With the rapid growth in public cloud adoption over the last several years, an extraordinary 96% of companies now leverage public cloud services such as AWS, Azure, or GCP to enhance business functions, according to Flexera’s 2020 State of the Cloud report. While you are probably familiar with some of the capabilities of the cloud and its overarching benefits, you may be less familiar with the subsequent security controls needed to protect those various offerings. Many individuals new to the cloud are not aware of the Shared Responsibility model, which outlines security responsibilities between the cloud provider and consumer. Unfortunately for consumers, there are still many security concerns to be aware of in the cloud despite the abstraction and third-party management of the underlying computing hardware.
A similar disconnect exists at the organizational level. The swift adoption of cloud services needed to compete in the market has resulted in security oversights. This is something the security industry has seen time and time again (e.g., corporate website development, database adoption). It is worth noting that even in those example cases, security issues still abound today, years after initial adoption. This explains why, in the latest State of Cloud Security report by Sophos, 96% of sampled organizations are concerned about their level of security in the cloud.
And their concerns are justified. An IDC research study revealed that 79% of surveyed companies suffered a cloud data breach between 2019 and the first half of 2020. And these are not just COVID-borne entrepreneurs spinning up Squarespace websites; breached organizations include Facebook, Instagram, and Capital One. Focusing on data breaches is often labeled as fearmongering, but these statistics simply demonstrate that organizations recognize both the need to invest in cloud security and the lack of controls they have in place because resources have been prioritized elsewhere.
Identifying Cloud Security Risk
So, if these companies know they have cloud security issues, why do the issues still exist? It is due to the same limiting factors that affect every business: budget, time, and talent. Cybersecurity programs are stretched across domains like IAM, SecOps, and AppSec to name a few, so adding dedicated resources and budget allocation for cloud security is often a challenging pitch to leadership.
Additionally, because cloud security is a relatively new space and often needs to be tailored by vendor, the required skillsets are often not available within an existing security team. Each of the three major vendors offers introductory training and certifications to acquire basic familiarity with the proper security protocols, but these endeavors still require money and time away from other responsibilities.
Knowing the security risks that exist within your organization can help you make a strong case for investment in cloud security. Demonstrating the impact these issues can have on your organization if not addressed can compel leadership to shift budget allocation and prioritize cloud security. The fastest, most reliable way to identify these risks is through a comprehensive cloud security assessment, performed either in-house (if the right skillsets are available) or by a third-party consultant.
When performing a cloud security assessment, there are a few key considerations to ensure your assessment has a lasting impact. Let’s take a look.
Unlocking the Value of your Cloud Security Assessment
Tailor your Assessment
Applying a standard or canned approach to assessing your cloud environment can lead to missed vulnerabilities and overlooked opportunities. If you’re using an industry framework or standard to evaluate your cloud environment, ensure you are adjusting it to fit every domain within your unique environment. If you’re working with an outside firm, have an in-depth discussion about their approach to assessing your environment. Standard assessments will likely cover areas like misconfiguration, access policies, logging, and encryption, but more tailored assessments should also look at niche domains such as serverless architecture at the application level. Tailored assessments ensure you have an accurate representation of your environment, not the average environment in your vertical.
Build an Actionable Roadmap
Identifying the issues only solves half the problem. A robust assessment provides actionable results. When considering an assessment provider, ask to see sample deliverables, so you can see if they simply offer a list of problems or if they provide a clear roadmap to remediation. In addition, the best firms can also provide expert support to help fix issues and continuously evaluate your program. This approach allows you to have better conversations with your leadership team. Instead of presenting a list of issues without solutions, you can come to them with an actionable plan, a clear ask, and options for executing the plan (e.g., external partner vs. in-house).
View your Assessment as an Opportunity
Organizations often mistakenly view assessments as something that highlights inadequacies and failures, instead of viewing them as opportunities. Your cloud security assessment should provide your organization with new opportunities for advancement. Perhaps the assessment uncovers a lack of skillsets on your team. Instead of viewing staff as inadequate, see this as a chance to advocate for training and help your team build new skills. Or maybe your evaluation shows a number of misconfigurations. Instead of positioning this as a failure, treat it as another opportunity for advancement. Your goal should always be progress, not perfection. As your cloud security program grows, it will get stronger, but first you must identify the opportunities for growth.
Moving Forward with your Cloud Security Assessment
Your organization’s journey to a secure cloud experience began when you adopted your first cloud solution. Whether you’re just getting started on your cloud journey or you’ve just lacked the resources to invest in cloud security, a cloud security assessment should be your starting point. Good cloud security assessments will provide you with a clear picture of your cloud security posture, an actionable roadmap to addressing risk, and ongoing value. These results will help you demonstrate the health of your cloud environment and advocate for additional investments if needed.
Focal Point specializes in cloud security assessments, helping the Fortune 500 and industry leaders build cloud security programs that protect their businesses and provide lasting value. After our team’s initial assessment effort, you will have a comprehensive cloud inventory, a roadmap for success with outlined, actionable initiatives, and a team of experts on-hand to help guide and act upon each one. Combined with a continuous delivery model of ongoing posture evaluations, you will receive an assessment delivery model that defies traditional consulting ideas.