Cloud computing is a non-negotiable tool for many businesses. Benefits like cost-efficiency, flexibility and scalability, to name a few, are why the majority of organisations are already using the cloud. In fact, Gartner reports that worldwide end-user spending on public cloud services is forecast to grow 20.7% to $591.8 billion in 2023 – up from $490.3 billion in 2022.
But despite its popularity, like any data storage system, the cloud needs to be used by skilled experts – otherwise organisations can face security risks. According to Pluralsight’s 2023 State of Cloud report, 90% of UK businesses want to boost their cloud strategies this year, but only 6% have all staff cloud certified. Even more concerning is that cloud leaders identified security as their top skills gap.
Historically, businesses have debated whether the cloud is secure. Really, leaders should be questioning whether they are using the cloud securely. While cloud security adopts a shared responsibility model between organisations and the cloud providers, the biggest risk to a cloud environment is the misconfiguration and misuse of solutions – not whether or not cloud providers are doing their jobs.
A successful cloud strategy is not simply about migration. It must ensure that critical applications and sensitive data are safeguarded, with the technology and skilled people in place to mitigate risk.
Basic security practices, such as implementing multi-factor authentication or keeping operating systems and security patches up to date, can only go so far. Technologists can begin optimising cloud security around the following five aspects.
1. Identity and access management
People are an enterprise’s largest security risk. Research shows that half (50%) of IT and security leaders lack confidence when it comes to knowing where their sensitive data is stored. Especially in our current economic climate, where many industries have faced layoffs, knowing who has access to what is imperative. If technologists aren’t diligent about removing user accounts from their systems and effectively managing access permissions, organisations are left vulnerable to attack.
By adopting the principle of least privilege, organisations can limit users’ access rights to only what is vital for doing their job, and role-based access controls mapped to job functions can help define access to cloud resources. Staying on top of these controls helps IT leaders monitor access and ensure these policies are enforced. This minimises the potential attack surface by reducing the number of doors through which cyber-attackers can gain entry and cause damage.
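As an added illustration (not part of the original article), the audit below compares the permissions each account holds against what its owner's job function allows, and flags accounts whose owner is no longer on staff. The roster, role names and permission strings are constructed, hypothetical data.

```python
"""Least-privilege audit over constructed data (all names are hypothetical)."""

# Role-based access control: permissions each job function actually needs.
ROLE_PERMISSIONS = {
    "developer": {"repo:read", "repo:write", "logs:read"},
    "analyst": {"warehouse:read", "logs:read"},
    "sre": {"logs:read", "compute:restart", "secrets:read"},
}

# Current staff and their job function, e.g. exported from the HR system.
ACTIVE_STAFF = {"amara": "developer", "bo": "analyst", "chen": "sre"}

# Permissions granted to each cloud account today (constructed sample).
GRANTS = {
    "amara": {"repo:read", "repo:write", "logs:read"},
    "bo": {"warehouse:read", "logs:read", "secrets:read"},  # beyond role
    "chen": {"logs:read", "compute:restart"},
    "dana": {"repo:read", "warehouse:read"},  # no longer on the roster
}


def audit_access(active_staff, role_permissions, grants):
    """Return (orphaned, excess) findings for the given grants.

    orphaned: accounts that hold grants but have no active owner.
    excess:   per-user permissions not covered by the user's role.
    """
    orphaned = sorted(user for user in grants if user not in active_staff)
    excess = {}
    for user, granted in grants.items():
        if user in orphaned:
            continue
        # An unknown job function allows nothing, so every grant is excess.
        allowed = role_permissions.get(active_staff[user], set())
        extra = granted - allowed
        if extra:
            excess[user] = sorted(extra)
    return orphaned, excess


if __name__ == "__main__":
    orphaned, excess = audit_access(ACTIVE_STAFF, ROLE_PERMISSIONS, GRANTS)
    for user in orphaned:
        print(f"REMOVE  {user}: account has no active owner")
    for user, perms in excess.items():
        print(f"REDUCE  {user}: revoke {', '.join(perms)}")
```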
2. Infrastructure protection
Zero-Trust is a high-level cybersecurity strategy that assumes breach and verifies each request as if it is from someone who cannot be trusted. While this is often touted as the most effective security framework, it can give organisations a false sense of security. Businesses can never fully remove risk for applications because they will need to be made accessible to customers, partners and third parties at some point – trust will need to be granted.
Instead, focussing on variable trust, which dictates who is allowed to access what within your systems, will allow users to offload some security responsibilities to managed services. Though it might sound overwhelming to manage, all major cloud providers offer tools that fulfil this purpose.
3. Data protection
For optimised data protection, organisations can leverage encryption in two forms: for data in transit and for data at rest. Data in transit refers to information moving through a network, while data at rest refers to data that is kept in persistent storage.
To protect data in transit, it’s essential to utilise industry-standard security protocols such as Transport Layer Security (TLS) and IPsec. These protocols are supported by major cloud providers and ensure that data is protected as it moves within the cloud or between on-premise data centres and cloud resources. Encryption in transit helps prevent man-in-the-middle attacks that can lead to data theft, credential theft, or data corruption.
Encryption at rest is just as important, as it secures data held within databases, data lakes, or buckets in cloud providers. All major cloud providers support AES 256-bit encryption, which makes it impossible for an attacker to access or read data without the encryption key.
4. Detection controls
Detection controls are essential for identifying weaknesses and enabling prompt action. However, data breaches are primarily caused by misconfigurations. All major cloud providers offer native tools that can actively scan for vulnerabilities, misconfigurations, suspicious activities and compromised instances. Some of these tools can also provide alerts if an instance is engaging with a known malicious network, contacting a command-and-control server, or exhibiting unusual behaviour. This functionality ensures that organisations are promptly alerted to any suspicious activity and can take steps to mitigate risks before they cause harm.
5. Incident response
IT leaders should aim to automate the incident response process as much as possible. For example, most cloud providers offer the ability to create serverless functions that can be used to remediate common scenarios, automating the most basic of incident response tasks to free up time for security teams and allow them to focus their energy on more complex incidents that require human intervention.
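The sketch below is an added example, not code from the article or from any cloud provider: a serverless-style handler that takes findings from a detection tool, fixes the common misconfigurations automatically and escalates everything else to the security team. The `FakeCloud` client, the finding names and the event shape are hypothetical stand-ins for a real provider SDK.

```python
"""Serverless-style auto-remediation sketch (provider API is hypothetical)."""


class FakeCloud:
    """Stand-in for a provider SDK so the example runs offline."""

    def __init__(self, resources):
        self.resources = resources  # resource id -> config dict
        self.actions = []           # audit trail of changes made

    def get_config(self, resource_id):
        return self.resources[resource_id]

    def update_config(self, resource_id, **changes):
        self.resources[resource_id].update(changes)
        self.actions.append((resource_id, changes))


# Playbook: finding type -> (still-misconfigured check, fix to apply).
PLAYBOOK = {
    "storage.public_access": (lambda c: c.get("public"), {"public": False}),
    "storage.unencrypted": (lambda c: not c.get("encrypted"), {"encrypted": True}),
}


def handler(event, cloud):
    """Entry point a function runtime would call for each finding event."""
    resource_id, finding = event["resource_id"], event["finding"]
    if finding not in PLAYBOOK:
        # No safe automated fix: hand over to the security team.
        return {"resource_id": resource_id, "status": "escalated"}
    still_bad, fix = PLAYBOOK[finding]
    # Re-check live state so a stale or replayed alert changes nothing.
    if not still_bad(cloud.get_config(resource_id)):
        return {"resource_id": resource_id, "status": "already_compliant"}
    cloud.update_config(resource_id, **fix)
    return {"resource_id": resource_id, "status": "remediated", "applied": fix}


if __name__ == "__main__":
    cloud = FakeCloud({  # constructed inventory
        "bucket-a": {"public": True, "encrypted": True},
        "vm-1": {"public": False, "encrypted": True},
    })
    events = [  # constructed findings, as a detection tool might emit them
        {"resource_id": "bucket-a", "finding": "storage.public_access"},
        {"resource_id": "bucket-a", "finding": "storage.public_access"},
        {"resource_id": "vm-1", "finding": "compute.c2_traffic"},
    ]
    for e in events:
        print(handler(e, cloud))
```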
Cloud security requires teamwork
With organisations investing more resources into the cloud every day, it is crucial that security remains front of mind. Businesses need to be working with their people to ensure they have the skills and technological know-how to use the cloud securely and help mitigate cloud data security challenges. A successful cloud strategy is a team effort and requires a diverse team of technologists to astutely detect blind spots and improve overall cloud security posture.