From the very beginning of the cloud computing era, security has been the biggest concern among enterprises that are considering the public cloud. For many organizations, the idea of storing data or running applications on infrastructure that they do not manage seems inherently insecure.
CloudPassage's 2016 Cloud Security report found that 53 percent of those surveyed listed "general security risks" as one of their biggest cloud adoption barriers, making it the biggest obstacle to the cloud. In addition, 91 percent of those surveyed were either "moderately concerned" or "very concerned" about cloud security.
However, those concerns may not be well-founded. Only 9 percent of those surveyed by CloudPassage said that their organizations had actually experienced a cloud-related security incident. And Gartner predicts, "Through 2020, public cloud infrastructure as a service (IaaS) workloads will suffer at least 60 percent fewer security incidents than those in traditional data centers."
Thanks to their massive scale, public cloud vendors have the resources to hire large teams of security experts and to invest in the latest and most effective technologies. Most organizations, even the very largest, simply cannot duplicate those efforts. As a result, many security experts are quick to say that the public cloud is more secure than private data centers.
However, surveys continue to show that people still worry about cloud security.
Part of the problem may be that business and IT leaders still do not completely understand the benefits and risks of cloud computing. "Ambiguity about what cloud computing actually delivers to an organization is compounded by a variety of real and imagined concerns about the security and control implications of different cloud models," said Jay Heiser, research vice president at Gartner.
Experts say that enterprises can increase the security of their public cloud deployments by following best practices and deploying the right cloud security technologies. According to Gartner, "By 2018, the 60 percent of enterprises that implement appropriate cloud visibility and control tools will experience one-third fewer security failures."
Enterprises that want to be among the organizations experiencing fewer security issues should take the following steps:
1. Understand your shared responsibility model
In a private data center, the enterprise is solely responsible for all security issues. But in the public cloud, things are much more complicated. While the buck ultimately stops with the customer, the cloud provider assumes responsibility for some aspects of IT security. Cloud and security professionals refer to this as a "shared responsibility model."
The leading infrastructure as a service (IaaS) and platform as a service (PaaS) vendors, like Amazon Web Services (AWS) and Microsoft Azure, have documents that explain which entity is responsible for which aspects of security. The chart below offers a good overview of how public cloud vendors in general and Microsoft in particular approach this shared responsibility.
Source: Microsoft Developer website
Enterprises that are considering using a particular cloud vendor should review that vendor's policies about shared security responsibility to make sure they understand who is handling the various aspects of security. That can help prevent misunderstandings — and the possibility of security incidents that occur as a result of a particular security need falling through the cracks.
2. Ask your cloud provider detailed security questions
Along the same lines, organizations should ask their public cloud vendors detailed questions about the security measures they have in place.
It is easy to assume that the leading vendors have security handled, but security methods and procedures do vary from one vendor to another. Some cloud providers have taken steps to have their security certified by various organizations, while others have not. That could impact an organization's choice of cloud vendor — particularly for sensitive workloads or for organizations with strict compliance requirements. While one vendor may be the best choice for mission-critical applications or personally identifiable customer data, another vendor may be the better choice for less-sensitive workloads.
3. Deploy an identity and access management solution
In the CloudPassage survey, respondents said the two biggest security threats to public clouds were unauthorized access (53 percent) and hijacking of accounts (44 percent). Both of these threats can be mitigated by deploying a high-quality identity and access management (IAM) solution.
Experts recommend that organizations look for an IAM solution that allows them to define and enforce access policies. It should also have role-based permission capabilities. And multi-factor authentication can reduce the risk of unauthorized people gaining access to sensitive information, even if they manage to steal usernames and passwords.
In addition, organizations may want to look for an IAM solution that works across their internal data centers as well as their cloud deployments. This can simplify authentication for end users, as well as making it easier for security staff to ensure that they are enforcing policies across all of their IT environments.
4. Train your staff
As attackers become more sophisticated, phishing and spear-phishing attacks seem to be succeeding with more frequency. In order to prevent hackers from getting passwords for cloud computing services, organizations need to train all of their workers in how to spot dangerous emails, how to select a strong password and how to avoid putting the company at risk.
In addition, employees need to understand the inherent risk of shadow IT. At most organizations, it's all too easy for staff to circumvent IT and start using a service like Dropbox or AWS without the IT department's knowledge. Enterprises need to explain why this practice is dangerous and hammer home the potential consequences for the organization — and for the employee's career.
Organizations also need to invest in training for their security staff. The threat landscape shifts on a daily basis, and IT security professionals can only keep up if they are constantly learning about the newest threats and potential countermeasures.
5. Establish and enforce cloud security policies
Organizations need to have written guidelines that specify who can use cloud services, how they can use them, and which data can be stored in the cloud. They also need to lay out the specific security technologies that employees must use to protect data and applications in the cloud.
Ideally, security staff should have automated solutions in place to ensure that everyone is following these policies. In some cases, the cloud vendor may have a policy enforcement feature that is sufficient to meet the organization's needs. In others, the organization may need to purchase a separate security solution with these policy enforcement capabilities.
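As an added illustration (not from the original article or any vendor's product), the sketch below shows what automated enforcement of a written cloud policy can look like: the policy is expressed as data and checked against a resource inventory. The policy fields, control names and inventory records are all hypothetical and constructed for this example.

```python
# Added example: a written cloud policy expressed as data and checked against
# a constructed resource inventory. All field names and records are hypothetical.
POLICY = {
    "approved_services": {"object-storage", "managed-db"},
    "data_allowed_in_cloud": {"public", "internal"},
    "required_controls": ("encrypted_at_rest", "tls_only", "owner_mfa"),
}

INVENTORY = [  # constructed sample records
    {"name": "web-assets", "service": "object-storage", "data_class": "public",
     "encrypted_at_rest": True, "tls_only": True, "owner_mfa": True},
    {"name": "hr-export", "service": "object-storage", "data_class": "restricted",
     "encrypted_at_rest": True, "tls_only": True, "owner_mfa": True},
    {"name": "test-db", "service": "managed-db", "data_class": "internal",
     "encrypted_at_rest": False, "tls_only": True},  # owner_mfa not recorded
    {"name": "team-share", "service": "file-sync", "data_class": "internal",
     "encrypted_at_rest": True, "tls_only": False, "owner_mfa": True},
]


def violations(resource, policy=POLICY):
    """List every rule the resource breaks; a missing field counts as a failure."""
    found = []
    if resource.get("service") not in policy["approved_services"]:
        found.append("service not approved")
    if resource.get("data_class") not in policy["data_allowed_in_cloud"]:
        found.append("data class not allowed in cloud")
    for control in policy["required_controls"]:
        if resource.get(control) is not True:  # fail closed on missing or unknown
            found.append(f"missing control: {control}")
    return found


def audit(inventory, policy=POLICY):
    """Return {resource name: [violations]} for non-compliant resources only."""
    report = {}
    for resource in inventory:
        found = violations(resource, policy)
        if found:
            report[resource.get("name", "<unnamed>")] = found
    return report


if __name__ == "__main__":
    for name, found in audit(INVENTORY).items():
        print(f"{name}: {'; '.join(found)}")
```

Treating an unrecorded control as a violation keeps incomplete inventory data from passing the check silently.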
6. Secure your endpoints
Using a cloud service doesn't eliminate the need for strong endpoint security — it intensifies it.
If you already have a strong defense-in-depth on your network that includes firewalls, anti-malware, intrusion detection, access control and other measures, you probably have the necessary technology in place. New cloud computing projects offer an opportunity to revisit those strategies and make sure that the protections you are currently using are adequate to address evolving threats.
7. Encrypt data in motion and at rest
Encryption is a key part of any cloud security strategy. Not only should you encrypt any data in a cloud storage service, you should also make sure that data is encrypted during transit — when it may be most vulnerable to attacks. In fact, in the CloudPassage survey, respondents said that the two most effective cloud security technologies were data encryption (65 percent) and encryption of data in motion on networks (57 percent).
Some cloud computing providers offer encryption and key management services, and third-party cloud and traditional software companies offer encryption options as well. Experts recommend finding an encryption product that works seamlessly with existing work processes, eliminating the need for end users to take any extra actions in order to comply with company encryption policies.
8. Use intrusion detection and prevention technology
According to the CloudPassage survey, the third most effective cloud security technology is intrusion prevention and detection. These solutions can help organizations identify when an attack has occurred and take action to stop attacks in progress.
Again, organizations have options for both cloud-based and traditional software when it comes to IDS and IPS solutions. You may want to look for a product that can encompass both your on-premises and public cloud environments.
9. Double-check your compliance requirements
Organizations in industries like retail, health care and financial services face strict regulations when it comes to customer privacy and data security. And businesses in certain geographic locations may have special compliance requirements as well.
Before establishing a new cloud computing service, organizations need to review their particular compliance requirements and make sure that their service provider will meet their data security needs.
10. Consider a third-party partner
Dozens of companies offer solutions or services designed to enhance cloud security. If your internal security staff don't have cloud expertise or if your current security solutions don't support cloud environments, it may be time to bring in some outside help.
Cloud access security brokers (CASBs), software designed to enforce cloud security policies, have become increasingly popular as organizations begin using a larger number of cloud services. Experts say that a CASB solution may make sense for your organization if you use many different cloud computing services from several different vendors.
Cloud-based security solutions, particularly those that rely on artificial intelligence and machine learning to analyze log data, are also becoming more popular. In fact, IDC has predicted, "By 2020, more than 25 percent of enterprises will secure their IT architectures through cloud, hosted, or SaaS security services."
11. Conduct audits and penetration testing
Whether you choose to partner with an outside security firm or rely on internal staff, experts say that you should run penetration testing to determine whether your existing cloud security efforts are sufficient to protect your data and applications.
In addition, you should conduct regular audits of your cloud security capabilities. The audit should include an analysis of your vendors' capabilities, including double-checking to make sure that they are meeting the security terms specified in your SLAs.
Also, because insiders represent a significant threat, you should audit your access logs to make sure that only appropriate and authorized personnel are accessing sensitive data and applications in the cloud.
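The access-log audit described above, combined with the role-based permissions and multi-factor authentication from step 3, can be sketched as follows. This is an added example, not part of the original article: the log format, user names, roles and resource names are constructed, and a real audit would read the provider's own access logs instead.

```python
import csv
import io
from collections import defaultdict

# Constructed role-based permissions: role -> resource prefixes it may access.
ROLE_PERMISSIONS = {
    "finance-analyst": ("s3://finance/",),
    "dba": ("db://customers", "db://orders"),
    "developer": ("s3://build-artifacts/",),
}
USER_ROLES = {"alice": "finance-analyst", "bob": "dba", "carol": "developer"}
SENSITIVE_PREFIXES = ("s3://finance/", "db://customers")

# Constructed access log, one record per line: timestamp,user,resource,mfa,result
SAMPLE_LOG = """\
2017-09-01T09:00:02Z,alice,s3://finance/q3.xlsx,true,allow
2017-09-01T09:04:10Z,carol,s3://finance/q3.xlsx,true,allow
2017-09-01T09:05:44Z,bob,db://customers,false,allow
2017-09-01T09:06:01Z,mallory,db://customers,true,allow
2017-09-01T09:07:30Z,carol,s3://build-artifacts/app.tar,false,allow
2017-09-01T09:08:12Z,carol,db://orders,true,deny
"""


def audit_access_log(log_text):
    """Return {finding: [(timestamp, user, resource), ...]} for sensitive accesses."""
    findings = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        ts, user, resource, mfa, result = row
        if result != "allow" or not resource.startswith(SENSITIVE_PREFIXES):
            continue  # only successful access to sensitive resources is audited
        entry = (ts, user, resource)
        role = USER_ROLES.get(user)
        if role is None:
            findings["unknown_user"].append(entry)
        elif not resource.startswith(ROLE_PERMISSIONS.get(role, ())):
            findings["role_not_authorized"].append(entry)
        elif mfa != "true":
            findings["no_mfa"].append(entry)
    return dict(findings)


if __name__ == "__main__":
    for finding, entries in audit_access_log(SAMPLE_LOG).items():
        for ts, user, resource in entries:
            print(f"{finding}: {user} -> {resource} at {ts}")
```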
Experts emphasize that, in most cases, concerns about security should not prevent organizations from using public cloud services. Often, organizations actually have fewer security issues with their cloud-based workloads than with those that run in their traditional data centers. And by following cloud security best practices, they can reduce the risk even more, while taking advantage of the benefits offered by cloud computing.