Companies relatively new to cloud operations are striving to bolster their 360-degree security posture in a rapidly evolving landscape. Vrinda Khurjekar, senior director of AMER at Searce, highlights why that’s necessary and how enterprises can go about it.
The sky’s the limit for cloud migration: Gartner forecasts that worldwide end-user spending on public cloud services will grow upwards of 25% in 2023 after a 20.4% increase in 2022, led by infrastructure-as-a-service, platform-as-a-service, and software-as-a-service spending. Business owners love the increased scaling and operational efficiencies, the decreased reliance on physical systems, the access to new technologies, and the subscription payment model.
In the last half-decade of rapid mass cloud adoption, tech businesses enjoyed a newfound sense of cybersecurity, having dispensed with on-premises perimeters to defend. However, in 2022, 45% of data breaches occurred in cloud services. With enterprises increasingly turning to public cloud, multi-cloud and hybrid cloud environments, security for platforms and data in the cloud will need to come of age swiftly to keep pace with ever-present cyber criminals.
A company that applies traditional security measures left over from static environments to cloud environments is setting itself up for failure. Greenfield companies that are about to migrate or have newly migrated to cloud services could, in particular, fall victim to a set-it-and-forget-it approach to security, given that the move to cloud platforms requires a great deal of change management resources even before considering data security. We have observed that greenfield companies must go beyond the basics to secure the organization against the top cloud vulnerabilities, like inadequate identity and access management, insecure APIs and interfaces, misconfiguration and inadequate change control.
Baseline Security Is Only Step One of Securing Cloud Environments
Baseline security systems and measures are built into the cloud services of the major providers like AWS and IBM Azure, who, combined, own over half of the world’s cloud infrastructure. The core security infrastructure of such leading providers includes centralized, automated, and fine-grained controls so that CISOs can manage and minimize operational, technical, and security risks. A greenfield company has done well if it has set up federated identity and least privilege access management policies in its cloud, virtual private cloud firewall rules, a properly configured web application firewall or API gateway, and logging and monitoring dashboards.
But while this may sound like extensive protection to the non-technical executive, it is the most basic coverage. For example, while logging and monitoring tools will alert you to an active threat event, it is still complex and time-consuming to determine the root cause of the incursion. Optimizing the basic security programs built into leading providers’ services is only step one to creating a “safe landing zone” for a tech company to conduct business securely.
Beyond the Baseline Security for a Safe Landing Zone
Cloud service providers expose first- and third-party security constructs at multiple layers, including storage, network, application and users. To achieve a “safe landing zone” to do business in the cloud, companies should address the gaps in the cloud providers’ baseline security to protect against certain vulnerabilities like SQL injection, cross-site scripting, DoS and brute force attacks. As previously mentioned, companies need more advanced logging and monitoring to be able to detect and analyze a threat event automatically and to measure and assess behaviors related to data, applications and infrastructure.
Growing tech companies that are new to the cloud may have plugged one or two pressing needs in their security but fall well short of a stout, comprehensive defensive posture. More advanced security postures include cloud armor to understand what’s going on from a web application firewall perspective and a security command center to aggregate different signals coming in from different places and be able to investigate them in depth.
Additionally, companies should appraise their cloud infrastructure and their software supply chain to find security gaps and to identify the weak points in the code itself where hackers discover loopholes. They should make sure all these security frameworks are institutionalized into the code base itself.
Assess and Reassess To Stay Ahead of the Increasing Complexity of Cloud Environments
As of 2022, 60% of all corporate data was stored in the cloud. Data breaches cost companies enormous sums of money in non-compliance penalties and business interruption, ruin corporate reputations, and damage trust with customers. The mass business exodus toward cloud computing means we must fortify our cloud security sooner rather than later. The time is now for tech companies to assess or reassess their cloud security postures.
Since cloud technology is enabling the scaling and improvement of other major technologies like IoT, AI, driverless cars, blockchain, and the Metaverse, the digital attack surface will continue to expand, creating more digital territory to defend. Compounding the complexity are the evolving trends toward multi-cloud and hybrid cloud models, increasing challenges in consistently managing configurations and governance.
Although tech companies and cloud providers are engaged in a shared responsibility model (customer’s responsibility + service provider’s responsibility), it is advantageous for company security leaders to approach cybersecurity as their sole responsibility to safeguard a company’s data and identities, devices and applications.