Cloud security management explained
Cloud security involves the use of solutions, processes, policies, and people to help protect an organization’s data and applications residing in cloud computing environments. Both public and private cloud environments can require the same security measures as any on-premises IT network, or more.
Cloud computing security issues and risks
Cloud computing shares some security concerns with on-premises environments. But several unique security issues plague cloud computing environments, increasing the threat surface and, therefore, risk:
Reduced visibility – There is an increasing cybersecurity risk due to the nature of the cloud (where a provider owns and manages the underlying infrastructure) as well as the cloud’s exposure to the Internet. Whether it’s data breaches, malicious access to the environment, or operational disruption, the nature of the cloud can create lowered visibility and control that can make it more susceptible to malicious actions.
Lack of a perimeter – A traditional on-premises network has a logical perimeter, defined at the firewall. But with the cloud, the perimeter is extended not just out to your cloud-hosted applications or data, but to wherever the endpoints exist, be it a remote office or the local coffee shop. Without a perimeter, attackers use that accessibility to take advantage of any weaknesses in application, endpoint, or user security.
The cloud is continually changing – A key benefit of the cloud is the ability to quickly spin up and down services, virtual machines, storage, and applications. Traditionally, on-premises security is relatively static in nature. Cloud computing security needs to be responsive to the dynamic environment of the cloud, so that security is in place with each change made in the cloud.
Cloud security is data and identity-centric – Traditional on-premises environments used the logical perimeter as a primary defense. Given the exposed nature of the cloud, cloud security needs to shift its focus to protecting data and any use of user credentials to authenticate.
Shared responsibility – Many cloud providers subscribe to the shared responsibility model where the cloud service provider (CSP) takes responsibility for parts of the environment. For example, CSPs take care of the underlying infrastructure, and the customer is responsible for the applications and data that reside on that infrastructure. The same is true for cloud security—most CSPs take responsibility for security of the infrastructure, but the customer is responsible for any operating system, application, and data-level security controls. Knowing which parts of cloud security are yours to address will be essential to see to it that the entire environment is highly secured.
Cloud security best practices
It is possible to protect your cloud infrastructure. But it’s going to take continual focus and stronger controls to keep every aspect of your cloud environment properly safeguarded. To assist, here are eight cloud security best practices:
Understand your cloud security responsibilities
In an on-premises environment, the organization is solely responsible for all security measures. But in the cloud, the CSP takes on responsibility for some parts of IT security. The often-used “shared responsibility” concept provides an excellent example of where the customer and the CSP should draw the line. In general, the CSP is responsible for physical security (as in protecting their data center), but the remainder of the responsibility depends entirely on what service the customer organization is utilizing.
Determine what security the cloud provider can offer
Despite the shared responsibility model, larger CSPs realize the need to provide customers with security solutions already integrated into the CSP’s platform. For example, Microsoft Azure offers a wide range of solutions – VPN, encryption, continuous monitoring, identity and access management, vulnerability management, and more are all available to customers as their solutions of choice.
Put users through security awareness training
The easiest way to gain access is to fool a user into clicking on malicious content found in email or on the web. To prevent attackers from gaining access to cloud computing services, organizations need to educate users and developers on the need to incorporate good security hygiene into their everyday work, as well as on the tactics and methods used by attackers to trick users. A security-aware user in the cloud is one who reduces the threat surface for the organization.
Use constant data encryption
Encryption ensures that only approved eyes ever see valuable or sensitive data within the cloud. So, your cloud security strategy needs to include encryption of data both in transit (e.g., SSL encryption) and while at rest within cloud storage. Many CSPs offer integrated encryption and key management services. Be sure to employ encryption that does not put a burden on the user when needing to encrypt or decrypt.
Don’t forget compliance mandates
Organizations in industries and geographies that are subject to compliance regulations (such as healthcare and financial services or businesses servicing the European Union) face massive fines should they fail to maintain the security of customer data. Newer regulations provide specific guidance around the protection and availability of protected data. Before implementing new cloud services, understand the security needs around workloads dealing with protected data sets.
Protect identity
Threat actors attempt to gain access to cloud-based applications and data using simple social engineering tactics in phishing emails. All it takes is tricking a user into thinking they are logging into a cloud application using an attacker-controlled simulated login page. By implementing an identity and access management (IAM) solution, along with the use of multi-factor authentication, organizations can significantly reduce – and perhaps eliminate – the ability for threat actors to gain access to the cloud environment.
Protect every endpoint
Any-time, any-device, any-location access to cloud workloads is a security challenge. In addition to placing security controls within the cloud, implement a security strategy to ensure that every endpoint that can access your cloud environment has a minimum amount of endpoint security in place. Firewall, endpoint protection, anti-malware, and VPN are probably a good starting point for a discussion around what controls should exist on any device that connects to your cloud.
Act like an attacker
Phishing attacks remain the number one means by which malware enters an environment. Performing regular phishing testing against users helps organizations recognize where their weak links are within their user base. Users failing phishing tests should receive additional security awareness training. Additionally, many CSPs allow some form of penetration testing against your cloud workloads. Performing regular penetration testing helps organizations to understand whether the current controls in place are adequate to stop attacks that don’t involve phishing.
This document is provided as a general informational overview. Mention of third-party products or services is not an endorsement of the same.