20 July, 2023
Organizations are rapidly migrating to cloud computing for increased efficiency and scalability. Yet with this surge comes new and more sophisticated cloud security concerns. For organizations to continue reaping the benefits of the cloud, they must plan for these risks rather than merely reacting to them. In other words, to be able to focus on the future, you must first secure the present.
In this blog, we focus on a few of the top security risks that can hinder the expansion of cloud services, while providing recommendations to mitigate emerging risks.
Companies need to abide by local, regional, and international laws and regulations. Yet in countries like the UAE, these laws are still evolving, as seen in the new Personal Data Protection Law.
Ultimately, organizations must understand where their data resides and travels, and how they audit information and provide access controls. This requires mapping out the compliance and regulatory landscape for internal and external stakeholders such as internal business stakeholders, vendors, and clients. Identifying the ideal cloud service provider (CSP) and application trust boundaries, while carefully reviewing CSP contracts around export controls, is also essential.
Companies increasingly store sensitive data in the cloud. An analysis by Skyhigh found that 21% of files uploaded to cloud services contain sensitive data, including intellectual property. When a cloud service is breached, cybercriminals can gain access to this sensitive data. Business involvement and understanding which data will be processed, stored, and transmitted by applications is necessary. Moreover, standard CSP contracts will not accept liability for sensitive data. Most add statements such as "prohibits the use of the solutions for processing sensitive personal data". Thus, CSP contracts need to be reviewed so the terms and conditions are amended for the handling of such data.
A significant challenge that cloud services create is the loss of control over the management of complex architectures. Considerable planning is necessary for effective end-to-end monitoring. We found that often an organization's existing monitoring frameworks cannot effectively track both on-premises and public cloud environments. Relevant security and operations teams must be proactively involved in assisting with monitoring requirements and processes during cloud design stages as it's nearly impossible to implement effective monitoring as an afterthought.
If sensitive data is breached, your organization may be required to disclose the breach. Following legally mandated breach disclosures, regulators can levy fines, in addition to potential consumer lawsuits. So again, reviewing CSP contracts and evaluating how a CSP handles their breaches gives you and your organization insights into their process. It is also important to note that, upon go-live, you should ensure a channel of communication is established and responsibilities are assigned for incident communications.
Cloud customers have little to no control over data disclosure whenever a Mutual Legal Assistance Treaty (MLAT) request, or a similar foreign access request, is made. Such a request can reach any client data held by the CSP. Data encryption and key management controls can help limit data disclosures, but key management is an area that has yet to mature. These security services are typically added as afterthoughts due to late recognition of customers' increasing data security concerns. For example, when CSPs offer the Bring Your Own Key (BYOK) option, it creates the perception of increased security and control. Digging deeper into the BYOK model reveals that it is applied only at varying tiers of the key hierarchy across CSPs, and customers are not necessarily in control of the keys that actually protect data. Organizations must carefully review encryption and key management architecture provided by the CSP.
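The BYOK point above can be made concrete with a small model. This is an added example, not code from any CSP or from the authors: `ProviderModel`, its three-tier hierarchy and the cached key are assumptions, and the toy cipher only stands in for AES so the script runs on the standard library.

```python
import hashlib
import hmac
import os

def _xor_stream(key, nonce, data):
    # Toy cipher (HMAC-SHA256 counter keystream) standing in for AES.
    # Unauthenticated and for illustration only, not for production use.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def wrap(key, plaintext):
    nonce = os.urandom(16)
    return nonce + _xor_stream(key, nonce, plaintext)

def unwrap(key, blob):
    return _xor_stream(key, blob[:16], blob[16:])

class ProviderModel:
    """Hypothetical CSP where BYOK covers only the top tier of the key hierarchy."""
    def __init__(self, customer_key):
        self.customer_key = customer_key           # tier 0: imported by the customer
        kek = os.urandom(32)                       # tier 1: generated by the provider
        self.wrapped_kek = wrap(customer_key, kek)
        self._kek_cache = kek                      # plaintext copy held by the service

    def store(self, data):
        dek = os.urandom(32)                       # tier 2: the key that encrypts data
        return wrap(self._kek_cache, dek), wrap(dek, data)

    def revoke_customer_key(self):
        self.customer_key = None

    def read(self, wrapped_dek, ciphertext, use_cache):
        if use_cache:
            kek = self._kek_cache                  # path that never touches tier 0
        elif self.customer_key is None:
            raise PermissionError("customer key revoked")
        else:
            kek = unwrap(self.customer_key, self.wrapped_kek)
        return unwrap(unwrap(kek, wrapped_dek), ciphertext)

def demo():
    provider = ProviderModel(os.urandom(32))
    record = provider.store(b"constructed sample record")
    provider.revoke_customer_key()
    try:
        provider.read(*record, use_cache=False)
        strict = "readable"
    except PermissionError:
        strict = "blocked"
    return strict, provider.read(*record, use_cache=True)
```

In this model, revoking the customer key blocks only the path that re-derives the lower tiers from it; whether a real service caches unwrapped keys, and for how long, is the question to put to the CSP when reviewing its key management architecture.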
Statistics show 80% of workers admit to using SaaS applications at work without getting approval from IT. To reduce the risks of unmanaged cloud usage, organizations first need to define their cloud policy. They also need visibility into the cloud services in use by their employees and to understand what data is being uploaded to which cloud services. By doing this, organizations can better govern and protect corporate data in the cloud.
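One way to get the visibility described above is to summarize web proxy logs against the sanctioned list from the cloud policy. This is an added example, not from the original post: the log format, the `.example` service names and the `SANCTIONED` set are constructed assumptions.

```python
from collections import defaultdict

# Constructed policy: services approved by IT (hypothetical names).
SANCTIONED = {"corpdrive.example", "crm.example"}

# Constructed proxy log lines: timestamp user method host bytes_uploaded
SAMPLE_LOG = """\
2023-07-20T09:01:11Z alice POST files.corpdrive.example 52000
2023-07-20T09:02:40Z bob PUT upload.filedrop.example 7340032
2023-07-20T09:05:02Z bob GET www.filedrop.example 0
2023-07-20T09:07:19Z carol POST api.notes.example 18000
malformed line
2023-07-20T09:09:55Z bob POST upload.filedrop.example 1048576
"""

def service_of(host):
    # Approximate the service by the last two DNS labels. A production
    # version would use the public suffix list instead.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def unsanctioned_uploads(log_text, sanctioned):
    """Return [((service, user), bytes_uploaded), ...], largest first."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # skip lines that do not match the expected format
        _, user, method, host, sent = parts
        service = service_of(host)
        # Only upload methods matter for "what data goes to which service".
        if method in {"POST", "PUT"} and service not in sanctioned:
            totals[(service, user)] += int(sent)
    return sorted(totals.items(), key=lambda item: -item[1])

if __name__ == "__main__":
    for (service, user), sent in unsanctioned_uploads(SAMPLE_LOG, SANCTIONED):
        print(f"{service:20} {user:8} {sent} bytes uploaded")
```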
As per IBM’s 2020 X-Force Threat Intelligence Index, threat actors took advantage of misconfigured cloud servers to siphon over 1 billion records from compromised cloud environments in 2019 alone. Misconfiguration occurs when computing assets are set up incorrectly, leaving them vulnerable to malicious activity. The reality is that cloud-based resources can be complex and dynamic, making them challenging to configure.
Organizations should therefore embrace automation and use technologies that continuously scan for misconfigured resources and remediate problems in real time. Enabling multi-factor authentication (MFA) and ensuring staff undergo adequate technical training is also vital.
Digital transformation initiatives push for faster software development cycles. However, security is often considered last, resulting in additional time and effort spent fixing vulnerabilities. The risk is worse if on-premises applications are deployed on the cloud. For instance, a cloud-native app must include special means for logging state and performance. In particular, such apps must support technology-agnostic APIs and Zero-Trust identity management. Aside from avoiding the deployment of non-cloud-adapted apps into the cloud, to mitigate this risk, organizations should consider establishing a security-by-design strategy, incorporating cloud-native application security, and adding a cloud workload protection platform (CWPP) to their DevOps CI/CD toolchain.
You can outsource cloud services and operations, but not security accountability. The ultimate accountability for data in the cloud remains with your organization.
For this, the critical success factor is to ensure all stakeholders, including Business, IT, Security and Cloud service provider, are part of the risk assessment and the eventual findings and remediation. Security must also be addressed from the beginning of the project and continue to be evaluated throughout the project, even after its completion. This will ensure the organization proactively manages its network and cloud environments, rather than putting out fires as they arise after deploying new technologies.
The cloud is here to stay, and companies must balance the risks of cloud services against the clear benefits they bring, and plan accordingly.
Authors: Shivani Jariwala, Oscar-Iván Lepe-Aldama
Cloud Computing Security Issues: https://www.skyhighsecurity.com/en-us/cybersecurity-defined/cloud-computing-security-issues.html
Shadow IT usage statistics: https://track.g2.com/resources/shadow-it-statistics
X-Force Threat Intelligence Index 2022: https://www.ibm.com/downloads/cas/ADLMYLAZ
Meaningful Metrics for Human Cyber Risk: https://www.scopeme.com/cybsafe/CYBSAFE-Meaningful+Metrics+whitepaper.pdf