Mistakes happen. Yet when it comes to cloud security, even something that at first glance appears to be a relatively minor oversight or blunder can lead to utter devastation. Oopsie!
Getting a firm handle on cloud security includes learning what not to do. That sounds simple enough, but it’s surprising how many cloud adopters keep making the same blunders.
Organizations commit many different types of cloud security mistakes. Poor planning and shoddy strategies are often the cause. Cloud misconfigurations can also open the door to attackers.
Misconfigurations are extremely varied and can come from the customer as well as the cloud service provider, says Elias Miller, assistant solutions engineer at Carnegie Mellon University’s Software Engineering Institute. “Due to the cloud’s many facets and multiple individual components, which need proper configurations to create a secure cloud environment, a cloud implementation’s attack surface is massive and only gets larger when minor misconfigurations exist,” he explains.
Virtually every cloud implementation contains at least one misconfiguration, Miller notes. This fact, combined with the cloud’s ready accessibility, makes it especially important to build a resilient security culture. Adopting strong security methodologies, such as Zero Trust, can help ensure that strong security practices are followed during cloud migration as well as the development of cloud applications. “Mistakes will be made, so it’s imperative to be prepared for them,” he says.
Eyal Arazi, senior security solutions lead at cybersecurity technology company Radware, advises against using multiple application security tools across disparate public cloud platforms. “When you use multiple security tools in parallel, each has its own set of capabilities, security policies, management portals, and logging, so each works a bit differently,” he explains. This leads to inconsistent security policies, varying levels of protection for individual platforms, and disparate logging and reporting. “In essence, it means that the level of protection for each application and service is determined by the platform it resides in, not its threat profile.”
John Stevenson, managing director and cloud security lead with business consulting firm Protiviti, believes that many organizations flirt with danger by failing to adopt formal cloud governance policies. “It’s easy to say we should standardize based on NIST or CIS frameworks, but not instituting governance at a leadership level applicable to all cloud operations will generally sink the ship.” At minimum, cloud users should establish robust metrics to monitor the overall effectiveness of their governance strategy, he says. “But very few actually put it into practice.”
Organizations lacking standardization and automated patterns tend to court vulnerabilities in their cloud infrastructure and applications, observes Ravi Dhaval, a risk and financial advisory senior manager in the cloud security practice of business consulting firm Deloitte. “These vulnerabilities lead to late-stage remediation that can ultimately impact go-live dates for business imperatives.”
DevOps Research and Assessment (DORA) metrics can also be negatively impacted when deployments and change release frequencies are slowed down to resolve identified security issues, Dhaval says. “In turn, vulnerable infrastructure and applications are deployed into production cloud environments, which increases risk due to an insecure posture.”
Many cloud adopters manage their cloud platform security in the same way they handle on-premise or traditional on-location hosting. This can lead to huge problems, Stevenson says. “Managing access and identities is the most important and basic step to take, yet very few companies have comprehensive and effective programs,” he observes. “End-to-end encryption, including a strong key management strategy, should be included in every cloud deployment — yet it isn’t.”
Building a cloud strategy that’s aligned with overall business objectives can help focus the target operating model and the skills needed to sustain cloud growth, Dhaval says. “Additionally, standing up a Cloud Center of Excellence (CCoE) can help springboard cloud adoption and sustain cloud growth,” he notes. “It can do so by bringing together various parts of the organization to create well-defined roles and responsibilities, as well as enabling the automation of processes and capabilities.”
Dhaval suggests that streamlining DevSecOps tooling, processes and roles can help mitigate cloud security mistakes by “integrating security checks into the development pipeline via preventative guardrails — helping to limit new risk in production environments and accelerating cloud migrations.”
Team education is imperative, Miller states. “If practitioners don’t know how to take advantage or leverage security features, it will lead to insecure deployments and greater risk to the organization,” he explains. “Security is everyone’s responsibility, and it needs to be taught to everyone in the organization.”
Security is a culture and needs to be understood and practiced across all levels of an enterprise, Miller says. “The cloud is no different in that sense, and it’s essential to have a strong security presence to protect a business’ assets, reputation, and mission.”