Gartner predicts that, through 2022, at least 95% of cloud security failures will be attributable to user error and suggests rather than ask is cloud computing secure, businesses should be asking “am I using cloud computing securely?”
Before businesses start deploying assets in the cloud, it’s natural that one of the first questions asked is if cloud computing is secure. Misreported data breaches can often create the wrong impression that, because breached data was stored in the cloud, cloud computing is far from secure. However, on closer inspection, it’s not the cloud that’s at fault, but the people using it.
Most major cloud security failures are attributable to user error—typically misconfigured databases (i.e. Hova Health), poor password management (i.e. Uber), improper access controls (i.e. Time Warner Cable), and unsecured storage buckets (i.e. Accenture). Indeed, you can search by keyword for data maintained in unsecured storage buckets using a publicly-accessible search engine.
Creating a Cloud Center of Excellence (CCoE) can also help prevent misconfigurations and security breaches from happening. Learn more about building a successful cloud infrasturcture security and compliance practice with our whitepaper here.
The problem has developed because when many businesses started deploying assets in the cloud, they assumed Cloud Service Providers (CSPs) had the responsibility for keeping cloud computing secure. Though this is partly true – CSPs take responsibility for infrastructure and software security—businesses are ultimately responsible for how their data is used and accessed.
How Cloud Service Providers keep cloud computing secure
One of the best comments we’ve heard about cloud data security vs. on-premises data security was made by a Microsoft Azure MVP. He said: “Is your data more secure because it’s on an [on-premises] server you can go and look at?” He certainly has a point. If you’re concerned about data security in the cloud, think about the lengths CSPs go to in order to keep cloud computing secure.
Investment in security
Because of the reputational damage a breach at a Cloud Service Provider’s data center would cause, CSPs invest heavily in security, personnel, software, and processes to protect their infrastructure. The level of investment is much more than what most businesses could put into their in-house security, and whereas most businesses are investing against current threats, CSPs invest in researching future threats.
CSP’s data centers are monitored around the clock by teams of security experts who use advanced threat analytics, big data, and machine learning to identify trends, recognize threats, and respond quickly. Other teams of security experts simulate attacks in order to test detection and response processes. Even the largest on-premises enterprise data centers cannot match CSP’s security operations.
Entry into CSP’s data centers is strictly controlled and staff roles separated, so that those who can access hardware are isolated from those that can access data. This security process is extended to staff responsible for patching and updates, who are monitored at all times to prevent mistakes or malicious actions. Few businesses can afford to separate hardware maintenance from application maintenance.
How businesses fail to keep cloud computing secure
In addition to the user errors mentioned above, there are many ways in which businesses fail to keep cloud computing secure. The non-profit organization Cloud Security Alliance recently produced a top ten list of cybersecurity threats, and eight of the ten are attributable to user error rather than the actions of an external actor – although an external actor will more than likely take advantage of any user error.
- Insufficient identity, access, and credential management (user)
- Abuse and misuse of cloud services (user)
- Insecure graphical user interface and APIs (user)
- Shared technology vulnerabilities (user)
- Sudden information leakage (user)
- Advanced persistent threats (attacker)
- Insufficient due diligence (user)
- Cloud account hijacking (user)
- Denial of service attack (attacker)
- System vulnerabilities (user)
What is important to note is these cybersecurity threats are not exclusive to businesses operating in the cloud. Gartner believes that businesses moving to the cloud are more aware of these threats, and those that implement appropriate cloud visibility and control tools will experience one-third fewer security failures than businesses with on-premises data centers.
Gartner also states businesses who automate cloud operations will further reduce the potential for human error and suffer at least 60% fewer security failures than businesses with on-premises data centers. However, businesses that don’t take measures to keep cloud computing secure will contribute to Gartner’s prediction that at least 95% of cloud security failures will be attributable to user error by 2020.
Addressing cloud security failures attributable to user error
One of the biggest problems businesses face is that many tools for keeping cloud computing secure are too complex for users accustomed to on-premises data centers. One survey found that the difference between providing full control over an AWS S3 bucket and read-only access was the choice of one drop down menu over another. For users unaccustomed to the process, it’s not surprising mistakes are made.
To address cloud security failures attributable to user error, security experts recommend implementing a cloud management platform that provides unified visibility and control over both cloud infrastructures and on-premises infrastructures. This will allow consistent policies to be applied business-wide that will eliminate the user errors that lead to security vulnerabilities.
Ideally, the cloud management platform should have logging and reporting capabilities that enable system administrators to identify patterns and trends so they can adjust data protection policies accordingly. The platform should also have – as Gartner recommends – automation capabilities that identify and block suspicious behavior 24/7, and mirror CSP’s around the clock security operations.
Most importantly, considering the difficulty some users have experienced in applying cloud security measures, the selected cloud management platform has to be easy to use and backed by accessible customer support. Without ease of use and customer support, it may prove impossible for a business to fully address cloud security failures attribute to user error and keep its cloud computing secure.
CloudHealth: visibility, control, automation, and support
CloudHealth from VMware is a cloud management platform that provides unparalleled visibility into cloud-based and on-premises operations. The platform collates data from all sources to give system administrators a “single-pane view”, through which they can monitor infrastructure activity and its impact on cost, performance, and security.
With total visibility into cloud operations, and our unique “Perspectives” evaluation tool, your business can proactively reduce spend, streamline configurations, and remediate risks. We also offer a free CloudHealth Health Check that identifies issues across your infrastructure and makes recommendations for optimizing costs, performance, and security, and for simplifying governance.
Once the recommendations are actioned, CloudHealth maintains the optimized state via policy-driven automation. Policies can be applied to many different areas of your cloud-based and on-premises operations in order to keep your cloud computing secure and mitigate on-premises cybersecurity threats.