Monday, 23 October 2017

The Beginner's Guide to Cloud Security

As increasing numbers of businesses shift their workloads to the cloud, the security threat we face is changing. Where our data goes, the hackers follow – and now cloud attacks are on the rise.

In its 2017 Security Intelligence Report, Microsoft announced that attacks aimed at users’ accounts and login credentials had tripled over the last year.

The technology giant blamed weak passwords, targeted phishing attacks, poor password management, and breaches in third-party services for the rise in these attacks.

More Secure Login Credentials

In response, Microsoft’s advice mirrors the advice issued earlier this year by the US agency the National Institute of Standards and Technology (NIST), which detailed new rules around how to protect digital identity and passwords. NIST recommends 16-digit passwords without rules about character formats, avoiding rules that require passwords to be changed regularly, and enforcing multi-factor authentication.

While consumers can learn good password management from this advice, it is of most value for organisations – as they struggle to keep their security up to speed with the rapid changes in their IT environments and subsequent attack surface.

The Changing Attack Surface

However, for organisations struggling to keep up with the new security challenges, user credentials are only a small part of the picture.

The legacy tools that were designed for monitoring and protecting the on-site datacentre are not adequate for protecting the new hybrid environment that most of us now operate.

Hackers aren’t necessarily changing their attack methods – but IT leaders do need to change the way they look for attacks, the tools they use to identify them, and the indicators in the cloud environment that reveal them.

For example, Distributed Denial of Service (DDoS) attacks have a very different implication in the cloud. One of the benefits of a cloud service is that it can flex in line with demand – making it much more resilient to a DDoS attack. However, this can come at a significant cost to the business, as it needs to pay for the additional cloud computing resources consumed in order to withstand the attack.

Security Designed for the Cloud

Perhaps one of the biggest challenges for IT leaders is that cloud allows us, or even forces us, to relinquish responsibility for – and visibility of – the underlying network infrastructure. As a result, the monitoring tools that we relied on to monitor on-premise traffic are no longer enough.

As part of GDPR preparation, every company which uses cloud-based applications should review its procedures relating to the processing of personal data.

One of the most important things which must be considered is the location where cloud apps are processing or storing your data. New GDPR regulations clearly state that personal data cannot be exported out of the EU without consent given by individuals. This means that if you don’t know exactly where your cloud provider's servers are, you may unintentionally be breaching the law.

Regardless of how well secured your cloud-based provider is, there will always be the risk of a data breach. To minimise that risk, you shouldn’t treat your cloud-based storage as an “unlimited bucket” where you can put absolutely everything.

Good practice, currently implemented by a large number of organisations, is to map data flow and create a company data protection policy which defines where the personal and sensitive information can be stored.

The Shared Responsibility Model

However, this lack of visibility of the network layer at your cloud provider necessarily means that you will now share responsibility for protecting your services with your cloud solutions provider.

The scope of each party's responsibilities will form part of your contract negotiation and must be clearly defined. With the larger cloud providers, like Azure and AWS, the boundaries between responsibilities are defined per service – with the cloud provider taking on more responsibilities in a platform as a service (PaaS) model than in an infrastructure as a service (IaaS) model.

With smaller providers that offer a more bespoke service, you will be better able to agree lines of responsibility that match your own strengths and capabilities. This makes contract negotiations complex, but vitally important to the security of your infrastructure.

Traditional Security Challenges

Of course, without clear visibility of cloud providers' network infrastructure, it is impossible to know the volume of attacks they are withstanding on a daily basis. But, according to Gartner analysts, “Through to 2020, 80% of cloud breaches will be due to customer misconfiguration, mismanaged credentials or insider theft, not cloud provider vulnerabilities.”

If this is the case, the need for strong and enforced security policies, staff training, and better user and password management will continue to play an important role in any security strategy.

If you have concerns about securing your data in the cloud, protecting your hybrid environment, or any other aspect of your cyber security strategy, Grant McGregor's security team is on hand to offer advice.

Every year, we help many businesses to develop and implement better security practices.
