Many organizations lack a clear understanding of their role and responsibilities when it comes to securing the cloud.
The COVID-19 pandemic has magnified the value of cloud computing in business operations. The cloud supports work-from-home strategies by enabling remote access to applications and data, while also providing a cost-effective path to scalable IT infrastructure and innovative services.
As organizations step up cloud adoption, however, they may be putting their operations at risk. Many organizations make the mistake of assuming that when applications and services move to the cloud, all security responsibilities move with them. That’s simply not the case.
In the cloud, security is a shared responsibility. While cloud service providers are responsible for securing their physical infrastructure, customers are responsible for protecting their data, endpoint devices, user accounts, and identity infrastructure. Depending on the cloud service model, customers may also be required to secure their applications, operating systems and network controls.
That can be a huge undertaking as organizations adopt a multi-cloud model. Access policies and permissions must be continually monitored and updated, and cloud environments properly configured. Few organizations have the skills sets and operational procedures to manage growing numbers of cloud services effectively.
In a recent study of U.S. chief information security officers (CISOs) conducted by IDC, 79 percent of respondents said their organization had experienced at least one cloud data breach in the past 18 months. Almost half (43 percent) said they had experienced 10 or more. Security misconfigurations are the No. 1 risk according to 67 percent of respondents.
Cloud service providers typically offer security tools to help customers protect their workloads, but it’s the customer’s job to implement those tools correctly. The risk of human error is high, and security breaches caused by poorly configured cloud systems are common. In the 2020 Verizon Data Breach Investigations Report, only hacking ranked higher than misconfiguration errors as a source of data breaches.
A recent study conducted by Propeller Insights found that 28 percent of organizations are known to have suffered a critical data breach due to cloud misconfiguration. The actual numbers are likely higher. Because cloud misconfiguration exploits can be difficult to detect using traditional security tools, 84 percent of survey respondents said they’re concerned they’ve been hacked but don’t know it.
After misconfigurations, access controls and user permissions represent the greatest cloud threats. In the IDC study, CISOs said that lack of adequate visibility into access settings and activities (64 percent) and identity and access management (IAM) permission errors (61 percent) were their top concerns.
Organizations often grant excessive or inappropriate access by default when new services and resources are added to the cloud environment. Driven by the dynamic and on-demand nature of public cloud infrastructure deployments, users and applications often accumulate access permissions beyond what is necessary for their legitimate needs.
Excessive permissions are a primary target for attackers as they can be used for malicious activities such as stealing sensitive data, delivering malware or disrupting critical processes and business operations. In the 2019 Capital One breach, for example, more than 100 million credit card applications were exposed because a web application firewall had been given excessive permissions. The attacker leveraged this vulnerability to access resources connected to the server.
To reduce these risks, organizations should implement least-privilege access policies, in which users are only given access to the systems and data necessary to do their jobs. That’s easier said than done, however. The problem is particularly acute with growing numbers of machine identities due to the concern that overly restrictive access controls will cause downtime.
There are certain steps organizations can take to improve the security of their data, applications and virtual machines in the cloud. The first priority is to understand their security responsibilities for each cloud service. Organizations should also find out what security controls are available and make sure they are implemented and configured properly. For example, some cloud providers offer tools for managing user and machine identities and assigning access privileges.
However, controlling access to cloud resources requires more than just tools. Organizations should develop comprehensive cloud governance policies that establish the level of access each user should have to specific cloud services. They also should establish procedures for managing and securing the certificates and encryption keys that managing access by machine identities. Security logging and monitoring tools should be used to track unauthorized access attempts and other issues.
Many organizations have learned the hard way that the cloud does not absolve them of all security responsibilities. However, as cloud adoption increases to support work-from-home strategies, it’s virtually inevitable that more data will be exposed. Organizations need to understand the risks and take steps to properly secure their data and manage user permissions and access.