For years now, organizations have resisted moving key enterprise systems to the cloud because of their concerns around cloud security. However, the idea that cloud offerings like IaaS, SaaS, and PaaS lack strong security controls is myth. In fact, Gartner posits that public cloud service providers (CSPs) are even more secure than traditional in-house implementations. Instead of tailoring their products to organizational structures, applications, policies, and politics, cloud products are designed to meet rigorous security standards like ISO 27001, SOC 2, and FedRAMP.
But while these products are often built with strong security controls, human configuration of these tools still creates risk. Gartner estimates that 99% of cloud security failures through 2025 will be customers’ fault. Customizing cloud systems and applications – a necessary step for many integrations – alters the security of the product, exposing organizations to new risks, if not managed properly.
The first step in assessing and managing cloud security is evaluating the tools (e.g., automation scripts, APIs, third parties, VPCs) that are used to generate and provide cloud resources to your users. In this post, we’ll look at the three most critical cloud security risks facing businesses today and how to address them.
Risk 1: Management Plane Security
It makes sense that the most critical area to secure is the control center: the management plane. But maintaining management plane security is a tough challenge. The management plane configures, monitors, and, of course, controls the entire environment. This is where configurations are made and managed and also where cloud security risk germinates. Let’s look at some areas within the management plane that can impact cloud security.
The Perils of Application Programming Interfaces (API) Configuration
APIs give cloud customers the ability to customize their cloud experience and integrate cloud products with other applications. Leveraging APIs is a critical part of making a cloud service useful to the business.
However, APIs are also a source of great risk. They open a communication channel between products, which can expose your platform to security threats. Essentially, your applications are only as secure as the applications connected to them. And even between trustworthy connections, you need strong authentication, authorization, logging, and monitoring controls to maintain API security.
Securing your API environment begins with frequent communication with your application stakeholders. Start by understanding which tools they need to integrate with your cloud platform and then dive into the risks associated with each. In addition, API configurations regularly change with application updates. API updates should follow established change-management procedures, involving key stakeholders (including the security team) and performing regular API configuration reviews. Adhering to a formal change management process for API updates helps ensure an expanding API environment remains secure against new and existing threats.
Limiting User Error through Identity and Access Management (IAM)
Weak identity, credential, and access management continues to plague businesses. Only 28% of U.S. organizations have implemented multi-factor authentication (MFA), and the 2019 Verizon Data Breach Investigations Report found that 80% of hacking-related breaches were the result of stolen or reused credentials.
While cyber awareness training can help address these issues to some degree, the reality is employees will still share passwords, use unapproved software, and download unauthorized content onto work devices. The only effective way to address this risk is through IAM. Limiting access to critical layers of your cloud platform, like the management plane, to trusted, privileged users is the only way to keep malicious actors out. Regular IAM assessments are critical to evaluating your IAM efforts and identifying opportunities for improvement.
Securing Your Virtual World: Software Defined Networking (SDN)
Virtual private clouds (VPC) like Amazon VPC have made software defined networking (SDN) popular among many cloud-forward companies. Using a VPC, organizations can provision a logically isolated section of their cloud platform to launch cloud resources in a virtual network they control and define. VPCs provide complete control over these virtual networking environments, including IP address selection, subnet creation, and route table and network gateway configuration.
However, as with APIs, with great customization comes great responsibility. Companies that choose to leverage VPCs for SDN must routinely assess these environments to ensure strong security and access controls are in place and operating effectively.
Risk 2: Data Security
Data security continues to be one of the biggest challenges facing cloud customers. The first step in protecting your enterprise, employee, and customer data is establishing strong, cloud-specific policies that govern data security.
Leverage Container Storage Policy Tools
Container usage took the globe by storm a few years ago, their ease of use and portability making them incredibly popular. But as their novelty has worn off, companies have turned their attention to the security risks they pose. The key to securing containers and the valuable data stored in them is strong governance. Cloud platforms like Amazon AWS provide organizations with a litany of tools that allow them to establish strong access management policies. Let’s take a look:
- IAM Policies. IAM policies manage who has access to what data and when, giving organizations a centralized way to apply permissions across their cloud platform. IAM ensures that the principle of least privilege is applied across buckets and objects and only grants the necessary permissions, keeping your data in the right hands.
- Bucket Policies. Bucket policies are data-centric policies that guard your buckets and the object keys within them. When a user in your organization needs access to a specific data set, you can use bucket policies to control permissions for the bucket storing this information. Bucket policies can make the data in a bucket read-only, control key lifecycle, manage versioning, and more.
- Access Control Lists (ACLs). ACLs allow you to make very granular changes to broader policies and tools, like IAM and bucket policies, when needed. But proceed with caution. Making changes to ACLs can put your organization at serious risk if done incorrectly. Changes to ACLs should be made sparingly and reviewed regularly to ensure they are still required.
- Query String Authentication/URL-based Access. Query string authentication and URL-based access let you grant permissions based on a specific URL and are perfect in scenarios where you need to grant one-time access. These methods are typically used in two ways: 1) to allow a user to upload a key to a bucket or 2) to provide temporary access to a specific key.
No matter how strong your policies are or how smart your initial configuration is, regular, thorough access reviews are the cornerstone of secure access. While cloud tools like AWS give you a host of permissions tools (IAM, ACLs, and bucket policies), you need to regularly review all access changes and update accordingly.
Being a Good Neighbor: Addressing Multitenancy Risk
Multitenancy has become such a common practice among cloud vendors and customers that many no longer consider it a risk. Sharing application, computing, and network resources in a single cloud environment allows organizations to increase computing speed, use resources more efficiently, and boost business agility. And cloud vendors take great care to ensure customers’ workloads are completely isolated from one another.
However, when tenants begin to customize configurations within their cloud space, they can inadvertently expose their workloads to other tenants, or even worse, open other tenants to outside risk. Features like privileged access management, access logging and analysis, and workload boundary enforcement are important considerations when selecting a multitenant CSP. These help your organization strictly define where your workload can run and prevent unauthorized communications and access.
The Dangers of Incomplete Data Deletion
While cloud products can simplify many processes, data deletion is not one of them. In fact, data deletion is typically a more complicated, riskier process in a cloud environment. It is difficult for organizations to understand where their data is physically stored in the cloud, making secure deletion a challenge. This is further complicated in a multitenant environment, because this data may be located in several different storage devices across the platform. On top of it all, deletion processes vary by CSP, creating another hurdle between you and secure data deletion.
The inability to securely and completely delete data leaves companies unable to verify that leftover data is not available to hackers and creates greater compliance risks, as laws like the GDPR and CCPA give consumers more control over their data.
Risk 3: Third-Party Management
As with any third party your organization chooses to work with, CSPs come with their own set of risks that can have a serious impact on your organization if not addressed.
Avoiding Vendor Lock-In
Vendor lock-in occurs when the cost of moving to a different CSP is so high that an organization is forced to stay with its current vendor. Unfortunately, this is a pretty common issue with serious implications:
- The quality of service may decline
- Changes to service offerings may alter capabilities so they no longer meet your needs
- The CSP may go out of business
- Prices may increase once the vendor knows you are locked in
The best way to mitigate this risk is to minimize your reliance on your CSP. Achieve this by 1) making sure your data is highly portable, 2) keeping internal backups, and 3) setting up a multi-cloud environment. These measures make it easier to move your data to a new environment, minimize migration costs, and help reduce your dependency on a single vendor. In addition, putting a clear exit strategy in your cloud service level agreements (SLAs) can help you avoid lock-ins.
Setting Up Service Level Agreements (SLAs)
SLAs are critical to the security of your cloud environment. SLAs determine everything from mean time between failures (MTBF) to privacy measures and should be tailored to your business’s unique needs and risks. However, with multiple business functions soliciting cloud services from different vendors, it can be extremely difficult to ensure the universal application of strong SLAs, putting your data at serious risk. The keys to establishing strong, secure SLAs are 1) involving cybersecurity leadership in all SLA conversations and 2) tying defined financial consequences to SLAs to hold your CSP accountable to your agreements.
Managing the CSP Supply Chain
When you select a CSP, you may be choosing to work with more than one organization. A number of CSPs outsource pieces of their infrastructure, operations, and maintenance to third parties, who may or may not meet your security requirements. During the contracting process, it’s important to talk to your CSP about what functions they outsource, what security standards they require their third parties to meet, and how they enforce compliance.
Ensuring Data Availability
One of the scariest parts of trusting a CSP with your data is the issue of data availability. Platform outages, platform maintenance, platform migrations can all limit your ability to access your data. While the reasons may vary, one thing remains the same: your organization is unable to access the information it relies on to do business, and you are totally dependent on the CSP team to fix it. The good news is there are ways to mitigate this risk. First, when drafting your SLAs, make sure to tie financial consequences to essential services like mean time to repair (MTTR), MTBF, read request timing, and number of retries. In addition, taking the precautions we recommended around vendor lock-in can help improve data availability in the event of a cloud migration or an extended service outage.
Building Cloud Governance
A Forrester study found that 67% of respondents migrated to the cloud “by accident,” meaning they were experimenting with cloud solutions and then evolved that test environment into a full production environment. This means that only a third of respondents actually had cloud governance policies in place before making the move to the cloud. When migrating from an on-premise infrastructure to a cloud environment, the bulk of your governance controls will be rendered ineffective, impacting performance management, risk exposure, value delivery, and strategic alignment.
The solution here seems simple: be intentional in your migration and take time to build a cloud-specific governance structure. But, as demonstrated in the Forrester study, this is easier said than done. However, better late than never certainly rings true here. If your organization made an “accidental” move to the cloud, taking the time now to build a unified governance program, covering both on-prem and cloud operations, will help you achieve compliance and reap the full value of your platform.
Cloud security fears have held a number of organizations back from the opportunities and benefits provided by the cloud. The answer to this fear isn’t boycotting the cloud, but instead understanding the central sources of cloud risk and how to address them. As discussed above, limiting customization to necessary changes, involving the security team in cloud integration and management, monitoring access controls and policies, and managing strong third-party relationships can help you reduce cloud risk, while still reaping the financial and operational benefits of moving to the cloud.
Focal Point specializes in helping organizations build cloud strategies, implement cloud solutions, assess and improve cloud security, and manage cloud compliance. Learn more about how we can help or connect an expert below.
Want more risk management insights in your inbox?
Subscribe to Focal Point's Risk Rundown below - a once-a-month newsletter with templates, webinars, interesting white papers, and news you may have missed. Thousands of your colleagues and competitors have signed up! You can unsubscribe at any time.