The Cloud Security Solutions Guide
Cloud is an enabler of modern business. Getting cloud security right is key to keeping yours going.
By: Secureworks
Cloud is instrumental to digital transformation. Companies use cloud to rapidly roll out innovative digital products and services, modernize IT environments, and support hybrid working. Consequently, cloud adoption has already reached remarkable levels and continues to grow. According to the Flexera 2021 State of the Cloud Report, 80% of organizations have a private cloud, 97% use a public cloud, and 92% leverage multiple clouds. Industry-analysis firm Gartner estimates that in 2022, organizations worldwide will spend $482 billion on public-cloud services such as software-as-a-service (SaaS), infrastructure-as-a-service (IaaS), and platform-as-a-service (PaaS). This projection implies a 21.7% year-over-year growth compared to 2021.
As more sensitive data makes its way to the cloud, privacy regulations like GDPR and CCPA weigh in, and cybercrime continues to rise, businesses are ramping up their investment in the ability to protect themselves. Gartner forecasts that worldwide security and risk management spending will exceed $150 billion in 2021, and cloud security will be the fastest growing security-market segment, expanding 41.2% year-over-year to reach $841 million.
Cloud Security is a Shared Responsibility
Organizations and their cloud infrastructure provider(s) share the responsibility for security and compliance by following a “shared responsibility model.” As illustrated for AWS in Figure 1 below, the infrastructure provider is responsible for security of the cloud, while the customer is responsible for security in the cloud. The infrastructure provider is on point for protecting everything from concrete to hypervisor, i.e., data center facilities and hardware, software, and network infrastructure. Customers are accountable for data and applications that run on the cloud infrastructure. So, the proverbial unsecured AWS S3 buckets that have resulted in sensitive data exposure for numerous organizations illustrate a misconfiguration problem on the customer side.
Top Cloud Security Threats
Cloud users are a prime target for malevolent hackers, and protecting complex cloud environments is no small feat for organizations. Experts at the Cloud Security Alliance have identified the following 11 critical threats to cloud computing (ranked in order of severity), referred to as the “Egregious Eleven”:
- Data breaches. Security responsibility: customer and cloud-service provider
- Misconfiguration and inadequate change control. Security responsibility: customer
- Lack of cloud security architecture and strategy. Security responsibility: customer
- Insufficient identity, credential, access and key management. Security responsibility: customer
- Account hijacking. Security responsibility: customer and cloud-service provider
- Insider threat. Security responsibility: customer
- Insecure interfaces and APIs. Security responsibility: customer and cloud-service provider
- Weak control plane. Security responsibility: customer
- Metastructure and applistructure failures. Security responsibility: customer and cloud-service provider
- Limited cloud usage visibility. Security responsibility: customer and cloud-service provider
- Abuse and nefarious use of cloud services. Security responsibility: customer and cloud-service provider
How to Approach Cloud Security
Building a continuous cloud-security management program for your organization is critical. As a first step, you may want to familiarize yourself with leading security frameworks (such as NIST Cyber Security Framework and related publications, ISO/IEC 27017, etc.) and best practices for cloud security (such as the Center for Internet Security Benchmarks, which provide security-configuration guides for various cloud environments, from AWS to Azure to Google Cloud Platform to Alibaba Cloud).
The Cloud Security Alliance (CSA) publishes a Cloud Controls Matrix (CCM) that outlines fundamental security principles and controls to “guide cloud service providers (CSPs) and cloud service customers (CSCs) seeking secure implementation, assessment, and management of cloud services security risks.” CCM covers 197 controls across 17 security domains, such as Audit and Assurance, Application and Interface Security, Change Control and Configuration Management, Governance, Risk and Compliance, Infrastructure and Virtualization Security, Threat and Vulnerability Management, and others.
You can leverage cloud security consultants to examine how your enterprise processes, stores, accesses, and uses data in the cloud, and then craft a custom data-governance protocol and other elements of the security-management program aligned to your business objectives and risk profile. Professional cloud security assessments and penetration testing would also be instrumental in helping you utilize the cloud in a compliant and secure fashion.
In the unfortunate event of a company experiencing a breach, having a cloud incident response plan in place is crucial to mitigating the impact of an attack and minimizing damage. Enduring any catastrophic enterprise event is traumatic enough, but how the enterprise reacts after such an event will often determine its fate. Moreover, the organization’s response plays an influential role in the potential cost of a cyber breach.
Protect Your Cloud With Secureworks®
A secure cloud infrastructure is a requirement that every modern business must meet to remain competitive. Learn more about our cloud security products and services and leverage our expertise to create a cloud security strategy that fits your business needs.