Content

The Five Pillars of Cloud Security

Five classical pillars on a computer, blur office background. 3d illustration

As more employees move to remote work, more of today’s business environment is shifting towards the cloud. Indeed, approximately 90% of companies use at least one cloud-based service.

While it brings great benefits, the cloud also brings challenges, including properly securing cloud-based assets. Cybercriminals are well-versed in corporate cloud usage and are successfully exploiting that knowledge. In the past year and a half, nearly 80% of companies suffered a cloud-based data breach. And attacks have hit everyone from the smallest companies to the biggest names, like Accenture, Yahoo, Facebook, and more.

Many companies are failing to adequately protect themselves in this shift to the cloud, as cloud security is more complex than simply applying existing on-premise security policies and protocols in a cloud environment. Moreover, companies cannot simply rely on their cloud providers to deal with security. Organizations need to understand their responsibilities for cloud security, the unique security strategies that come with the cloud, and the steps they should take to ensure they have the most secure environment possible.

Five Steps Every Organization Should Take to Strengthen Its Cloud-Based Systems

1) Know Your Responsibilities

It’s tempting to believe that because you obtain cloud services from an outside vendor the vendor has full responsibility for the security of those services. Unfortunately, nothing could be further from the truth.

Most cloud service providers employ a shared responsibility security paradigm. Your degree of responsibility depends on the type of services you employ and the degree to which you have transitioned services and data to the cloud. Responsibilities vary significantly from companies that solely use software-as-a-service (SaaS) and those that move to the cloud more fully, using infrastructure-as-a-service (IaaS).

While the levels of shared responsibility may differ from provider to provider, Microsoft Azure’s shared security chart offers one clear example of how responsibilities can be delineated.

Graphic showing Responsibility, SaaS, PaaS, IaaS, and on-prem

In this example, cloud customers always maintain responsibility for their data, devices, and users. But depending on the services, customers may also have responsibility for applications, network services, operating systems, and more.

Knowing what you must secure is the first step in creating effective cloud cybersecurity policies and programs.

2) Implement and Enforce Security Policies

Organizations must be diligent about adopting effective security policies, and they must be more than boilerplate examples that an organization copies off the internet. While policy templates can be an excellent starting point, companies must tailor their policies to their individual situations.

Crafting security policies requires consideration of how to build security into every facet of business workflows. Understanding principles like security-by-design and privacy-by-design, and ensuring corporate policies apply these principles, goes a long way towards creating a solid framework for company security programs.

Of course, policies can’t be effective if companies do not practice them on a regular basis or enforce them. Automation is one key component of enforcement, and companies should turn their written policies into self-executing practices. Policy-as-code is an important tool for companies looking to automate their security protocols.

With the proper policies and tools in place, companies can protect their systems, their data, their clients, and —as a result — their reputations.

3) Be Rigorous About Configurations

Cloud service misconfigurations are a primary source of attacks on corporate cloud systems. Studies indicate that between 65 and 70% of all cloud breaches arise from misconfigurations.

There are a range of common cloud service misconfigurations companies should be vigilant in remediating. Among these are:

  • Unrestricted inbound and outbound ports: When companies allow more open ports than necessary, hackers have easily exploitable opportunities for both infiltration and exfiltration.
  • Failing to manage ICMP properly: There is some debate about whether companies should always block the Internet Control Message Protocol (ICMP). But failure to manage and monitor ICMP creates a critical attack vector that hackers can exploit for malware insertion and DDoS attacks.
  • Poor secrets management, identity management, and access controls: This issue is so crucial and so often a problem that it warranted a separate section below.
  • Improper API management and documentation: Failure to properly distribute, manage, document, and control APIs in a cloud environment can create security blind spots in your system — vulnerabilities you can’t remediate because you don’t even know they exist.

In addition to generic cloud configuration issues, each cloud service has its own set of unique configuration issues. Just see the graph below of common misconfiguration of Amazon Web Services .

Bar chart showing common misconfiguration of Amazon Web Services. Instance in auto scaling group is at the top.

Companies must therefore be diligent about managing their cloud system configurations.

4) Be Careful With Access

Far too many companies make it easy for hackers to access corporate cloud environments by failing to proactively restrict access. Too many employees have access to too many systems and too much data.

Because it is still relatively simple for hackers to compromise user credentials, overly permissive access policies allow hackers broad access to corporate systems. And hackers seek out so-called “privileged accounts”—for example, accounts with access to the most sensitive corporate data or those with administrative access.

Corporate security policies should focus on restricting user access to the level necessary their role . Identity and access management controls, least access policies, and zero trust policies should be at the heart of every cloud security program.

In addition, companies must apply rigorous user authentication methods. In addition to requiring strong passwords, organizations must put additional authentication protocols, such as multi-factor authentication, in place.

5) Monitor Your Systems Closely

Once you have put security policies, protocols, and automated systems in action, it is time to make sure they are doing what you intend. Monitoring your cloud traffic for indications of problems and potential threats is, therefore, critical. Effective monitoring can help you identify if you have misconfigurations, if you have overly permissive access policies, and if hackers are attempting to insert malware into sensitive systems.

Many cloud service providers offer specific modules that provide visibility into cloud traffic. And there are also a range of third-party providers that can help you aggregate log data across hybrid and multi-cloud environments.

The best cloud traffic monitoring platforms use advanced tools like artificial intelligence and machine learning to convert massive amounts of traffic data into easily comprehensible and actionable insights. And as AI algorithms become even more advanced, security tools are becoming more accurate, with fewer false positives to distract security staff from important tasks.

Conclusion

Remote work is here to stay, and so are cloud business environments. Companies have the responsibility to secure theirs properly. By implementing the steps we’ve just discussed, you’ll be well on your way to doing just that.

Additional Resources


Guest blog courtesy of Arctic Wolf. Read more Arctic Wolf guest blogs here. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.

You can skip this ad in 5 seconds