By Paul Jolliffe, Lead DSM: Security at T-Systems South Africa
- Business need to understand what cloud security threats are
- A sound, enforceable security model with a maturity plan is required to minimise risk of threats
- Cybersecurity partners can simplify and reduce the complexity of cloud security
Businesses are fast adopting cloud, moving towards a multi cloud environment. With this shift, security becomes critical – and vastly more complex. Organisations don’t always have a full understanding of the threats and which cloud security requirements they should concern themselves with, particularly when a wide number of different cloud platforms are in use.
Of critical importance is choosing the right cloud solution for your business and understanding which workloads to shift to the cloud. Having a well-thought out strategy which considers the business benefits of either a single or multi-cloud environment, while factoring in the spread of workloads across clouds and the security controls of each, will pave the way to a secure, functional cloud ecosystem. From there, you can more easily identify the threats, and implement frameworks, technologies and future roadmaps to manage them.
Many organisations fail to realise that even if they opt for public consumption-based cloud services, they are responsible for their own data security. It is vital to take cognisance of what security measures each cloud platform offers and ensure alignment with individual security controls and desired outcomes.
Know the threats
The cloud brings to light a host of new cybersecurity concerns. The Cloud Security Alliance (CSA) has published a list of top twelve cloud security threats, broadly covering the potential security concerns that could affect any business evolving to the cloud.
Data breaches as well as poor identity and access management controls are equally problematic in the cloud as they are in traditional environments. With cybercriminals becoming increasingly brazen, targeted attacks are prevalent. That being said, data breaches can also be a result of human error or simply a lack of adequate access controls in place. Where there is insufficient identity and access management, unauthorised data access can lead to the loss, destruction and dissemination of valuable data – intentional of otherwise.
Many application program interfaces (APIs) for cloud communications are developed quickly to get to market first. This results in insufficient testing, grading and reviews which create gaps and opens the door to cyberthreats. Insecure APIs allow conversations and communications to be exposed, and stronger security protocols will need to be looked at, at the development stage.
Insider threats are another key concern to be aware of. Many data breaches come from sources internal to organisations, whether from disgruntled employee, or one unaware of proper security protocols. This is a potential gateway to Advanced Persistent Threats (APTs), which have been known to infiltrate cloud platforms.
Accidental data loss, abuse of cloud services and the vulnerability of sharing a platform with other organisations all pose significant risks to businesses using the cloud.
Apply the right controls
For organisations implementing a hybrid cloud strategy, leveraging a private cloud while consuming public cloud services, enforceable control mechanisms across both environments are critical.
As your business becomes more digital, using more and more of the cloud, the right controls need to be put in place. There are several frameworks that offer guidance on which controls are suitable to various cloud environments, and working with these to build a holistic cloud security control policy will ensure protection across all platforms.
Frameworks and guidelines are given by the International Organisation for Standardisation, SANS, NIST, CoBit and, of course, the Cloud Security Alliance. These offer a variety of options that you can adapt and adopt to suit your business and cloud model, enabling and equipping you with the perfect combination of security controls to minimise the risk of threat at every avenue.
Once your security control policy is in place, it needs to be implemented and – more importantly – enforced across all channels of the business. All stakeholders, including staff, suppliers and customers need to be fully aware of the limitations and controls that apply to them, so communicating the strategy effectively is an essential element to your strategy’s effectiveness.
Maturing your security strategy in line with cloud maturation
Many of the frameworks mentioned above have maturity models which can be applied to ensure your security controls keep apace with your business’ digital evolution. CoBit, for example, offers rated, weighted auditing measures which addresses different levels of maturity and allows you to augment your security strategy in line with your cloud strategy.
However, as your business advances in the cloud, levels of customisation may introduce more complexity. As this happens, your cloud security controls strategy needs to be revisited, reviewed and updated time and again, to avoid new threats as they emerge.
Invest in sound technology
When you have a cloud security policy in place, supported by a sound governance policy, it quickly becomes evident which security technologies you will need to enable them.
From cloud security access brokers, who cover the full range of security technologies needed, to individual technologies such as endpoint protection, data protection, advanced threat detection and workload protection, your policy will ensure you select and implement the tools best suited to your requirements.
A cyber security partner can be integral to assisting your business across the entire cloud security journey, and can even alleviate most of the pressure by managing your security concerns for you. Whichever cloud journey you make, and the cloud security controls you adopt to secure that environment, empower yourself – and your business – to grow, with a cloud security policy that is robust, flexible and enforced.