How to face the new cloud security challenges?
Cloud computing, once something that only geeks talked about in hushed tones, now dominates our IT infrastructures. This dominance is exemplified by the market size for Software-as-a-Service (SaaS) which is estimated to be worth around $185.8 billion by 2024.
When you change how your business operates, cybercriminals change the way they work too. Hence, the Cloud cybersecurity market will be pulled along with our love of Cloud apps and web servers, to the tune of $12.6 billion by 2024.
Using a Cloud-based infrastructure to host and utilize applications has opened up a whole new kettle of security phish. The Cloud facilitates the flow of data across multiple apps and jurisdictions. According to analysts from IDG, 76 percent of enterprises now have at least one application or some of their computing infrastructure in the Cloud.
Research by Oracle has shown a number of Cloud-based security issues surfacing.
This includes shadow IT, where unauthorized devices and file-sharing apps are used (93 percent of organizations have concerns about this). And over 50 percent of organizations are concerned about the security controls and misconfiguration of Cloud apps and servers.
One way that we can keep ahead of the security concerns of Cloud computing is to turn to the Open Web Application Security Project (OWASP). OWASP generates a regular list of ‘Top Ten Cloud Security Risks’. In this article, we will explore each of the ten security risks when using a Cloud-based infrastructure.
OWASP has been around since 2001. It is a community-driven, not-for-profit organization.
OWASP works to build a knowledge-base, including tools and security intelligence across the Cloud technology space. OWASP manages a document and forum space that is open and free to all. They create regular ‘top ten’ lists of issues in a number of key areas including Cloud, web applications, the Internet of Things (IoT) and mobile apps.
Below is the current Top Ten Cloud Security Risks from OWASP with some mitigations to help stem the tide of Cloud-based security threats.
Using a third party to store and transmit data adds a new layer of risk.
Cloud service providers also often operate across geographical jurisdictions. Data protection regulations such as the General Data Protection Regulation (GDPR) require that data processors, as well as data controllers, meet the requirements of the regulation. It is important to ensure accountability for data protection, including recovery and backup, with any third-party Cloud providers you use.
Mitigating the risks: Vendor risk management and accountability are the way to manage this issue. The Cloud vendor should have a set of security policies which you can map to your own, to ensure compatibility with your industry standards in data protection.
This should include the Cloud vendor's use of technologies like robust authentication, encryption, and disaster recovery policies.
Digital identity is a key part of cybersecurity. It controls vital areas such as privileged access to sensitive resources.
As enterprises increase their use of Cloud apps and have data stored across Cloud services, control of access through identity management is crucial. OWASP suggests using Security Assertion Markup Language (SAML) as the underlying identity protocol to federate across Cloud apps and providers. However, OpenID Connect could also provide a mechanism for federation.
Mitigating the risks: Implement a modern identity service or platform to provide robust, persistent, verified identity controls. Use this as a basis for controlling access to resources using a privileged access model.
OWASP points out the issues of meeting compliance across geographical jurisdictions. For example, if your organization is based in Europe but you use a U.S. Cloud provider, then it might be difficult to map the compliance requirements of EU-centric data protection, and vice versa.
Mitigating the risks: Use a Cloud vendor who understands and applies solutions for the various data protection laws. They should also know how to handle cross-jurisdiction data protection requirements.
Outsourcing your IT infrastructure to a third-party Cloud provider increases the risk to business continuity for the simple reason that the infrastructure is outside your control. An outage of Cloud services can have serious repercussions for a business. When Amazon went down for 13 minutes, they lost an estimated $2,646,501.
Mitigating the risks: You need to make sure that your Service Level Agreements (SLAs) cover data resilience, protection, privacy, and that the vendor has a robust disaster recovery process in place.
Once data enters the Cloud realm, it is much more difficult to control across its life cycle.
For example, social media sites can be difficult to manage, often defaulting to ‘share all’. Mining that data for secondary use in targeted ads is a privacy risk.
Mitigating the risks: This can be a very difficult risk to mitigate. Security awareness training is one non-technical approach that can help to reduce the exposure of personal data. Compliance frameworks like GDPR would expect an organization to perform a Data Protection Impact Assessment (DPIA) which extends to their Cloud vendor.
Other approaches such as 24/7 monitoring, encryption technologies, and multi-factor authentication can help augment privacy.
The safe transmission of data is a particular risk in Cloud computing models where it is transmitted over the internet.
Mitigating the risks: Transport Layer Security (TLS), the successor to the older Secure Sockets Layer (SSL), should be a fundamental protocol used by your Cloud vendor. These protocols, built on encryption and certificate-based authentication of the server, allow the safe movement of data across an Internet connection.
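What "use TLS" should mean in practice on the client side is certificate verification, hostname checking and a modern protocol floor. The following is an added example, not code from the original article or from OWASP: it builds the weak configuration that is often found in integration code next to the hardened one, and audits any Python `ssl.SSLContext` for those three settings. The `probe` helper, the finding strings and the host name in the usage line are assumptions of this example.

```python
import socket
import ssl


def weak_context():
    """The pattern to avoid: no hostname check, no certificate verification,
    and whatever protocol floor the TLS library still allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context():
    """Verify the server certificate against the system trust store, check the
    hostname against it, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of findings for a client context; empty means it passes."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor allows TLS 1.1 or older")
    return findings


def probe(host, port=443, ctx=None, timeout=5.0):
    """Handshake with a live endpoint and report the negotiated protocol
    version and cipher. Needs network access, so it is not part of the
    offline checks; it raises ssl.SSLError if the hardened context rejects
    the server (bad certificate, wrong hostname, old protocol)."""
    ctx = ctx or hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"version": tls.version(), "cipher": tls.cipher()[0]}


if __name__ == "__main__":
    print("weak context findings:    ", audit_context(weak_context()))
    print("hardened context findings:", audit_context(hardened_context()))
    # Live check against a vendor endpoint (placeholder host):
    # print(probe("cloud-vendor.example"))
```

The audit is deliberately limited to the three settings that turn TLS into plain encryption-without-authentication when they are wrong; cipher suite policy is left to the library defaults, which `create_default_context()` already restricts.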
Cost savings often dictate that Cloud servers are used in a multi-tenancy setup.
This means that you will share server resources and other services with one or more additional companies. Security in multi-tenancy environments is focused on the logical rather than the physical segregation of resources. The aim is to prevent other tenants from impacting the confidentiality, integrity and availability of your data.
Mitigating the risks: If you are in a multi-tenancy agreement there are some ways you can mitigate the risk of sharing your Cloud space with others. Starting with good design, your Cloud vendor can configure the server for logical separation.
The system can also have an architecture built for isolation so that a quarantined virtual infrastructure is created for each tenant. Technologies like encryption also help to prevent data exposure.
If a data breach occurs, you must understand how to identify and manage critical vulnerabilities so you can respond to the incident as quickly and effectively as possible. Cloud computing can make the forensic analysis of security incidents more difficult, because audit trails and events may be logged to data centers across multiple jurisdictions.
Mitigating the risks: Check your Cloud vendor's policy on handling, evaluating and correlating event logs across jurisdictions. Do they have technologies in place, such as virtual machine imaging, to help in the forensic analysis of security incidents?
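The first obstacle to correlating logs from several regions is that each data center stamps events on its own clock. The following is an added example, not from the original article: it takes constructed log lines from two regions, normalizes every timestamp to UTC, merges them into one timeline and then runs a simple detection over the result (the same user logging in from two regions within a short window). The region names, log format, user and IP values are all made up for the example.

```python
from datetime import datetime, timezone

# Constructed sample logs: one list per region, timestamps in local offsets.
SAMPLE_LOGS = {
    "eu-west": [
        "2023-05-04T10:02:11+02:00 user=alice action=login result=ok src=203.0.113.7",
        "2023-05-04T10:02:40+02:00 user=alice action=download object=payroll.csv",
    ],
    "us-east": [
        "2023-05-04T04:02:25-04:00 user=alice action=login result=ok src=198.51.100.9",
    ],
}


def parse_line(region, line):
    """Parse '<iso-timestamp> k=v k=v ...' into a dict with the time in UTC."""
    ts_text, _, rest = line.partition(" ")
    ts_utc = datetime.fromisoformat(ts_text).astimezone(timezone.utc)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["region"] = region
    fields["ts_utc"] = ts_utc
    return fields


def build_timeline(logs):
    """Merge all regions into one list ordered by UTC time."""
    events = [parse_line(region, line) for region, lines in logs.items() for line in lines]
    return sorted(events, key=lambda e: e["ts_utc"])


def concurrent_logins(timeline, window_seconds=120):
    """Flag a user whose consecutive logins come from different regions within
    the window. Returns (user, earlier_region, later_region, gap_in_seconds)."""
    alerts = []
    last_login = {}
    for event in timeline:
        if event.get("action") != "login":
            continue
        previous = last_login.get(event["user"])
        if previous is not None and previous["region"] != event["region"]:
            gap = (event["ts_utc"] - previous["ts_utc"]).total_seconds()
            if gap <= window_seconds:
                alerts.append((event["user"], previous["region"], event["region"], int(gap)))
        last_login[event["user"]] = event
    return alerts


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_LOGS)
    for event in timeline:
        print(event["ts_utc"].isoformat(), event["region"], event["user"], event["action"])
    print("alerts:", concurrent_logins(timeline))
```

Read in local time the two logins look nine hours apart; on one clock they are fourteen seconds apart, which is the kind of signal that is lost when each jurisdiction's logs are reviewed separately.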
This covers the entire gamut of how to harden the attack surface of a Cloud infrastructure. It includes configuring tiers and security zones as well as ensuring the use of pre-established network and application protocols. It also includes regular risk assessments with updates to cover new issues.
Mitigating the risks: Put in place various measures to improve general security. For example, privileged access management using robust authentication, secure configuration of server and services, and tiered architecture.
A cloud cybersecurity assessment can also be helpful to understand your cloud cybersecurity posture, get strategic Cloud security recommendations and secure your critical assets before, during or after Cloud migration.
Risks need to be accounted for across the entire life cycle of application development and implementation. This includes pre-production environments where design and test activities occur. Because these environments may have less stringent security applied, they may well open up security and privacy risks.
Mitigating the risks: In test environments, avoid using real or sensitive data. Ensure that individuals working on the pre-production system have privileged access security measures in place. Make sure to leverage the concept of ‘privacy by design’ by implementing appropriate technical and organizational measures as well as effective data protection principles through the entire project lifecycle.
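One concrete way to keep real data out of pre-production is to pseudonymize it on the way out of production: personal fields are replaced by keyed hashes, so the test data set still has consistent identities (the same customer maps to the same pseudonym everywhere, keeping joins intact) but carries none of the original values. This is an added example, not code from the original article or from OWASP; the field names, record layout and key are constructed for it.

```python
import hashlib
import hmac
import json

# Fields treated as personal data in this example's records (assumption).
PII_FIELDS = {"email", "name", "phone"}

# Constructed sample export; in practice this would come from production.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com", "phone": "+1-555-0100", "plan": "pro"},
    {"id": 2, "name": "Bob Example", "email": "bob@example.com", "phone": None, "plan": "free"},
    {"id": 3, "name": "Alice Example", "email": "alice@example.com", "phone": "+1-555-0100", "plan": "pro"},
]


def pseudonymize_value(field, value, key):
    """Keyed, deterministic replacement. The key stays in production; without
    it the pseudonyms cannot be reversed or recomputed from the test system."""
    digest = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:16]
    if field == "email":
        # Keep a valid address shape so email validation in tests still passes.
        return f"user-{digest}@example.test"
    return f"{field}-{digest}"


def pseudonymize_record(record, key, pii_fields=PII_FIELDS):
    out = {}
    for field, value in record.items():
        if field in pii_fields and value is not None:
            out[field] = pseudonymize_value(field, value, key)
        else:
            out[field] = value
    return out


def pseudonymize_dataset(records, key, pii_fields=PII_FIELDS):
    return [pseudonymize_record(r, key, pii_fields) for r in records]


def leaks_original_values(original, pseudonymized, pii_fields=PII_FIELDS):
    """Guard for the export job: True if any original personal value survives."""
    blob = json.dumps(pseudonymized)
    for record in original:
        for field in pii_fields:
            value = record.get(field)
            if value is not None and str(value) in blob:
                return True
    return False


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"
    export = pseudonymize_dataset(SAMPLE_RECORDS, key)
    print(json.dumps(export, indent=2))
    print("leaks:", leaks_original_values(SAMPLE_RECORDS, export))
```

Use a key of at least 32 random bytes drawn from the production secret store and rotate it per export if linkage between exports is not needed; the guard function is there so the export job can refuse to ship a data set in which a personal value was missed.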
Having a secure Cloud environment means taking a lot of things into account. This is compounded by many of these issues being under the direct control of a third-party vendor. To ensure data protection and privacy, you should use the OWASP Top Ten Cloud Security Risks as a basis for building an effective Cloud security policy.
If you’re unsure about whether your Cloud environment is secure or not, you may want to consider conducting a cloud cybersecurity assessment. This assessment will analyze the security status of your Cloud architecture, governance and policies, your capability to manage your defenses and your ability to react as the situation changes.