“There is no business strategy without a cloud strategy,” said Milind Govekar, vice president at Gartner. Gartner predicts that in 2022 global cloud revenue will total $474 billion—an increase of $66 billion from 2021—and that by 2025, “95% of new digital workloads will be deployed on cloud-native platforms.” Almost every organization is using one or more public, private, or hybrid clouds these days, so it’s not surprising that cloud security threats are one of the top threats organizations face in 2022.
The Persistent Myth of Cloud Security
With the vast majority of organizations using cloud services, your cloud environments are an attractive target for cybercriminals. The 2021 Thales Global Cloud Security Study conducted by 451 Research found that 40% of organizations experienced a cloud-based data breach in the 12 months preceding the survey. It further found that 83% of organizations had half of their sensitive data in the cloud and unencrypted.
So why isn’t cloud security at the forefront of every organization’s cybersecurity discussions? Enter the myth of cloud security. Outside of IT teams, there is a persistent myth that cloud storage is secure if you choose a good cloud provider. Sadly, this is not the case. Even if your cloud provider has strong security, it’s only as good as your organization’s cloud security policies and overall cybersecurity. Both you and your cloud provider share responsibility for securing your cloud and the data you store in it.
The Top 5 Cloud Security Challenges
Let’s look at the top 5 cloud security challenges and how you can reduce your organization’s risks.
- Choose the right cloud provider for your needs. Carefully vet your cloud providers. You may have heard the old joke, “There is no such thing as the cloud – only other peoples’ computers.” While this is certainly a simplification, it’s important to regularly assess the security of your cloud provider and ensure they keep their security up to date. The NIST Cloud Computing Standards Roadmap provides some great advice on how to define your needs, select a cloud provider and secure your cloud data.
- Watch for cloud configuration errors. Cloud misconfigurations are common mistakes that are easy to make. One report found that 90% of organizations may be vulnerable to a cloud breach due to misconfiguration issues. Organizations like CVS and Wegmans, just to name a few, have had their data exposed via cloud configuration errors. According to Fugue’s cloud security report, organizations cited the following reasons as the top causes for their cloud misconfigurations:
• 52% said it was caused by lack of awareness of cloud security and policies
• 49% stated it was due to the lack of adequate controls and oversight
• 43% noted that they had too many APIs and interfaces to adequately govern
• 32% cited negligent insider behavior
How do you solve cloud configuration errors? In good news, many of these errors can be prevented with cybersecurity oversight, increased cloud security awareness and training, and closer attention to your cloud security controls. Here are several tips to counter common cloud misconfiguration mistakes:
• Regularly review your cloud configuration. Cloud settings and security cannot be a “set it and forget it” process – you need to regularly evaluate your cloud security controls.
• Implement misconfiguration detection and alerting tools. Take advantage of tools offered by your cloud provider and consider third-party tools that offer additional security.
• Schedule an annual cloud security assessment. Just as organizations should have an annual pen test to ensure your environment is secure, an annual cloud security assessment is also crucial. You may also want to consider regular proactive cloud threat hunting – this can uncover indicators that your cloud container may not be secure.
• Regularly train your IT team. Major cloud providers frequently offer online training classes. Ensure your team stays current on the security features for your cloud storage providers. You should also plan for continuing education through tabletop simulation exercises, cybersecurity and incident response trainings, and more. If you are using AWS, check out this blog on AWS cloud adoption tips.
- Understand how many cloud services you organization actually uses. Most organizations have “shadow IT” challenges. This means that departments or employees are using services, in this case cloud services like Dropbox, Huddle, Google Drive, etc., without the IT team’s knowledge or review. Most of the time, employees don’t even realize they should have these type of cloud services approved by the IT team to minimize risks and provide standard policies. You can combat this challenge by:
• Routinely inventorying your organization’s cloud services. Have your IT team conduct an annual review – you need to know all the cloud providers your organization is using so you can properly assess and mitigate these cloud risks.
• Create cloud use policies and preferred providers, then share the information with all employees. Have written company-wide polices regarding what cloud platforms are allowed, the rules for secure use, and the need to contact IT for approval before using any new cloud platforms. Ensure that you periodically remind employees of these policies and make it part of your new employee training materials.
- Prevent cross-cloud attacks. Cloud security is a shared responsibility. Both your cloud security provider and your organization must have adequate cloud security controls and processes to keep your data safe. Cross-cloud attacks can occur when criminals gain access to one cloud application and then spread to others. This is frequently a result of a criminal accessing an employee’s email account. If the breached employee re-uses passwords, the criminal can attain access to multiple cloud accounts. You can get more detailed advice on cross-cloud attacks in the top threats of 2022 blog or watch this 10-minute video that explains cross-cloud attacks and prevention strategies.
Here are a few high-level prevention strategies:
• Use multi-factor authentication (MFA). We know we mention this a lot, but any time you can use MFA, you should. Most apps and services offer it these days. MFA is an added layer of protection to verify it’s really you who is accessing your account and not a hacker.
• Implement a password manager. A good password manager suggests and securely stores each password in an encrypted vault; this ensures your team members won’t need to re-use passwords. Plus, the suggested passwords are usually stronger than what most people create.
• Provide regular cybersecurity training for everyone in your organization. Phishing is a popular way criminals access email accounts and is frequently the root cause of a cross-cloud breach. Whether you subscribe to a security awareness training portal with built-in phishing tests, provide monthly cybersecurity tips and articles to your employees, or do a quarterly training – however you can afford to start, you should provide regular cybersecurity training to all your employees. In fact, here are free tip sheets that you can email directly to your employees about phishing prevention, password security, and remote work safety, so you can get started right now!
• If your suspect one password is compromised, consider resetting all of the user’s passwords. Many IT teams make the mistake of only resetting the password for a specific cloud account if they think a user’s credentials may have been compromised. All too often, criminals start by hacking email or a local system, and spread to the cloud. If the criminal is still lurking in the employee’s email account, they can simply reset whatever passwords you change and strike again! When in doubt, always reset the victim’s email password, as well as any other passwords that may be related.
- Create a strategic cloud security plan. This is another case where the NIST Cloud Computing Standards Roadmap can be a great tool to help you organize and map out your cloud security plans. Read The 4 Most Common Cloud Storage Security Risks to confirm that you address the most common security issues consultants find when doing cloud security assessments. Ensure you have a strategic plan that identifies your cloud security maturity and includes annual security growth goals.
With the growth of cloud security, it’s crucial that you have a strategic plan to ensure the security of your cloud platforms and the data stored within them. While implementing all of these steps may seem overwhelming, start with the steps you can manage and plan to grow your efforts every year.
This blog is distributed with the permission of LMG Security.
ABOUT LMG SECURITY
At LMG, our singular focus is on providing outstanding cybersecurity consulting, technical testing, training, and incident response services. Our team of recognized cybersecurity experts have been covered on the Today Show and NBC News, as well as quoted in the New York Times, Wall Street Journal, and many other publications. In addition to online cybersecurity training, LMG Security provides world-class cybersecurity services to a diverse client base located around the United States and internationally.