Security misconfigurations are a major threat to cloud security


Date: 19 December 2019


Cloud-based infrastructure is often cheaper, more flexible, and more scalable than hosting systems in-house. As a result, a growing number of organizations are moving sensitive data and applications to cloud-based deployments.

However, the outlook regarding the cloud isn’t entirely rosy. While many organizations are whole-heartedly embracing cloud computing, fewer are adopting good cloud security practices. Many organizations treat cloud-based environments the same way they do an on-premises deployment.

The fact is that cloud security differs greatly from on-premises security. An organization’s security team has a very different level of control over the infrastructure that they are using and, as a result, different responsibilities for securing it.

Many organizations have failed to understand the cloud shared responsibility model for security and the controls and configuration settings provided by their cloud service provider (CSP). As a result, they have failed to properly configure these settings, leaving sensitive data vulnerable to attack.

The cloud shared responsibility model

The cloud is a very different environment from the on-premises deployments that many organizations are used to. One of the biggest differences is the concept of the cloud shared responsibility model.

In an on-premises deployment, an organization’s security team owns every piece of their network infrastructure. The team theoretically has full visibility of, and control over, everything - from the physical hardware in the server room to the top-level applications running on that hardware. This means that they also have complete responsibility for securing their network environment.

In a cloud deployment, depending on the details of the services an organization is renting, a greater or lesser portion of its infrastructure stack is actually owned and controlled by its CSP. With this loss of ownership also comes a loss of visibility and control for the customer’s security team.

In the cloud, the CSP and the customer share responsibility for security. Some levels of the infrastructure stack are completely under the CSP’s control, and they are responsible for securing those levels. Others are under the customer’s control, and are their full responsibility. Where the two sections meet, CSPs and their customers often share responsibility.

In many cases, CSPs provide their customers with security controls and configuration settings that they can use to secure the portions of their cloud deployment that are their responsibility. Many organizations have left sensitive information vulnerable to threats because they failed to understand the shared responsibility model (and the fact that some aspects of cloud security are their own responsibility) and failed to properly configure these provided security controls.

The threat of cloud security misconfigurations

Properly configuring cloud security settings requires an understanding of the settings, how they work, and how to map them to an organization’s overarching security policy. Since 97% of organizations have adopted multi-cloud policies, this can be harder than it sounds.

Properly securing the cloud requires a clear understanding of the cloud shared responsibility model, yet only 27% of security professionals feel that the model is very clear. As a result, most security teams are operating with an imperfect understanding of what aspects of cloud security are their responsibility, and which ones are the job of the CSP.

Once the security team has a clear understanding of their responsibility in securing the cloud, they need to identify and appropriately configure the security controls provided by their CSP. In multi-cloud environments, where each cloud has its own collection of security controls and configuration settings, this can be a complicated task.

Failure to securely configure a cloud deployment makes it very easy for sensitive information to be leaked. The cloud is designed to be easily accessible from anywhere and lies outside the network perimeter where many organizations deploy the bulk of their cybersecurity threat detection and data protection solutions.

As a result, it is not surprising that many organizations have experienced data breaches caused by the misconfiguration of their cloud security controls - and are often unaware of the fact until they are notified by ethical hackers.

Securing a cloud deployment

The difference between on-premises and cloud deployments impacts the effectiveness of various security solutions in the cloud. Many security solutions designed for on-premises deployments lose some or all of their effectiveness when migrated to a cloud deployment.

Securing cloud computing requires developing and implementing security strategies and policies specifically for the cloud. While these should parallel and conform with an organization’s overall security policy, the details of their implementation need to be specific to the cloud.

An organization needs security solutions that are designed to provide visibility and control of a cloud deployment, and especially of CSP-provided security configurations and controls.

Copyright 2019. Article was made possible by site supporter Jessica Foreman
