The 2022 Thales Cloud Security Report reveals that 45% of businesses have experienced a cloud-based data breach or failed audit in the past 12 months, up 5% from the previous year, raising greater concerns regarding protecting sensitive data from cybercriminals.
We asked three industry experts how organizations can ensure they improve their cloud security.
Brian Grant, ANZ Director at Thales Cloud Security
The pandemic has accelerated Digital Transformation by three years on average, according to McKinsey. With every passing day, an increasing number of organizations are migrating their data and applications to the cloud for improved business flexibility and scalability. However, many are still navigating the complexity of the cloud ‘shared responsibility model’.
Shared responsibility in the cloud – Your data, their cloud
As the volume of data stored in the cloud has increased, so too has the number of cyberattacks and data breaches. While cloud service providers (CSPs) offer some native data protection, businesses are still responsible for protecting the security of their data, on-premises resources and the cloud components they control, as well as compliance with data regulations.
Ultimately, it’s your data, their cloud.
To minimize the impact of data security incidents, security and privacy regulations either mandate or recommend the adoption of data encryption.
Encryption and control
Merely encrypting sensitive data in the cloud is insufficient. The Cloud Security Alliance (CSA) and National Institute of Standards and Technology (NIST) recommend that cloud customers control their encryption keys and configure the key management components for cloud-based applications.
Managing both key lifecycles and data encryption is critical for ensuring confidentiality, integrity and availability of cloud data.
Cloud security challenges
When it comes to cloud adoption, the 2022 Thales Cloud Security Study reveals three major data security challenges:
1. Privacy and data protection is more complex in the cloud. Over 50% of organizations said that managing privacy and data protection was more complex in cloud environments.
2. Attacks on cloud data are increasing. Over a quarter of organizations saw an increase, not a decrease, in attacks on cloud data and applications.
3. Failed cloud audits and data breaches continue to rise. A growing number of organizations are failing security audits or reporting data breaches associated with their cloud platforms.
The right approach to cloud data security
Good data encryption and key security will mitigate risk when adopting a cloud-first policy. CSPs are responsible for the security ‘of’ the cloud, and organizations are responsible for securing their data ‘in’ the cloud. Five tips for organizations include:
- Classify cloud data to identify sensitive data that needs protection
- Apply encryption to sensitive data to obfuscate it from unauthorized users or processes
- Impose access control over who, what, where and when data is written to or read
- Retain control over, and ensure redundancy of, encryption keys
- Enforce separation of duties between users of data and those securing it
Cloud services enable organizations to transform at an accelerated rate. Yet we have a social responsibility to people and organizations that work with us to secure their sensitive data.
Dean Houari, Director of Security Technology and Strategy, APJ at Akamai Technologies
The COVID-19 pandemic has been a catalyst for the Digital Transformation of companies across all industries and established the value of the cloud. With lockdowns creating a remote workforce and changing how consumers shop, the scalability and Business Continuity of the cloud have allowed for a quick and seamless transition.
This increase in remote access and online presence of businesses significantly expanded the size of the attack surface. Akamai recorded over five billion web attacks in a single quarter, two billion more than the previous quarter.
The shift from an on-prem to a hybrid or multi-cloud architecture and the rise of cloud-native application workloads shows that the traditional enterprise and cloud data center security perimeter defenses are no longer enough.
Adopt a Zero Trust security approach
A new security model is needed to effectively secure this new attack surface. Zero Trust changes security from ‘Trust and verify’ to ‘Never trust and always verify’. Every user, device and application is now a potential threat.
Zero Trust is a framework that uses different technologies to ensure network trust and thwart malicious attacks. It provides secure access to applications and reduces complexity.
Below are five steps organizations can take towards adopting a Zero Trust model:
- Know what Zero Trust means – Authenticate and authorize every person and device before any access and data transfer regardless of its location. This entails moving beyond passwords to multi-factor authentication as well as verifying the device, its location and behavior.
- Identify what you need to protect – Visibility to all assets is essential and this includes a range of data from customer, employee, financial, application business process and intellectual property as well as data from IoT devices.
- Design your network from the inside out – Software-defined micro-segmentation can quickly segment environments and applications to mitigate breaches and ransomware attacks.
- Log all traffic – Real-time analysis of traffic logs can help identify cyberattacks as the data that is collected can help create a feedback loop that makes your network stronger over time.
- Be in it for the long haul – Zero Trust is an ongoing journey. Start small and select one system to use as a test case while ensuring that you have all the controls, logging and monitoring in place. Once this is done successfully, move on to the next system.
Peter Marelas, New Relic Chief Architect, Asia Pacific and Japan
There was once a perception that on-premise data centers were more secure than the public cloud because they’re not ‘open to the public’. However, if you look at big cloud providers like Microsoft Azure, AWS and Google Cloud, they’ve invested heavily in the security posture of their platforms, as security (or lack thereof) can make or break an organization’s reputation.
Early cloud configurations allowed the public to access a customer’s cloud resources for the sake of convenience, and it was up to the customer to alter security provisions. As demand for cloud increased, it attracted threat actors, and cloud providers learnt the hard way that sometimes, customers need to be protected from themselves.
To combat this, they enforced strict policies like the principle of least privilege. This simple evolution – coupled with a strong focus on risk profiling, automation and software maintenance – has helped to keep cloud platforms incredibly secure.
However, the nature of software development means that organizations are always going to contend with some level of risk; there are always going to be situations where engineers’ actions can result in security vulnerabilities.
While there are a number of things that organizations can do to improve their cloud security posture, such as multi-factor authentication, account isolation and adequate monitoring of their cloud environments, security literacy and advocacy within the engineering organization is one of the most important factors.
By developing and fostering a security mindset among engineering teams (and the wider organization), businesses can significantly limit their exposure to cloud security risks.
There’s an assumption that some engineers don’t have a view on how their actions impact a company’s security because they just want to code and produce great software, but by embedding security signals into the engineering teams’ day-to-day operations, this mindset can be shifted so potential risks are addressed early on.
A really effective way of tackling these potential vulnerabilities is through observability. With the right observability platform, engineers are informed where potential security vulnerabilities exist so they can properly understand the risk profile associated with their actions.
This is achieved by aggregating existing security signals from integrated security vendors’ solutions, and correlating them with telemetry data generated by the observability platform.
Centralizing and correlating these sources of data allows engineers to understand the risk profile and surface area as it relates to production and pre-production environments.
Incorporating these principles across the entire stack and at every stage of the software development lifecycle (SDLC) enables engineers to play a role in securing the company’s assets, and prevent security issues leaking into production environments.
Making security less of a chore by instilling it into the engineers’ day-to-day activities via a unified platform is a great way to reduce potential vulnerabilities, and speed up deployments because teams have all of the data they need to make informed decisions and limit risk.