Many firms are realising that while shifting applications and infrastructure over to cloud computing services can make life easier in some ways, it doesn’t mean they can give up all responsibility for keeping their data secure.
Cloud security is the fastest growing segment of the security market, with spending jumping from $595 million in the US in 2020 to $841 million last year, largely because companies are discovering that it’s a more complicated topic than they realised.
Most businesses use multiple cloud services and cloud providers, a hybrid approach that can support granular security options where vital data is kept close (perhaps in a private cloud) while less sensitive applications run in a public cloud to take advantage of big tech’s economies of scale. But the hybrid model also introduces new complications, as every provider will have a slightly different set of security models that cloud customers will need to understand and manage.
That takes time and (often elusive) expertise. But misconfigured services are high on the list of causes of security incidents, along with even more basic failures like poor passwords and identity controls. Little surprise that companies are evaluating tools to automate much of this.
That’s leading to interest in new technologies such as Cloud Security Posture Management (CSPM) tools, which can help security teams spot and fix potential security issues around misconfiguration and compliance in the cloud, so they know the same rules are being enforced across their cloud services. Another area of growth has been Cloud Access Security Brokers (CASBs), which also aim to guarantee that an enterprise’s security policies are being enforced across its portfolio of services. Other security technologies that cloud users are interested in, according to industry research, include zero trust, artificial intelligence and machine learning.
However, many technologies that hold out the promise of improving cloud security are still at an early stage.
None of this is to say that the cloud is inherently less secure. Indeed, because cloud vendors have the scale to invest in skills and capabilities that are beyond the reach of most customers, cloud services and applications are likely to be more secure than those hosted by companies for whom tech is far from their core competency.
But as well as looking at technical innovations it’s also worth scrutinising the levels of service and understanding offered by cloud service providers. The UK’s National Cyber Security Centre (NCSC) has a good set of general principles for cloud computing security that’s worth considering, which can help you judge the security posture of a supplier. There are 14 principles in total, including:
- Your data should be protected against tampering and eavesdropping as it transits networks inside and external to the cloud.
- A malicious or compromised customer of the service should not be able to access or affect the service or data of another.
- The service needs to be operated and managed securely in order to impede, detect or prevent attacks, using vulnerability management, protective monitoring, configuration and change management.
- If service provider personnel have access to your data and systems, you need a high degree of confidence in their trustworthiness and the technical measures in place that audit and constrain the actions of those personnel.
- Cloud services should be designed, developed and deployed in a way that minimises and mitigates threats to their security, including a robust software development lifecycle.
- All external or less-trusted interfaces of the service should be identified and defended appropriately, including external APIs, web consoles and command line interfaces.
- You should be able to identify security incidents and should have the information necessary to find out how and when they occurred. The service will need to provide you with audit information, and issue security alerts when attempted attacks are detected.
Developing the right security posture is hard: some companies worry about sophisticated hacking groups, others struggle to stop staff using ‘1234’ as a password. Covering the fundamentals of security, understanding where the market is going, and asking cloud providers tough questions about their own security is a good path to follow.