9th November 2020
4 Min read
Cloud computing solutions are becoming increasingly popular within business technology ecosystems as they are resilient, scalable and agile. The nature of cloud computing is complex and there are several important security considerations before committing to a cloud solution. As your business moves to digitally transform your operations, cloud security controls should not be an afterthought to ensure risks can be assessed and managed effectively.
According to Sophos, 70% of organisations hosting data or workloads in the cloud experienced a security incident in the last year. Without effective cloud security controls in place, your organisation’s information may be exposed to an increased risk of compromise.
Accidental and unknown exposure can cause significant challenges for your organisation. Sophos found that security weaknesses caused by misconfigurations were exploited in 66% of attacks. As businesses start to bring new cloud services into operation, the opportunity for misconfiguration increases which in turn increases the organisation’s attack surface. Businesses must develop a comprehensive cloud security strategy that involves the integration of all business areas to ensure cloud security is a priority and shared responsibility is established.
Cloud platforms offer your organisation an alternative to building your IT infrastructure in-house. This saves your business the cost of investing in and maintaining systems, technology and applications. There are many companies that offer cloud platforms that support the development and management of your organisation’s IT needs.
1. Amazon Web Services
Amazon Web Services (AWS) is considered one of the most powerful and flexible cloud solutions. Its Identity Access Management (IAM) capabilities offer a large range of granular user permissions heavily centred on the principle of least privilege.
2. Microsoft Azure
Microsoft Azure is a great cloud solution for organisations that predominantly use Microsoft infrastructure and services. Azure is developed to provide flexible integration with Microsoft services such as O365 and Active Directory, enabling organisations to transform and scale existing services to a fast and reliable cloud-based solution.
3. Google Cloud
Google Cloud offers a multi-layered security infrastructure providing organisations with a wide range of services that they can use to build flexible and reliable cloud-based IT environments. Google Cloud focuses on ensuring consistent performance and management with services including Compute Engine, Cloud Storage and Big Query.
4. IBM Cloud
IBM Cloud offers PaaS, SaaS and IaaS solutions. Not all of IBM Cloud’s extensive range of services are cloud-based, some are both virtual and hardware services giving users complete control of their infrastructure. It is fully integrated and manageable within a single environment via the web portal, Application Programming Interface (API) or mobile application.
5. Oracle Cloud
Oracle Cloud Infrastructure offers two main service solutions including cloud infrastructure and data processing. Oracle’s cloud infrastructure services relate to databases, data management and applications, and data processing includes analytics and insights for big data. A clear difference between Oracle and the other cloud platform providers is that it is more suited to large enterprises rather than small businesses or individuals.
The key to developing effective security across your cloud infrastructure is to integrate it into the planning, design and implementation phases of your cloud transformation program. Regular testing can supplement the cloud security strategy to maintain a strong security posture as cloud resources are modified over time.
Think about issues including availability, connectivity, flexibility and scalability. Identify the risks that are unacceptable to your organisation and those that would not be. The NCSC has created 14 cloud security principles that can help you identify the risks you should be aware of. Your service provider should best protect the security risks that are a priority to your business.
Lack of cloud expertise
A significant risk of cloud computing is a lack of cloud expertise. Oracle found that 75% of IT professionals view the public cloud as more secure than their own on-site infrastructure, but 92% feel that their lack of expertise in cloud security programs is creating a readiness gap.
To properly secure your cloud environment, you must be able to leverage the platform tools, secure and configure the architecture and integrate them with third-party services. This requires experts either employed in-house or via a third-party to ensure you can gain complete visibility of your infrastructure. You must know who has access to your cloud services and be able to maintain a security management strategy across your cloud environment.
Gaps in your understanding of cloud security can lead to misconfigurations. Correctly configuring your cloud infrastructure is the responsibility of your organisation, not the cloud provider. One of the main causes of misconfiguration is over-privileged accounts. A report conducted by Oracle found that 33% of organisations reported that cyber criminals gained access to their cloud environments by stealing cloud provider account credentials.
The principle of least privilege means it is important to only grant admin privileges to users that require this access to complete their job functions. Implementing multi-factor authentication on all accounts will make it harder for a malicious actor to gain access via the end-user. Stronger identity measures provide an additional challenge for criminals should your employees’ devices be stolen or lost and their accounts compromised.
Non-compliance with data regulations
Migrating to the cloud can lead to complex issues with data compliance. Organisations that process sensitive data including Personally Identifiable Information (PII) must comply with data regulations, such as the EU’s General Data Protection Regulations. It is important to identify which data regulations you are subject to depending on where your data is processed; as processing data internationally can have additional challenges for compliance.
Shared responsibility models determine that it is the responsibility of the customer to protect data stored in the cloud, while the cloud provider is responsible for the security of the cloud platform. When using a cloud provider it is important to understand exactly where the data is stored in the cloud, who has access to it and how it is protected in accordance with the relevant data regulations you are subject to.
Data loss is one of the biggest impacts caused by the security risks of cloud computing. Companies store sensitive data in the cloud including intellectual property and Personally Identifiable Information (PII) that can have serious implications if lost. Cloud platforms offer features to prevent data loss caused by loss of connectivity, outages and data corruption. However, these features must be configured correctly. Having a backup and disaster recovery plan in place is critical to ensure your data can be recovered if a breach or loss is to occur.
Cloud computing resources are easy and fast to deploy but require knowledge and experience to manage risks effectively. Improving your organisation’s knowledge surrounding cloud services is crucial to fill gaps in the misunderstanding that can compromise your security posture. Cloud services must be configured correctly to secure your infrastructure and prevent data breach or loss from occurring whether it is via the end-user or a malicious actor.
OWASP Top 10 2021 Released
The Open Web Application Security Project (OWASP) is a not-for-profit organisation that aims, through community-led open-source projects, to improve the security of web-based software. OWASP…
What is penetration testing and why is it important to use a CREST-approved provider?
Trusting the effectiveness of your IT security controls is crucial to mitigate risks and malicious access to your systems and the information they store. Penetration…
How secure use of the cloud can digitally transform your business
Companies that move towards digital transformation can innovate more quickly, scale efficiently and reduce risk by implementing cloud security best practices. Businesses must keep up…
How to prepare your business for secure cloud migration
The cloud holds a lot of potential for organisations. Moving your IT environment to a secure cloud provides flexibility and agility. It allows your team…
Celebrating Sentrium’s contribution to cyber security
2020 is the year that remote working exploded. Businesses and the general public had to quickly adapt to new ways of working caused by the…
What is CREST and what are the benefits of using a CREST accredited company?
We’re delighted to announce that Sentrium Security is now a CREST accredited company! This is an exciting achievement for us and it’s great to be…
Application Security 101 – HTTP headers
1. Strict-Transport-Security The HTTP Strict Transport Security (HSTS) header forces browsers and other agents to interact with web servers over the encrypted HTTPS protocol, which…
New Exchange RCE vulnerability actively exploited
Exchange admins now have another exploit to deal with despite still reeling from a number of high profile attacks this year including ProxyLogon and ProxyShell.…
How effective is secure code review for discovering vulnerabilities?
We’ve recently discussed application security and the trend we’re seeing in which companies are increasingly implementing security early on in the Software Development Life Cycle…
Application Security (AppSec)
There is a movement in the IT security world that is gaining traction, and it is based around the implementation of security within applications from…
Enhancing Security in your Software Development LifeCycle – Dealing with Dependencies
The adoption of agile practices has resulted in the emergence of shift-lift testing, where testing is performed much earlier in the Software Development LifeCycle (SDLC).…