether it’s ISO 27001 or CSF, these are baked into the cloud service providers themselves. 

Good architecture: This is just as important as in an on-premise environment. If you are considering moving to the cloud, sit down with a cloud architect or engineer and get your architecture right from the start. Otherwise, it can be really difficult to unpick and rebuild later on when there are interdependencies between software and services. 

The Importance Of Team Buy-In

Let’s say you are part-way through moving to the cloud and you have three teams that have each started to use a different cloud provider. You want to define a company-wide strategy, but how do you bring those pieces of the jigsaw together? First of all, make sure you get buy-in from your teams. Consult with them on what they’re trying to achieve and why they’re using the providers they are.

It’s no good just coming along and enforcing a policy if it makes their jobs more difficult - quite frankly, they just won’t comply with it. 

Often, businesses assume that everything is secure because monitoring tool like Cloudtrail or Cloudwatch are enabled. While that will tell you what’s happening to resources (i.e. who is modifying or changing them), it won’t give insights into what’s happening within those resources. For that you will need a separate solution that will increase visibility and keep your cloud services secure. 

Hugh Raynor is Senior Cybersecurity Consultant at SureCloud 

You Might Also Read: 

Cloud Computing & Security: What Enterprises Should Know:

 

« Github Supply Chain Attack
AI Driven Anomaly Detection In The Oil & Gas Industry »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Bayshore Networks

Bayshore Networks

Bayshore Networks was founded to safely and securely protect Industrial IoT (IIoT) networks, applications, machines and workers from cyber threats.

Casaba Security

Casaba Security

Casaba are specialists in software security providing managed Software Development Lifecycle services as well as products for security testing.

Exida

Exida

Exida is a leading product certification and knowledge company specializing in industrial automation system safety, security, and availability.

BlueID

BlueID

BlueID is an IDaaS technology product which enables your objects to securely connect and interact with your users’ smart phones and smart watches.

Galvanize

Galvanize

Galvanize is a leading provider of award-winning, cloud-based security, risk management, compliance, and audit software for some of the world’s largest organizations.

Trapmine

Trapmine

TRAPMINE is an innovative cybersecurity products company mainly focusing on protecting organizations from Advanced Persistent Threat & Zero-Day attacks.

Digital Law

Digital Law

Digital Law is the only UK law firm to specialise solely in online, data and cyber law.

National Centre for Cyber Security (NCCS) - Pakistan

National Centre for Cyber Security (NCCS) - Pakistan

National Centre for Cyber Security (NCCS) undertakes cyber security research and plays a leading role in securing Pakistan’s Cyberspace.

Crypto Valley Association

Crypto Valley Association

Crypto Valley Association is an independent, government-supported association established to build the world’s leading blockchain and cryptographic technologies ecosystem.

Findcourses.com

Findcourses.com

Findcourses is a dedicated education search engine designed to make it easy for our learners to search and find exactly what they need from our community of trusted training providers.

OffSec

OffSec

OffSec have defined the standard of excellence in penetration testing training. Elite security instructors teach our intense training scenarios and exceptional course material.

Cyber Range Solutions (CRS)

Cyber Range Solutions (CRS)

CRS provides cyber security training and improve security team performance by providing a hyper realistic, virtual training environment.

Cyberi

Cyberi

Cyberi provide specialist technical consultancy and cyber advisory services, from penetration testing and assurance to incident management and response, and technical security research.

AMSYS Innovative Solutions

AMSYS Innovative Solutions

AMSYS is a full-service, 24/7/365 IT solutions, Cybersecurity & Managed Service Provider.

Abissi

Abissi

Abissi offer cyber intelligence, IoT security, automotive security, red teaming, application security and artificial intelligence security services, with a focus on security by design.

runZero

runZero

runZero delivers the most complete security visibility possible, providing you the ultimate foundation for successfully managing exposures and compliance.