A tendency toward excessive caution with cloud security seems to have swung too far in the opposite direction. There is a better way.
Exaggerated fears about cloud security can generate considerable costs in unnecessary spending and lost opportunities, but underestimating cloud risks is also ill-advised. In this article, we explain why taking a measured approach to cloud security is essential and outline ways organizations can minimize risk without sacrificing commercial opportunities.
A shift from overly cautious to borderline reckless
When the major providers launched their public cloud offerings in the first decade of the 21st century, businesses tinkered around the edges of the public cloud – experimenting but not committing entirely to the promise of the cloud. However, pressure to introduce digital capabilities made cloud-based infrastructures critical, and that pressure only intensified with the advent of the pandemic. Organizations amended their IT strategies to move an increasing share of their applications and data to public-cloud infrastructure and platforms.
Using the public cloud involves a shift away from the traditional cybersecurity models that many businesses have created over the years. Existing mechanisms were not designed to ensure secure configuration in the cloud or to function fast enough to capture the benefits of agility and speed that the cloud promises. This means that companies keen to capture value from the cloud must take on unfamiliar security architectures and processes to safeguard their cloud workloads.
Once the proper security structures are in place, cloud migration can accelerate business value for organizations, but they must ensure that the security practices they follow protect their critical data while harnessing the speed and agility the cloud can deliver.
During the early stages of cloud adoption, enterprises may have overestimated the risk involved. Cloud security breaches grabbed public attention, prompting some CIOs to limit business use of cloud services. However, the digital transformation imperative made it impossible to meet shifting business and market dynamics without using cloud platforms, so hesitancy bowed to commercial pressure.
As organizations increasingly move their workloads to the cloud, security breaches remain an issue. Indeed, the 2021 Verizon Data Breach Investigations Report (DBIR) revealed that cloud infrastructure is a factor in 73% of cybersecurity incidents. Contrary to what these findings might suggest, on-premises architecture is not more secure than the cloud.
Identifying the issue
Most breaches in the cloud stem from misconfiguration, not from attacks that undermine the basic cloud infrastructure. This underscores the importance of the underlying shared responsibility model between the cloud service provider and its customers. Whereas the provider takes care of securing the cloud components that underpin the cloud services it provides, the customer is accountable for how they use the cloud services. Customer responsibilities include correctly configuring identity and access management (IAM), storage and compute settings, threat analysis and defense, as well as securing the application and data they process and store in the cloud.
As cloud providers and cloud security solutions continue to mature and reinforce the security of cloud infrastructure, responsibility for cloud breaches shifts to the cloud customer and their approach to cloud security. Organizations accustomed to very different outsourcing arrangements will need to understand the new division of responsibilities and amend internal processes accordingly.
Gaps in security
The headlong rush toward the cloud, accelerated by the global pandemic, has surfaced shortcomings in security management: the imperative to be in the cloud without delay took precedence over consideration of the risks involved in migrating. As a result, many cloud migration and development projects haven’t focused sufficient attention on security dependencies before deployment, forcing teams to go back and fix issues afterwards.
There has been a disconnect among groups involved in development and migration, with little consistency in the security solutions each chooses. As a result, groups opt for the solutions they prefer without consulting a centralized governance group or coordinating with each other.
These vulnerabilities are something cybercriminals are working hard to exploit – with the potential for serious consequences. The coming years are likely to see more substantial and damaging data breaches. According to the 2022 Experian Data Breach Industry Forecast, big institutions remain highly vulnerable to attacks by cybercriminals, with a substantial amount of sensitive data remaining on company premises. Organizations need to be prepared.
The sweet spot between risk-averse and risk-tolerant
A data breach can obliterate revenue, efficiencies and reputation. But protecting against one should not hamstring an organization’s cloud initiatives. Excessive caution can lead to missed opportunities and wasted spending. Instead of worrying about unsubstantiated security threats in the cloud, organizations need to focus on whether they are using the cloud securely – particularly because many of their existing security practices and architectures may not work as well in the cloud. For example, on-premises solutions that track IP addresses and other traditional tooling are pointless for containers with a lifespan of mere minutes or seconds.
A well-planned cloud strategy that includes proactive, systemic risk management tactics can help organizations make sound decisions about their cloud use and how they can manage their exposure to risk without losing out on opportunities for growth.
Measures that help you pursue opportunities safely
The appropriate measurement and management of cloud risk is likely to remain a struggle for most organizations for years to come. Adopting an approach that reinforces security without undermining the benefits the cloud can bring involves a shift in thinking — from worrying about the intrinsic security of the cloud to ensuring the organization is using the cloud in a secure way.
Enlist top-down organizational support
Successful cloud security starts with backing and sponsorship from leadership. The strategy should be led at the executive level and informed by input from a broad spectrum of functions, including organizational management, finance, data architecture, product development, IT, security and QA. It is vital that everyone agrees on the importance of cloud computing for the business and rallies behind a proper policy and plan to manage it.
With executive guidance on cloud strategy, the organization can be far more supportive of the business and IT when it comes to requirement analysis, architectural planning and adaptable risk acceptance processes. CIOs then have a clear path on how to direct the use of public clouds, including the nature of the data to be placed in the public cloud and the circumstances of that data use.
Silos must be discouraged, with developers directed to work closely with security professionals. This helps developers know how to work securely in the cloud and enables security professionals to know that developers are implementing the safety measures they recommend. By fostering these kinds of close relationships early, organizations can start their cloud journeys on a secure footing, setting a foundation for the fast, safe delivery of products.
Formulate prudent risk management practices
Risk is always a factor when using public cloud services, and it would be foolhardy to overlook it. Business and IT need to have honest conversations to determine what level of risk the organization is willing to accept. These conversations must focus on the likely impact of a data breach, the probability of such a breach and what it would cost to recover.
They must also look at the chosen cloud provider’s capacity to support their level of risk appetite, keeping in mind the provider’s history of service disruptions and data breaches, their policies on data management and protection and how well their approach to security aligns with the organization’s own regulatory and legal obligations.
Stay on top of the cloud
By the end of 2025, 90% of the organizations that don’t control their public cloud use will share sensitive data improperly. This is a sobering statistic and highlights just how difficult it is to keep pace with your cloud use. Most organizations are exposed to unnecessary risk because of their level of unsanctioned public cloud use. This can be avoided with a modern cloud management platform that provides the cloud governance tools required to manage your public cloud environment successfully.
With most cloud security failures down to customer error, organizations need to strictly enforce their security policies, update them with lessons learned and maintain up-to-date certification and compliance standards. Companies need to know not just where their cloud assets and services are, but the status of those assets and services. It is important to leverage automation for configuration and security checks, with developers given access to highly automated security services via APIs for maximum efficiency.
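The automated configuration check described above, as an added illustration that is not DoiT's tooling or code from the original article: a small scanner that reads an inventory of customer-side settings (the storage and IAM responsibilities named earlier under the shared responsibility model), flags the misconfigurations most often behind cloud breaches (publicly accessible or unencrypted buckets, IAM statements that allow every action on every resource) and returns a verdict a deployment pipeline can gate on. The inventory format, bucket names, policy names and the "arn:example:..." resource string are all constructed for the example and are not any provider's real export shape; the pattern generalizes to whatever configuration source an organization actually has.

```python
"""Added example: automated misconfiguration check over a cloud inventory.

The inventory shape below is a constructed simplification, not a real
provider export. IAM statements use the Effect/Action/Resource layout common
to cloud policy documents; everything else is hypothetical.
"""
import json
from dataclasses import dataclass

# Constructed sample inventory: two buckets and two IAM policies.
SAMPLE_INVENTORY = json.dumps({
    "buckets": [
        {"name": "customer-exports", "public_access": True, "encryption": False},
        {"name": "internal-logs", "public_access": False, "encryption": True},
    ],
    "iam_policies": [
        {"name": "ci-deploy", "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        {"name": "read-logs", "Statement": [
            {"Effect": "Allow", "Action": ["logs:Get*"],
             "Resource": "arn:example:logs/*"}]},  # constructed placeholder ARN
    ],
})


@dataclass
class Finding:
    severity: str   # "HIGH" or "MEDIUM"
    resource: str   # bucket or policy name the finding applies to
    message: str


def check_buckets(buckets):
    """Flag storage misconfigurations: public exposure and missing encryption."""
    findings = []
    for bucket in buckets:
        if bucket.get("public_access"):
            findings.append(Finding("HIGH", bucket["name"], "bucket allows public access"))
        if not bucket.get("encryption"):
            findings.append(Finding("MEDIUM", bucket["name"], "bucket is not encrypted at rest"))
    return findings


def _as_list(value):
    """Policy documents allow a string or a list in Action/Resource; normalise."""
    return value if isinstance(value, list) else [value]


def check_iam_policies(policies):
    """Flag over-broad Allow statements (wildcard actions and/or resources)."""
    findings = []
    for policy in policies:
        for stmt in policy.get("Statement", []):
            if stmt.get("Effect") != "Allow":
                continue
            actions = _as_list(stmt.get("Action", []))
            resources = _as_list(stmt.get("Resource", []))
            if "*" in actions and "*" in resources:
                findings.append(Finding("HIGH", policy["name"],
                                        "statement grants all actions on all resources"))
            elif "*" in actions or any(a.endswith(":*") for a in actions):
                findings.append(Finding("MEDIUM", policy["name"],
                                        "statement grants wildcard actions"))
    return findings


def scan(inventory_json):
    """Run every check over a JSON inventory and return the combined findings."""
    inventory = json.loads(inventory_json)
    return (check_buckets(inventory.get("buckets", []))
            + check_iam_policies(inventory.get("iam_policies", [])))


def summarize(findings):
    """Count findings per severity, e.g. {"HIGH": 2, "MEDIUM": 1}."""
    counts = {}
    for finding in findings:
        counts[finding.severity] = counts.get(finding.severity, 0) + 1
    return counts


def deployment_allowed(findings):
    """Pipeline gate: block the deployment while any HIGH finding is open."""
    return not any(f.severity == "HIGH" for f in findings)


if __name__ == "__main__":
    results = scan(SAMPLE_INVENTORY)
    for finding in results:
        print(f"[{finding.severity}] {finding.resource}: {finding.message}")
    print("deploy:", "allowed" if deployment_allowed(results) else "blocked")
```

Running the block against the constructed inventory reports the public, unencrypted export bucket and the all-actions CI policy, leaves the read-only log policy alone, and blocks the deployment; wired into a CI step, the same `deployment_allowed` verdict is what lets teams catch these dependencies before deployment rather than going back to fix them later.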
Where the balance lies
It is natural to worry about the security of public cloud services, but exaggerating cloud risks can mean that opportunities pass you by. However, going too far in the opposite direction and underestimating the risk could be even more dangerous.
A properly researched risk management strategy is a vital element of any organization’s overall cloud strategy, helping to identify where public cloud use makes sense and what can be done to mitigate the risks involved.
If you are concerned about your organization’s stance on cloud security, a trusted partner like DoiT can conduct a cloud security review and provide recommendations that will ensure your safe and profitable cloud journey.