While the cloud comes with security controls, customers need to ensure they are using it safely. Get the fundamentals of cloud security with these seven tips!
- What is Cloud Security?
- How Secure is the Cloud?
- Examples of Cloud Security Compromised by Misconfiguration
- Anticipated Cloud Security Challenges in 2021
- 7 Fundamentals of Cloud Security
More and more enterprises are adopting complex multi-cloud environments. While this approach ensures that your business always has compute resources and data storage available, it also raises many issues of security. With common challenges like misconfiguration arising when security settings are not defined, implemented or maintained, security is just as important consideration as choosing a cloud service provider.
Effectively detect threats like misconfigurations and proactively handle risks with the following tips!
What is Cloud Security?
Cloud security refers to protecting data stored online via cloud computing environments (instead of data centers) from theft, deletion, and leakage. There are many protective methods that help secure the cloud; these measures include access control, firewalls, penetration testing, obfuscation, tokenization, virtual private networks (VPN), and not using public internet connections.
How Secure is the Cloud?
When it comes to network security concerns, the cloud itself is not the issue – rather, the challenge lies within the policies and technologies for security and control of that technology. Put simply? Human error is one of the top reasons for data breaches in the cloud. In fact, Gartner estimates that by 2022, at least 95 percent of cloud security failures will be the customer’s fault due to misconfigurations and mismanagement.
Therefore, it is not an issue of whether or not the cloud is secure but if the customer is using the cloud securely.
Examples of Cloud Security Compromised by Misconfiguration
Too often, misconfigured cloud-based systems lead to data breaches. For instance, in 2019, Capital One was hacked by a malicious actor who stole the sensitive data of more than 100 million people while not following traditional hacker patterns.
The breach was the result of a misconfigured open-source web application firewall (WAF), which Capital One used in its operations hosted on Amazon Web Services. The misconfigured WAF was permitted to list all the files in any AWS data buckets and read the contents of each file. The misconfiguration allowed the intruder to trick the firewall into relaying requests to a key back-end resource on AWS.
Once the breach happened, 100 million U.S. citizens were impacted and 140,000 Social Security numbers and 80,000 bank account numbers were compromised. In total, the breach cost Capital One roughly $150 million.
Anticipated Cloud Security Challenges in 2021
From April to May 2020, the Cloud Security Alliance (CSA) conducted a survey of experienced cloud security architects, designers, and operators from large organizations to, in part, determine the challenges of public cloud workloads in 2020. After surveying 200 respondents, they found that anticipated security challenges included:
- Data Privacy
- IAM Procedures
- Configuration Management
- Compliance Requirements
At the same time, the diversity of production workloads in the public cloud were also expected to increase in 2021, including the use of container platforms, function-as-a-service/serverless approach, and cloud provider services. Use of virtual machines is also expected to increase.
7 Fundamentals of Cloud Security
Don’t just migrate to the cloud – prevent security threats by following these tips:
1. Understand what you’re responsible for – different cloud services require varying levels of responsibility. For instance, while software-as-a-service (SaaS) providers ensure that applications are protected and that data security is guaranteed, IaaS environments may not have the same controls. To ensure security, cloud customers need to double check with their IaaS providers to understand who’s in charge of each security control.
2. Control user access – a huge challenge for enterprises has been controlling who has access to their cloud services. Too often, organizations accidently publically expose their cloud storage service despite warnings from cloud providers to avoid allowing storage drive contents to be accessible to anyone with an internet connection. CSO advises that only load balancers and bastion hosts should be exposed to the internet. Further, do not allow Secure Shell (SSH) connections directly from the internet as this will allow anyone who finds the server location to bypass the firewall and directly access the data. Instead, use your cloud provider’s identity and access control tools while also knowing who has access to what data and when. Identity and access control policies should grant the minimum set of privileges needed and only grant other permissions as needed. Configure security groups to have the narrowest focus possible and where possible, use reference security group IDs. Finally, consider tools that let you set access controls based on user activity data.
3. Data protection – data stored on cloud infrastructures should never be unencrypted. Therefore, maintain control of encryption keys where possible. Even though you can hand the keys over to cloud service providers, it is still your responsibility to protect your data. By encrypting your data, you ensure that if a security configuration fails and exposes your data to an unauthorized party, it cannot be used.
4. Secure credentials – AWS access keys can be exposed on public websites, source code repositories, unprotected Kubernetes dashboards, and other such platforms. Therefore, you should create and regularly rotate keys for each external service while also restricting access on the basis of IAM roles. Never use root user accounts – these accounts should only be used for specific account and service management tasks. Further, disable any user accounts that aren’t being used to further limit potential paths that hackers can compromise.
5. Implement MFA – your security controls should be so rigorous that if one control fails, other features keep the application, network, and data in the cloud safe. By tying MFA (multi-factor authentication) to usernames and passwords, attackers have an even harder time breaking in. Use MFA to limit access to management consoles, dashboards, and privileged accounts.
6. Increase visibility – to see issues like unauthorized access attempts, turn on security logging and monitoring once your cloud has been set up. Major cloud providers supply some level of logging tools that can be used for change tracking, resource management, security analysis, and compliance audits.
7. Adopt a shift–left approach – with a shift-left approach, security considerations are incorporated early into the development process rather than at the final stage. Before an IaaS platform goes live, enterprises need to check all the code going into the platform while also auditing and catching potential misconfigurations before they happen. One tip – automate the auditing and correction process by choosing security solutions that integrate with Jenkins, Kubernetes, and others. Just remember to check that workloads are compliant before they’re put into production. Continuously monitoring your cloud environment is key here.
Secure Your Cloud with Stefanini
Across Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS), we will work with your unique business needs to balance data accessibility with security concerns and address the growing need for agility to adapt to a connected world. We are here to help your business scale by delivering new functionality whenever you need it and by managing your complex Cloud (public, hybrid, private cloud) environments with complete operational insights and security controls.
We work to build a long-term partnership to evolve with your company past initial cloud implementation and into the digital future. Let’s work together to generate new ideas and convert them into your transformative business future. Contact us today!