Cloud security: What’s needed to secure and protect the cloud, and why does it matter?
Cloud usage is higher than it’s ever been, with 92% of enterprises using a multi-cloud strategy and 82% utilizing a hybrid strategy (Flexera 2021 State of the Cloud Report). COVID-19 accelerated cloud workload adoption, and as our organizations become more decentralized and elastic, cloud usage will continue to grow. What does all this cloud growth mean for security? How can we work to truly secure workloads in the cloud regardless of our strategy? We spoke with Pat Smith, technical consultant II, and Brian Rauls, sr. technical marketing engineer, to learn more.
How does cloud security compare to on-premises security?
Years ago, servers, endpoints, users and data all resided within the 4 walls of an organization. From a security admin standpoint, IT had pretty good visibility and control of these assets. Fast forward to today’s work-from-anywhere, hybrid-enabled workloads: these assets are now all over the place, and without visibility IT has no control. Users are connecting from anywhere, usage of cloud applications are on the rise, and all kinds of data (including that of a sensitive and priority nature) is being stored in the cloud.
To have a sound cloud security approach, organizations need to understand the following:
What security threats does my organization need to prepare for in the cloud?
Believe it or not, one of the biggest threats to an organization might originate from an unlikely source—the inside. Compliance and privacy mandates are on the rise, and they are put in place to protect sensitive data from being inadvertently (or intentionally) exfiltrated. On-premises data loss prevention (DLP) and cloud-based DLP/cloud access security broker (CASB) solutions are necessary to help protect against these threats. Untrained users and malicious insiders are a real threat.
Another threat is found with third-party contractors. This was seen in the example of a hacking group that entered a network through a connected fish tank. From this entry point, the hackers had access to the main casino network. The fish tank had sensors connected to the internet that regulated the temperature, food and cleanliness of the tank. According to the Washington Post, “Somebody got into the fish tank and used it to move around into other areas of the network and sent out data.”
Authentication access roles must be set to prepare to be in the cloud. A strong CASB solution is key: if a user performs “red flag” actions too many times, they’re deemed a risky user. This places that user’s permissions into a different risk pool or allowed actions until they get trained.
What is my organization’s responsibility for the security of our assets in software-as-a-service (SaaS), platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) settings?
Generally speaking, service providers are responsible for the security “of” the cloud. IT is responsible for the security “in” the cloud. Even though you’re relying on a cloud provider to offer security to the environment, the owner organization is always responsible for security of the data. We review the shared responsibility model in further depth in our “Deeper dive into securing the cloud” video—see our video asset post for more.
How can we effectively implement a cloud security strategy?
To start, identify where sensitive data exists within the organization. Then, identify where DLP/CASB tools would help. Ingram Micro’s Digital Transformation Solutions team offers a cloud security assessment to give an overview of current status with remediation recommendations and as always, our Cybersecurity Delta Force is here to help you as well.
How do I know that my data can’t be accessed by other customers?
Many CASB solutions can evaluate your IaaS/PaaS/SaaS environments for any security concerns (S3 buckets, server configs, etc.). It is important to regularly review access configurations. Cloud workload protection vendors such as Fortinet and CloudCheckr can assist from an IaaS security perspective, and other monitoring and assessment services provide additional insight.
Is my data encrypted while in transit and at rest?
For data in transit to the cloud, make sure your browser shows “https” in the URL and/or displays a lock logo. VPN should also be used whenever possible to ensure encrypted data in transit. For data at rest in the cloud, this varies based on the cloud application.
Customers can use on-premises encryption to make sure all sensitive data is encrypted, so as it moves about it remains encrypted. Encryption status is largely based on inherent encryption in the applications being used. If encryption is not built in, it’s important to make sure you’re using https, tunneling, etc. to make sure it is encrypted. If you adopt a CASB, encryption status will be visible to you within that tool.
What methods of user authentication are supported by cloud products?
Multifactor authentication (MFA), identity and access management (IAM) and many other types of user authentication are supported by cloud products. Cloud users need to understand and implement privileged access management, and have a good grasp on who should have access to what, their rights and application of those permissions appropriately. Only specific users should have full admin rights to best protect data and assets.
Who is liable if a cloud provider experiences a security breach?
To answer this question, consult a lawyer—especially if you have compliance requirements like PCI, HIPAA or SOX. Under current law, the data owners (the firm or organization that is storing user data) are responsible for data breaches and will pay any fines or fees as a result of legal action.
Ingram Micro’s Cybersecurity Delta Force is here to help connect you to cloud security solutions that meet your needs and make sense for your organization’s specific cloud usage and strategy. Leverage our team to help work through available options that meet your needs.
Cloud Security 101
Get an introduction to cloud security from Patrick Smith, technology consultant II at Ingram Micro.
Cloud Security 201
Take a deeper dive into cloud security.
Cloud Security Specialists