Understanding security in your cloud environment is an enterprise-wide responsibility—even affecting users who aren’t directly involved in your cloud computing operations. Therefore, it’s essential that mechanisms are put in place to protect your cloud environment at every level.
Cloud environments are very different from on-premises environments, so it makes sense that security in your cloud environment is going to be very different from security in your on-premises environment. However, not every enterprise takes this into account when migrating assets to the cloud, with the consequence that security can be compromised and data potentially exposed to theft.
One of the big differences between cloud security and on-premises security is that almost everything deployed in the cloud can be accessed remotely via a single console. Most enterprises are conscious of implementing access controls so that each individual can only access deployments they’re responsible for, and so unauthorized access to sensitive data is prevented.
However, a number of high-profile breaches have occurred because access keys and passwords were stored unencrypted in the cloud in source code, configuration files, and other locations where automated software can find them. With no firewalls in the cloud to prevent unauthorized access to repositories, hackers have enjoyed an easy time obtaining login credentials.
Issues can start further down the control line
Even when access controls are properly implemented, access keys are properly stored, and passwords stored in the cloud are encrypted, issues with security in your cloud can start further down the control line. These issues are created by hackers looking to obtain login credentials via phishing emails. Any user can be targeted by a hacker—even those not directly involved in your cloud computing operations.
Although the intended target may not have access to any cloud operations, a phisher who takes remote control of their email account can use the account to solicit login credentials from other users—potentially even gaining access to root accounts. The login credentials don’t necessarily have to be disclosed unintentionally. They can often be captured by hackers using keylogging malware.
Consequently, security in your cloud environment involves every user with access to an enterprise email account, from a warehouse assistant to a C-level executive. Training must be provided to reduce susceptibility to phishing emails, and systems must be put in place for users to report suspicious emails, even though this may reduce productivity and the benefits of operating in the cloud.
3 best practices to improve security in your cloud environment
Controlling access, encrypting data, and reducing the susceptibility of email users are basic solutions for improving security in your cloud environment, and none of the three is foolproof. The majority of cloud data breaches are the result of human error, and therefore more robust security mechanisms are required to eliminate the risk of human error whenever possible.
Multi-Factor Authentication
Multi-Factor Authentication (MFA) is a great way to protect enterprise cloud accounts when a username and password combination has been disclosed or hackers have acquired login credentials from an unsecured repository. MFA systems that use a security key to generate PINs are ideal, because PINs sent to mobile devices are insecure if the mobile device is compromised.
Penetration testing
All major cloud service providers allow enterprises to test their systems, networks, and applications to discover vulnerabilities that can be exploited by hackers. Ideally, you should engage white-hat hackers to conduct penetration tests, as in-house teams can be too familiar with the systems, networks, and applications. Also make sure the cloud service provider is aware you’re conducting a test.
Automation
Monitoring security in your cloud environment can be a time-consuming exercise, and although it’s not ideal to automate every element of cloud security, there are areas in which automation can play an important role, such as alerting you to unencrypted storage volumes or accounts with MFA disabled. You can also use automation to restrict or revoke access when suspicious activity occurs.
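An added example (not part of the original article) of the two automated checks named above: flagging unencrypted storage volumes and sign-in accounts without MFA. The article names no provider, so the AWS-style inputs (the JSON shape of `aws ec2 describe-volumes` and a subset of IAM credential report columns), the sample data, and the function names are all assumptions.

```python
import csv
import io
import json

# Constructed sample inputs (not real resources or accounts).
# Shape of `aws ec2 describe-volumes` JSON output, trimmed to the fields used.
VOLUMES_JSON = """{"Volumes": [
  {"VolumeId": "vol-0aaa1111", "Encrypted": true,  "State": "in-use"},
  {"VolumeId": "vol-0bbb2222", "Encrypted": false, "State": "in-use"},
  {"VolumeId": "vol-0ccc3333", "Encrypted": false, "State": "available"}
]}"""

# Subset of the columns in an IAM credential report (CSV).
CREDENTIAL_REPORT_CSV = """user,password_enabled,mfa_active
<root_account>,not_supported,false
alice,true,true
bob,true,false
ci-deploy,false,false
"""

def unencrypted_volumes(volumes_json):
    """Return IDs of volumes whose Encrypted flag is missing or false."""
    volumes = json.loads(volumes_json).get("Volumes", [])
    return sorted(v["VolumeId"] for v in volumes if not v.get("Encrypted", False))

def users_without_mfa(report_csv):
    """Return users who can sign in interactively but have no MFA device."""
    flagged = []
    for row in csv.DictReader(io.StringIO(report_csv.strip())):
        is_root = row["user"] == "<root_account>"
        has_password = row["password_enabled"] == "true"
        # Key-only service users (no console password) are skipped here;
        # their access keys need a separate rotation/usage check.
        if (is_root or has_password) and row["mfa_active"] != "true":
            flagged.append(row["user"])
    return flagged

def build_alerts(volumes_json, report_csv):
    """Combine both checks into a list of alert records for a notifier."""
    alerts = [{"severity": "high", "check": "unencrypted-volume", "resource": v}
              for v in unencrypted_volumes(volumes_json)]
    for user in users_without_mfa(report_csv):
        severity = "critical" if user == "<root_account>" else "high"
        alerts.append({"severity": severity, "check": "mfa-disabled", "resource": user})
    return alerts

if __name__ == "__main__":
    for alert in build_alerts(VOLUMES_JSON, CREDENTIAL_REPORT_CSV):
        print("{severity:8} {check:20} {resource}".format(**alert))
```

Run on a schedule against fresh exports, the alert list can feed a ticketing or paging system; the root account without MFA is ranked above ordinary users because it cannot be constrained by access policies.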
Understand your risk capacity vs. risk appetite
The final stage of understanding security in your cloud environment is to develop a risk management strategy. In order to develop a risk management strategy, you first have to understand your risk capacity vs. your risk appetite (i.e. what risks exist and those you’re willing to put up with) and the consequences of allowing some risks to remain unaddressed.
This process requires a comprehensive risk assessment that identifies vulnerabilities and calculates the impact of a “reasonably anticipated threat”. With this information, it’s possible to balance security with service to ensure your systems, networks, and applications are as secure as can reasonably be expected without sacrificing service to the point where it’s not worth moving to the cloud.
The mechanisms implemented to reduce your exposure to cloud-based threats should be reviewed and tested periodically in order to update your risk management strategy where necessary. Like the cloud, a risk management strategy should continue evolving in order to accommodate new opportunities, while addressing new risks as your cloud footprint expands.