How to protect your cloud deployments
Robust security depends on understanding the security measures that complement the protections offered by cloud service providers
- Companies need to understand and map out the extent and limitations of security provided by their cloud services provider
- Family offices also need to ensure their family members are properly trained on sharing and posting information on cloud networks, including social media
- Third-party access to cloud deployments requires additional management oversight and compliance with strong security standards
- Familiarity with the cloud provider’s guidelines and settings can help organizations protect access to critical data and prevent breaches
Cloud capabilities have become essential to almost every type of organization. They provide data storage, enable real-time communication and collaboration, link disparate teams and systems and connect new devices to company networks. Importantly, cloud deployments can scale up quickly, which has helped many companies quickly establish new connections and working conditions with partners, customers, internal teams and remote employees. Cloud capabilities extend into personal services as well, such as email, social media and entertainment services.
According to one study, 79% of organizations recognize that security is one of their top cloud challenges.1 One problem is that many companies simply have not assessed the risks associated with cloud deployments or have not determined what elements of security are their responsibility.
Since most organizations depend on cloud service providers (CSPs) to maintain these systems, it can be challenging to determine what elements of security are the responsibility of the CSP and which are not.
Understanding the limits of CSP security
CSPs usually offer built-in security features that exceed the technical capabilities and financial resources of most small and midsize businesses. One study shows, that 39% of organizations are running more than half of their workloads in the cloud.2 The cloud can be as secure as in-house systems, but only if managed with appropriate storage and access controls.
While CSPs often provide tools to help manage cloud configuration, there are still many elements of security infrastructure — such as firewalls, devices and account access — that remain the cloud user’s responsibility. In fact, CSPs are not the source of most security incidents. Lack of knowledge among cloud customers and misconfiguration of CSP accounts are responsible for most breaches, big and small.
“Misconfiguration of cloud deployments can lead to serious vulnerabilities related to account access and permissions.”
Misconfiguration, like many cloud security challenges, often stems from staff inexperience. Many security and IT specialists simply don’t understand the intricacies of secure cloud configuration and often lack in-depth knowledge of their company’s CSP security settings and capabilities.
Another potential pitfall is inadequate or incomplete security processes. When configurations and permissions are not thought through, employees — and bad actors — can gain access to a world of sensitive information that can be unintentionally leaked or very cleverly stolen through social engineering schemes.
This type of insider incident can have serious and costly impacts. Research shows that organizations who experienced a data breach with a hybrid cloud model on average cost $3.80 million.3 It is important to know your third-party vendors and what privileges have been granted to reduce the risk of account take-overs by cyber criminals or disruptions to normal operations. In one study, 45% of data breaches of companies occurred in the cloud.4
How to overcome the obstacles
In many ways, cloud deployment security is similar to traditional on-premise systems. Cloud security should follow a “cover the basics” approach that includes fundamentals, such as:
- A thorough understanding of the data you gather
- Powerful identity and authentication tools
- Access controls based on the principle of least access
- Correct configuration of the deployment
- Encryption of data in motion, in use, at rest
- Network activity monitoring
- Limited privileged access to cloud settings
- Proper training of IT, security and individual users which includes:
- Caution sharing personal data publicly
- Caution posting location/travel data
- Strengthening of home cyber security controls
For more specific guidance in addressing cloud security challenges, a CSP can be one of the best sources of advice. Service providers offer a range of advanced security and privacy capabilities, as well as guidelines and security defaults for rigorous configuration of cloud settings. But many organizations don’t follow these guidelines, and some may even inadvertently disable essential security settings.
A CSP may offer continuous monitoring solutions to help detect suspicious user activity and assess an organization’s threat status in real time. Monitoring is also essential to tracking and prioritizing investigations of malicious incidents.
However, CSPs don’t provide much help in minimizing third-party risks. Business and security leaders will need to carefully assess a partner’s security capabilities to make sure they meet or exceed their own. This assessment can also help determine the right amount of access to grant third-party users.
Neither Bank of America nor its affiliates provide information security or information technology (IT) consulting services. This material is provided “as is,” with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this material, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, quality and fitness for a particular purpose. This material should be regarded as general information on information security and IT considerations and is not intended to provide specific information security or IT advice nor is it any substitute for your own independent investigations. If you have questions regarding your particular IT system or information security concerns, please contact your IT or information security advisor.