For years, many business and IT executives have been leery of the public cloud — and even avoided these services outright — because of concerns about security threats.
Those worries have largely abated as the cloud services market matured and the leading cloud providers built highly secure infrastructures. But that doesn’t mean the threats have gone away or that cloud customers should assume they’re no longer responsible for making sure their data is protected.
, and extensive logging capabilities, Riley said. “Some can be integrated with privileged access management tools. Most services also offer some form of ‘effective permissions’ evaluator, which helps remove the guesswork from determining whether the permissions of a user or service account are overly scoped.”
Too-broad permissions on accounts and too-broad access control lists on objects represent the most common and most dangerous cloud security problems, Riley said.
2. Prevent security misconfigurations
The greatest threat to cloud environments is misconfigurations, said Frank Dickson, program vice president, security and trust at research firm IDC.
For example, open Amazon Web Services (AWS) Simple Storage Service (S3) buckets have been a source of high-profile breaches, and yet some organizations choose to leave their public cloud storage resources open, Dickson said.
“S3 buckets though are not open by default; they are closed,” Dickson said. “The client had to make a decision to open the buckets and leave them exposed. The old adage said that an ounce of prevention is worth a pound of cure. Well, an ounce of investment in proper cloud configurations is worth 20 pounds of cloud security tools.”
Cloud misconfiguration is the first thing attackers check for, according to CSA, and a small security oversight such as failing to remove an old account can cause problems in a matter of seconds. Among the common ways a cloud can be misconfigured are a lack of access restrictions and a lack of data protection, particularly for personal information that is uploaded to the cloud in plain-text form.
Another reason for misconfigurations, CSA said, is failing to audit and validate cloud resources. A lack of regular audits of resources and configurations can lead to a security flaw ready to be pounced on by malicious exploiters, the group reports.
Companies can also neglect logging and monitoring. The timely checking of data and access logs is vital to identify and flag security-related events.
Finally, organizations can provide “over entitlement” of access to users. User access should be restricted to only the applications and data that an individual is permitted to use, CSA said.
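As an added illustration of the over-entitlement and public-access problems described above, and of the "effective permissions" evaluators Riley mentions earlier (example code, not from the article, CSA or any cloud provider): a small Python checker that flags unconditional public or wildcard grants in constructed bucket and identity policies, plus a simplified allow/deny evaluator. The policy contents, account id and bucket name are made up, and the evaluator ignores principals and conditions.

```python
import fnmatch
import json

# Constructed samples (not from the article): a bucket policy with one
# public-read statement, and an identity policy with an over-broad grant.
BUCKET_POLICY = json.dumps({"Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "AppRole", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-bucket/app/*"}]})

IAM_POLICY = json.dumps({"Statement": [
    {"Sid": "TooBroad", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Sid": "NoDeletes", "Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"},
    {"Sid": "ReadLogs", "Effect": "Allow", "Action": "logs:Get*",
     "Resource": "arn:aws:logs:us-east-1:123456789012:*"}]})


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _matches(patterns, value, fold_case=False):
    # IAM-style wildcards '*' and '?'; action names are case-insensitive, ARNs are not.
    patterns = _as_list(patterns)
    if fold_case:
        value, patterns = value.lower(), [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_public_principal(principal):
    """True when a statement grants to the anonymous '*' principal."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def find_overly_broad(policy_json):
    """(Sid, reason) pairs for unconditional Allow statements that are public
    or use wildcard actions/resources: the over-scoping the article warns about."""
    findings = []
    for st in json.loads(policy_json)["Statement"]:
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue  # explicit denies and conditioned grants are out of scope here
        sid = st.get("Sid", "<no Sid>")
        if is_public_principal(st.get("Principal")):
            findings.append((sid, "public principal"))
        if any(a == "*" or a.endswith(":*") for a in _as_list(st.get("Action", []))):
            findings.append((sid, "wildcard action"))
        if "*" in _as_list(st.get("Resource", [])):
            findings.append((sid, "wildcard resource"))
    return findings


def effective_allow(policy_json, action, resource):
    """Simplified effective-permissions check: a matching explicit Deny wins
    over any Allow, and no matching Allow means implicit deny."""
    allowed = False
    for st in json.loads(policy_json)["Statement"]:
        if _matches(st.get("Action", []), action, fold_case=True) and \
                _matches(st.get("Resource", []), resource):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Running `find_overly_broad` over every bucket and identity policy exported from an account gives a quick first pass before the provider's own effective-permissions tooling is consulted.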
3. Reduce the complexity of cloud management
Providing sufficient security for even a single cloud service can be a big challenge for organizations. Add more cloud services and more cloud providers to the mix and the challenge of protecting data becomes even greater.
And for a growing number of organizations, a migration to the cloud ultimately means having a multi-cloud or hybrid cloud environment. This can result in a highly complex infrastructure, encompassing a variety of public cloud service providers and types of cloud services, and it can introduce a number of security risks.
One of the early steps in addressing cybersecurity in a cloud-dominated environment should be to reduce complexity, Dickson said. IDC estimates that 80 percent of companies have more than one Infrastructure-as-a-Service (IaaS) provider, he said.
Many organizations are using multiple software-as-a-service (SaaS) and platform-as-a-service (PaaS) offerings from different providers as well, as they look to reduce operating expenditures and gain greater agility in providing services to users and customers.
Having multiple clouds, each with its own peculiarities, can be hard to protect. “Minimize the number of cloud providers if possible,” Dickson said. “Fewer cloud providers often means fewer security providers. Vendor consolidation further reduces complexity.”
4. Focus increased attention on detection and response
As a consequence of ceding some control with the cloud, organizations should expect to perform more monitoring of cloud activity, Riley said, in order to demonstrate that governance procedures are in place and are being followed.
“Most CSPs provide the necessary tools to instrument resources, workloads and applications to gather raw log data, but might place limits on where log data can be stored,” Riley said. “Converting this data into useful information presents challenges and might require a CSP-provided or third-party product or service, especially if log data needs to be moved from one geographic region to another.”
Some Gartner clients prefer to rely on existing security information and event management (SIEM) tools, and many cloud services support the more popular ones, Riley said. Other clients report that SIEM tools are unwieldy and noisy, and instead prefer more cloud-native services.
“Before investing in yet another product, however, organizations should first investigate the cloud service’s built-in logging, reporting and analysis capabilities,” Riley said.
SaaS applications tend to offer collections of various reports that aggregate, correlate and analyze behavior. “These could be sufficient for organizations [that] use only one or a few SaaS applications,” Riley said. For organizations that subscribe to many SaaS applications, a cloud access security broker (CASB) or SaaS management platform (SMP) would likely be a better choice for assessing SaaS security posture and standardizing control and governance.
“IaaS and PaaS providers offer the primitives necessary for instrumentation and expect their customers to gather the outputs into a service that can make sense of the data,” Riley said. “Increasingly, IaaS and PaaS CSPs offer native incident analysis and investigation capabilities.”
In addition, cloud security posture management (CSPM) tools offer highly effective mechanisms for assessing the configurations of workloads and for detecting and remediating out-of-compliance settings.
5. Deploy data encryption
Data encryption is one of the stronger security tools organizations can use to protect data if it somehow falls into the wrong hands.
“The protection of data becomes important in the cloud as data, by default, leaves the premises,” Dickson said. “Encryption of data in motion and data at rest is a must.”
Encryption offers an extra layer of logical isolation, Riley said. “For many security teams, debate swirls around the question of whether to encrypt everything by default,” he said. “For IaaS and for bulk storage in PaaS, a reasonable approach could be to do exactly that. It simplifies configuration procedures, avoids situations in which sensitive data is inadvertently exposed, and is useful for destroying data by just deleting the keys.”
Encryption also serves as a double-check for access control strategies, Riley said. “To read an encrypted object, an account must be present on two access control lists: that of the object itself and that of the key which encrypted the object,” he said. “Mechanisms that must agree when granting access represent a useful form of defense in depth.”
For SaaS and application layer data in PaaS, the decision is more complicated, Riley said. “Encrypting data outside the context of the PaaS/SaaS application reduces application functionality,” he said. “Organizations must weigh the trade-offs between functionality and isolation.”
Encryption is no substitute for trust, Riley said. “Doing anything useful with encrypted data requires decrypting it first and reading it into memory — leaving it exposed to memory-based attacks,” he said.
6. Make training and education a priority
Finally, as with any other cybersecurity initiative, educating users about security risks is vital. Migrating to the cloud is still a relatively new concept for many organizations and employees, so training and written procedure guides need to be a priority.
“Start educating yourself and your staff on cloud security,” said John Yeoh, global vice president of research at CSA. “There are a number of educational documents and courses available to learn about security fundamentals in the cloud.”
The CSA has a foundational document called , and a training course called .
“For those using specific cloud services and tools, it’s important to have the knowledge of those tools,” Yeoh said. “Providers constantly add and change features in their services. Keeping up with the proper use of the features and understanding standard configurations is vital to the secure use of those services.”
Establishing a culture for security with basic cloud knowledge “is a great step to improving a company’s security posture by reducing the human error element and creating awareness of best practices in the cloud,” Yeoh said.
Education should also extend to knowing exactly what cloud providers offer in the way of security.
CSA’s allows you to view and compare how cloud service providers meet or exceed baseline security requirements, Yeoh said.
“Having a framework of common cloud security controls that are being implemented in the industry creates trust and assurance for that cloud service provider and their services,” Yeoh said. “Identify security requirements that are critical to your organizational use of that service, and ensure that those requirements are met through controls provided in the framework. This practice can expedite the procurement process and improve your security posture.”