How to improve cloud provider security: 4 tips
Many IT pros remain concerned with the risk of data loss and leakage in the cloud, according to a new survey from AlgoSec.
At RSA 2019, Brian Roddy of Cisco discussed what CISOs should include in a cloud security plan.
Many companies are increasingly looking to the cloud as a more effective and efficient way to manage their applications and other business assets. Ideally, a cloud environment can offer the agility, flexibility, and scalability that a company may not be able to achieve internally. However, the cloud carries its own set of concerns and challenges, several of which were highlighted in a Tuesday report released by security provider AlgoSec.
In a survey commissioned by AlgoSec and conducted by the Cloud Security Alliance, security was the top worry among the 700 IT professionals polled. A full 81% expressed significant concerns about security when moving data to a public cloud platform. The risk of sensitive customer or personal data being lost or leaked was cited as the biggest security fear.
SEE: Hybrid cloud: A guide for IT pros (free PDF) (TechRepublic)
Respondents pointed to specific security concerns when running applications in the public cloud. Those concerns included unauthorized access to cloud-based data, infiltration of more sensitive areas of the network (either in the cloud or on premises), data corruption, outages due to Denial of Service attacks, and the abuse of resources (e.g., cryptomining).
AlgoSec
Ideally, using a cloud provider should alleviate some of the internal effort involved in managing applications and other assets. But IT pros still need to manage security in the public cloud, and that task carries its own challenges. Proactively detecting misconfiguration and security risks with public cloud vendors was the top obstacle cited in this area.
Respondents also pointed to other public cloud security challenges, including a lack of visibility into the entire cloud estate, compliance and preparation for audits, managing both cloud and on premises environments, managing a multi-cloud environment, and a lack of expertise in cloud-native security.
The survey also posed questions about multi-cloud environments. Yes, using multiple providers reduces the reliance on a single provider. But a multi-cloud environment adds certain challenges as well.
Among the respondents, 66% said they rely on several cloud providers, with 35% reporting that they use three or more providers. To add to the complexity, organizations may use both public and private clouds. A full 55% of those polled said they use a hybrid cloud environment with at least one public and at least one private cloud. Some 35% said they use a combination of a multi-cloud and hybrid cloud environment.
"As companies of all sizes are taking advantage of the value of the cloud with its improved agility and flexibility, they are also facing unique new security concerns, especially when integrating multiple cloud services and platforms into an already complex IT environment," John Yeoh, global vice president of research for Cloud Security Alliance, said in a press release. "The study findings demonstrate how important it is for enterprises to have holistic cloud visibility and management across their increasingly complex hybrid network environments in order to maintain security, reduce the risk of outages and misconfigurations, and fulfill audit and compliance demands."
How to improve cloud provider security
To tackle some of the risks and challenges in using cloud providers, AlgoSec served up a few recommendations.
1. Build in security and compliance
Cloud providers now offer tools for managing security and compliance, many of which meet certain industry and government regulations. As such, IT pros should available themselves of these native tools.
2. Take responsibility for security internally
Certainly, organizations should establish shared security responsibilities with their cloud providers. But businesses also need to manage security internally. That means identifying a department responsible for cloud security, establishing cloud security policies across business units, and raising the level of education and awareness for all employees.
3. Detect misconfigurations and security risks
Cloud providers continue to add features to improve the security of their services. Organizations should be kept abreast of any updates to such services. Further, customers should always be notified of misconfigurations of publicly exposed services, insufficient credentials, and the misuse of any other cloud-based features.
4. Know when to automate
Automating certain components of your security can help manage a complex cloud environment. Such automated tools and functions as log activity, data aggregation, threat detection, and security policy management are a few ways that organizations can more quickly find security gaps, compliance violations, service misconfigurations, and service outages.
Conducted online by the CSA from December 2018 to February 2019, the survey was sent to almost 700 IT and security professionals at organizations of different sizes and at different locations. Around 500 organizations answered the majority of the 20 questions in the survey.
For more, check out How to make CISOs comfortable with cloud security on TechRepublic.
Also see
Image: iStockphoto/erdikocak
Gloss