When it comes to cloud security, too many organisations are making the same mistakes over and over, and are still surprised when they are breached. To break this cycle, they need to have awareness of the modern cloud security landscape and address issues with a firm and well-thought-out strategy in place.
As organisations in every industry build applications, they need to realise that each one provides a possible foot in the door for bad actors if it is not properly secured. For instance, when zero-day attacks or highly dangerous threats such as Log4j emerge, organisations need to ask themselves whether they are running software that leaves them vulnerable to exploitation.
Too many companies, irrespective of size, have trouble getting a grasp on all of their cloud providers, their cloud instances, and the range of different services they are using. Therefore, to start building a better cloud security posture, businesses need to know which data and workloads they have in the cloud, where software is used in the cloud infrastructure, how these assets are secured, and whether there is a plan in place in case of a security event.
And this isn’t about implementing a security tool; it’s about understanding the number of containers and serverless deployments. It’s about knowing whether separate accounts are being used, and whether good segregation is in place between them. It’s about knowing how information is being stored, used, archived, and backed up, and how assets are being managed.
Having this visibility and awareness is key to keeping the cloud safe and secure.
There are also risks that aren’t necessarily cloud-specific, such as risks posed by using third-party suppliers, cloud providers with inadequate measures, as well as simply determined and advanced adversaries who might target your business or that of your cloud provider.
To protect your company from cloud security risks, it’s vital to return to the basics, which include implementing and practicing good security hygiene, keeping software updated, and applying patches as soon as they are released. Most importantly, it’s about conducting regular security training for your employees to make sure they understand the threat landscape and don’t make avoidable mistakes that could prove catastrophic for your business. Also, train your workforce on the particular providers’ tools and capabilities so they understand how serverless environments are managed, how they function, how storage and networking work, and more.
For those just embarking on a cloud journey, the Cloud Security Alliance (CSA) offers an excellent framework to help companies understand overall governance, how to view challenges in terms of the varying layers of applications, infrastructure and other technologies, and how to map these to whatever security standards are being employed. It’s a good way to accurately assess your business’s risks. More importantly, it sheds light on the shared responsibility model and helps businesses understand what they should be asking each of their providers, so they can ascertain who is responsible for which elements of security.