Top 7 - Cloud Risks and Mitigations
05 Oct 2020 | Shivani Jariwala
In my last blog, we discussed the Risk Assessment Framework for Cloud Security. In this blog, I'll focus my advice on the top security risks that will impede the adoption and implementation of cloud services.
Most companies need to abide by local, regional and international compliance requirements, including but not limited to data sovereignty and privacy. In the UAE, data sovereignty laws are still evolving, with no clear mandate or defined regulation, but:
Companies increasingly store sensitive data in the cloud. A Skyhigh analysis found that 21% of files uploaded to cloud-based file-sharing services contain sensitive data, including intellectual property. When a cloud service is breached, cybercriminals can gain access to this sensitive data. Certain cloud services can even pose a risk if their terms and conditions claim ownership of the data uploaded to them.
A significant and often unplanned challenge that cloud services create is the loss of control over management and monitoring across complex cloud architectures. Considerable planning is necessary to achieve effective end-to-end monitoring of the software and hardware stacks deployed across on-premises infrastructure and private and public clouds. We've found that an organisation's existing monitoring frameworks are unlikely to track both on-premises and cloud environments effectively. Relevant security and operations teams must therefore be proactively involved in defining monitoring requirements and processes during the cloud design stages. Not involving them early is highly risky, as it is nearly impossible to implement effective monitoring as an afterthought.
Cloud customers have little or no control over data disclosure when an MLAT (Mutual Legal Assistance Treaty) or similar foreign-access request is served on client data held by the CSP. Data encryption and key management controls can help limit such disclosures. However, key management is an area that has not yet matured, even at the large cloud service providers. These security services have typically been added as a layer on top of existing stacks; they are afterthoughts, prompted by late recognition of customers' growing data security concerns, and are not enterprise-grade. For example, when CSPs offer a bring your own key (BYOK) option, it creates the perception of increased security and control. Digging deeper into the BYOK model, however, reveals that it is applied only at varying tiers of the key hierarchy across CSPs, and customers are not necessarily in control of the keys that actually protect the data.
Organisations must carefully review the encryption and key management architecture provided by the CSP. The Cloud Security Alliance, in its Security Guidance for Critical Areas of Focus in Cloud Computing, recommends that sensitive data should be:
According to the Ponemon BYOC study, 64% of companies can't confirm whether their employees are using their own cloud services in the workplace. Trust us—they are.
With the above two steps, organisations can establish the compliance and governance needed to protect corporate data in the cloud.
As per IBM's 2020 X-Force Threat Intelligence Index, threat actors took advantage of misconfigured cloud servers to siphon over 1 billion records from compromised cloud environments in 2019. Misconfiguration occurs when computing assets are set up incorrectly, leaving them vulnerable to malicious activity. Some examples of misconfiguration include:
1) unsecured data storage elements or containers,
2) excessive permissions,
3) unchanged default credentials and configuration settings,
4) standard security controls left disabled,
5) unpatched systems and logging or monitoring left disabled, and
6) unrestricted access to ports and services.
As cloud-based resources can be complex and dynamic, they can prove challenging to configure. Traditional controls and approaches for change management are not effective in the cloud. Organisations must:
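As an added example (not part of the original post), the following Python audit walks a constructed inventory snapshot and flags each of the six misconfiguration classes listed above; the field names, thresholds and sample values are assumptions chosen for illustration, not any CSP's real API.

```python
from __future__ import annotations
from typing import Any

# Constructed reference values; a real audit pulls these from the CSP's config APIs.
DEFAULT_USERS = {"admin", "root"}            # vendor-shipped account names
ADMIN_PORTS = {22, 3389, 3306, 5432}         # SSH, RDP, MySQL, PostgreSQL
ANY_SOURCE = {"0.0.0.0/0", "::/0"}           # rules open to the whole internet
MAX_PATCH_AGE_DAYS = 30

def audit_inventory(inv: dict[str, Any]) -> list[tuple[str, str]]:
    """Map an inventory snapshot to (category, resource) findings, one per defect."""
    out: list[tuple[str, str]] = []
    for b in inv.get("storage", []):                       # 1) unsecured storage
        if b.get("public_read") or not b.get("encrypted"):
            out.append(("unsecured-storage", b["name"]))
    for p in inv.get("policies", []):                      # 2) excessive permissions
        if "*" in p.get("actions", []) and p.get("resource") == "*":
            out.append(("excessive-permissions", p["name"]))
    for a in inv.get("accounts", []):                      # 3) default credentials
        if a["user"] in DEFAULT_USERS and not a.get("password_changed", False):
            out.append(("default-credentials", a["user"]))
        if not a.get("mfa_enabled", False):                # 4) standard control disabled
            out.append(("control-disabled", f"{a['user']}:mfa"))
    for h in inv.get("hosts", []):                         # 5) unpatched / no logging
        if h.get("patch_age_days", 0) > MAX_PATCH_AGE_DAYS:
            out.append(("unpatched", h["name"]))
        if not h.get("audit_logging", False):
            out.append(("logging-disabled", h["name"]))
    for r in inv.get("firewall_rules", []):                # 6) unrestricted ports
        if r.get("source") in ANY_SOURCE and r.get("port") in ADMIN_PORTS:
            out.append(("unrestricted-access", f"{r['name']}:{r['port']}"))
    return out

# Constructed snapshot: one defect of each class alongside correctly configured items.
SAMPLE_INVENTORY: dict[str, Any] = {
    "storage": [{"name": "backups", "public_read": True, "encrypted": True},
                {"name": "private-logs", "public_read": False, "encrypted": True}],
    "policies": [{"name": "ci-runner", "actions": ["*"], "resource": "*"},
                 {"name": "reader", "actions": ["s3:GetObject"], "resource": "arn:example"}],
    "accounts": [{"user": "admin", "password_changed": False, "mfa_enabled": False},
                 {"user": "ops", "password_changed": True, "mfa_enabled": True}],
    "hosts": [{"name": "web-1", "patch_age_days": 90, "audit_logging": False},
              {"name": "web-2", "patch_age_days": 3, "audit_logging": True}],
    "firewall_rules": [{"name": "sg-web", "source": "0.0.0.0/0", "port": 443},
                       {"name": "sg-db", "source": "0.0.0.0/0", "port": 5432}],
}

if __name__ == "__main__":
    for category, resource in audit_inventory(SAMPLE_INVENTORY):
        print(f"{category:22} {resource}")
```

Public HTTPS on port 443 is deliberately not flagged, so the check distinguishes an intended public service from an administrative or database port exposed to any source.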
In conclusion, you can outsource cloud services and operations, but not security accountability. Ultimate accountability for data in the cloud remains with your organisation. The critical success factor is to ensure that all stakeholders, including business, IT, security and the cloud service provider, take part in the risk assessment and in the eventual findings and remediation. Security must also be addressed from the beginning of the project and continue to be evaluated throughout, even after its completion. This ensures the organisation proactively manages its network and cloud environments rather than putting out fires that arise after deploying new technologies.
The cloud is here to stay, and companies must weigh the risks of cloud services against the clear benefits they bring, and plan accordingly.