By Naveen Gurusiddaiah and Sandhya Chebiyyam
Cloud computing services play a vital role in how organizations operate their businesses today. A few years ago the cloud might have been called a luxury; today it is regarded as essential for meeting an organization's business demands across its markets. However, cloud services also bring an important need for security to address the threats and risks present in the digital space.
Current Trends in Cloud Adoption
According to Gartner, "The adoption and interest in public cloud continues unabated as organizations pursue a 'cloud first' policy for onboarding new workloads."
Gartner analysts estimate that over 85% of organizations will embrace the cloud-first principle by 2025, and that over 95% of new digital workloads will be deployed on cloud-native platforms by then, up from 30% in 2021. The analyst firm also predicts that over the next few years cloud revenue will exceed non-cloud revenue for 'relevant enterprise IT markets'. As Gartner VP Milind Govekar puts it, "Anything non-cloud will be considered legacy."
One of the most valuable cloud computing trends is the ability to use more than one cloud service provider. This lets organizations draw on the best technologies available from multiple vendors, avoid vendor lock-in, and build their products and services on diverse technical platforms, but only when it is implemented correctly and securely.
According to Forbes, "If 2022 was the year of hybrid cloud, then 2023 could be the year that businesses come to understand the advantages of diversifying their services across a number of cloud providers. This is a strategy known as taking a multi-cloud approach, and it offers several advantages, including improved flexibility and security."
The measures an organization adopts as part of its cloud security strategy to provide assurance against cyberattacks and to mitigate risk improve both the quality of service delivered to end users and the organization's reputation.
Challenges in Securing Cloud Workloads
With the adoption of cloud computing, digital resources, structured and unstructured data assets, applications and storage are growing rapidly year on year, bringing benefits such as ease of use, cost optimization and scalability. With the steady increase in risks such as a growing attack surface, breaches and insider threats, organizations are compelled to plan and act to build cyber resiliency against the security challenges that cloud computing can pose.
- Loss of data and reputation due to breaches
Data breaches remained the top cloud security threat yet again this year in CSA's report. A data breach results in irreversible damage to the organization's reputation, regulatory implications and legal liabilities, to name a few. Securing data in the cloud is the responsibility of the cloud solution adopter. Moreover, cloud misconfigurations and a lack of proper authentication and authorization mechanisms account for most data breaches.
- Lack of proper cloud security architecture and strategy
The adoption of containers, microservices, APIs, IaC and other cloud-first technologies introduces new complexities for security and scalability. A poor understanding of the cloud architecture and its interdependencies limits the effectiveness of the security measures implemented. Without proper strategy and planning, organizations are exposed to security threats that can result in reputational damage and legal and compliance issues. An incremental and agile approach to cloud migration planning is recommended.
- Insufficient identity, credential, access and key management
Many cloud security threats are linked to access issues. Overly restrictive privileges and access controls will result in negative business performance and low productivity. According to CSA guidance, this stems from the following:
  - Improper credential protection
  - Lack of automated cryptographic key, password and certificate rotation
  - IAM scalability challenges
  - Absence of multifactor authentication
  - Weak passwords
- Inadequate threat notifications and alerts
One of the foundations of any effective cybersecurity system is how quickly threat notifications and alerts reach security personnel. Instant notifications and alerts enable proactive threat mitigation, which can prevent successful attacks and minimize damage. At the same time, these systems generate a huge number of alerts, of which only a few require further investigation. Alert fatigue is real, and it needs to be addressed through automation that provides actionable threat intelligence and efficient prioritization and analysis of alerts.
- Lack of visibility into all cloud resources in a multi-cloud environment
Unknown assets are inherently vulnerable and may provide a path into the organization's network.
- Customization of cloud environments to suit the policies of different organizations
If these security policies are not managed correctly, they widen the attack surface and can compromise the multi-cloud ecosystem.
Cloud providers have in-built controls for managing user authorization and access privileges. A multi-cloud strategy would require organizations to maintain multiple identity systems simultaneously. Keeping consistent policies across multiple platforms without a centralized control system is a huge logistical challenge.
Regulations and Compliance
As Gartner points out, 90% of businesses that fail to control public cloud use will end up sharing sensitive data by 2025. Most organizations have no idea where to begin when asked whether they are cloud compliant.
The regulations that apply to on-premises infrastructure also apply to the cloud in many circumstances, among them HIPAA, PCI DSS, GDPR, ISO/IEC 27001, NIST, NERC and Sarbanes-Oxley (SOX). For instance, some regulations require companies to protect their workloads in the cloud or to comply with the data privacy regulations of a given country.
The Cloud Security Alliance's Cloud Controls Matrix (CCM) is the most widely adopted framework for cloud security. The controls in the CCM are mapped to industry-accepted security standards, regulations and control frameworks, including but not limited to ISO 27001/27002/27017/27018, NIST SP 800-53, AICPA TSC, German BSI C5, PCI DSS, ISACA COBIT, NERC CIP, FedRAMP, CIS and many others.
The starting point is to identify the organization's needs, cost constraints and risk appetite. Based on these parameters, organizations can choose the appropriate controls from the CCM and start evaluating how to implement them.
How to Reduce the Threat Landscape in Cloud Workloads
Data Discovery & Classification
Securing cloud workloads is all about the shared responsibility model. Exactly where the cloud provider's responsibility ends and the organization's responsibility begins varies from provider to provider, so assuming that every cloud provider offers the same level of security is a mistake best avoided.
For a successful multi-cloud security strategy, an organization needs a centralized framework that supports all the cloud platforms to apply security and access policies across the board.
Securing data is the prime responsibility when organizations move data to the cloud, and that responsibility multiplies when hybrid and multi-cloud enter the picture. One of the main strategies for cloud migration is securing sensitive data, both structured and unstructured. The volume of data in real time is always huge, and so are the liabilities, hence the best way to start cloud adoption is to discover and classify sensitive data, which privacy regulations and compliance regimes such as GDPR and CCPA also mandate. Beyond the utility options provided by the cloud service providers, solutions that aid data discovery, classification and protection make good technical sense and increase the speed of cloud deployments. Such solutions enable correct classification and tagging against the relevant compliance policies, improving efficiency and reducing both the cost of protection and the associated risk. The ability to visualize, manage and govern data across multiple cloud platforms gives leadership additional valuable insight and control.
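The discovery and classification step described above, as an added example that is not part of the original article: it scans a set of constructed records for common sensitive-data patterns, applies a Luhn check so that random digit runs are not flagged as card numbers, and tags each record with an illustrative (assumed) mapping to the compliance policies it triggers.

```python
import re

# Constructed sample records (not real data): a mix of structured fields and free text.
SAMPLE_RECORDS = {
    "crm/customers.csv": "alice@example.com, +1-555-0100, prefers email",
    "billing/export.json": '{"card": "4111 1111 1111 1111", "exp": "12/27"}',
    "hr/notes.txt": "Employee SSN 123-45-6789 on file; review in Q3",
    "docs/readme.md": "Deployment notes for the ingestion service",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary 13-19 digit numbers are not reported as card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Detector name, pattern, and the policies it triggers. The policy mapping is an
# illustrative assumption; a real program derives it from its own compliance register.
DETECTORS = [
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), {"GDPR", "CCPA"}),
    ("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), {"CCPA"}),
    ("card", re.compile(r"\b(?:\d[ -]?){13,19}\b"), {"PCI DSS"}),
]


def classify(text: str) -> dict:
    """Return {category: set(policies)} for the sensitive data found in text."""
    found = {}
    for name, pattern, policies in DETECTORS:
        for m in pattern.finditer(text):
            if name == "card" and not luhn_ok(re.sub(r"[ -]", "", m.group())):
                continue  # digit run that fails Luhn is not treated as a card number
            found.setdefault(name, set()).update(policies)
    return found


def discover(records: dict) -> dict:
    """Tag every record with a sensitivity label, the categories found and the policies that apply."""
    report = {}
    for path, text in records.items():
        cats = classify(text)
        policies = set().union(*cats.values())
        report[path] = {"label": "restricted" if cats else "internal",
                        "categories": sorted(cats), "policies": sorted(policies)}
    return report
```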
Application Security
Modern application development has evolved through multiple processes and phases. The growing modularity of enterprise software, the large number of open-source components, microservices and containerization all widen the scope for risks and vulnerabilities.
Application development on the cloud requires the changes necessary to reap the benefits of the cloud and to be resilient against security threats. Understanding the vulnerabilities and threats is the first and foremost step from an application security perspective, followed by development that includes secure coding, pre-production security testing and production monitoring.
Cloud security testing evaluates the security and configuration integrity of the platforms hosting an organization's business-critical information assets. Cloud providers such as Azure, AWS and GCP do provide security controls; however, the organization itself is responsible for the assets and resources hosted in its cloud environment. The objective is to identify potential security vulnerabilities associated with the cloud service and remediate the risk by creating secure architecture blueprints and hardened APIs.
Organizations need to move away from reactive security and instead enable proactive, preventive security by building security into the earliest stages of the development lifecycle and adopting shift-left methodologies that enable secure cloud DevSecOps.
Identity-Access Management
A centralized identity management architecture, with governance-driven automated user lifecycle management that follows the principle of least privilege, timely user access reviews and certification, is needed to overcome identity provisioning challenges. Federation using industry-standard identity management protocols such as SAML, OAuth and OIDC must be prioritized to counter the growing threat landscape that cloud adoption brings. Adaptive access control mechanisms must be implemented to avoid the weaknesses of static authentication.
Privileged accounts/entitlements must be clearly flagged in the respective systems defining access. The platform must continuously monitor and report any new access created or deviation in the user access behaviour. Auditing and reporting are essential for meeting the regulatory requirements. A centralized management console for easy admin viewing, reporting and policy enforcement would be a great addition to the IAM platform.
Start with an identity-centric approach to ensure the right people have the right level of access, to the right resources, in the right context, and that access is assessed continuously by using risk-based authentication. Use of risk scoring is also critical to understand the risk of the identity accessing a resource. Risk scoring in IAM enhances the security posture of the organization and provides a robust zero trust layer to begin with.
Scalability and agility must be planned for as top priorities in order to deploy an efficient and effective identity and access management solution.
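Risk-based authentication and the audit record that should accompany each decision, as an added example that is not part of the original article: the signals, weights and thresholds are assumptions chosen for illustration, and a real deployment tunes them to its own risk appetite.

```python
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    resource: str
    privileged: bool       # resource is flagged as a privileged entitlement
    known_device: bool     # device has been seen for this identity before
    country: str           # country derived from the source IP
    home_country: str      # country the identity normally works from
    mfa_passed: bool       # a second factor was presented in this session
    failed_logins_1h: int  # recent failures recorded against this identity


# Assumed weights for illustration only; an organization tunes these to its risk appetite.
WEIGHTS = {"unknown_device": 30, "foreign_country": 25, "privileged_resource": 20,
           "no_mfa": 15, "failed_login": 5}
MAX_FAILED_COUNTED = 5  # cap so a burst of failures cannot alone dominate the score


def risk_score(req: AccessRequest):
    """Return (score 0-100, contributing signals) for an access request."""
    signals = []
    if not req.known_device:
        signals.append("unknown_device")
    if req.country != req.home_country:
        signals.append("foreign_country")
    if req.privileged:
        signals.append("privileged_resource")
    if not req.mfa_passed:
        signals.append("no_mfa")
    score = sum(WEIGHTS[s] for s in signals)
    score += min(req.failed_logins_1h, MAX_FAILED_COUNTED) * WEIGHTS["failed_login"]
    return min(score, 100), signals


def decide(req: AccessRequest) -> str:
    """Map the score to allow / step_up (force MFA) / deny; privileged access never passes without MFA."""
    score, _ = risk_score(req)
    if score >= 70:
        return "deny"
    if score >= 30 or (req.privileged and not req.mfa_passed):
        return "step_up"
    return "allow"


def audit_record(req: AccessRequest) -> dict:
    """What the platform logs for every decision, so deviations in access behaviour can be reported."""
    score, signals = risk_score(req)
    return {"user": req.user, "resource": req.resource, "score": score,
            "signals": signals, "decision": decide(req)}
```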
Security Operations
Awareness and timely communication of security threats to the asset owner or application manager as soon as a threat is identified should be part of a thorough data security and access management plan. This enables them to respond and act on the threat in a timely manner.
Automation plays a significant role in a multi-cloud strategy and reduces human error. An effective way to ensure efficient automation is to build threat identification, validation, containment and mitigation, along with cloud workload monitoring driven by automated governance, into the planning phase.
The critical elements of intelligent security operations in a multi-cloud environment are AI-based unsupervised machine learning, unique profiling, automated real-time correlation, the ability to eliminate false positives, and prioritization of threats based on business and financial impact, with the scalability to meet the ever-changing needs of the organization.
Containerization and microservices simplify the management and security of cloud workloads. It is essential to choose cloud-agnostic, centralized management tools that secure and support multiple platforms and comprehensive policies.
A well-designed and well-planned approach enables organizations to overcome the challenges of the cloud and gain an edge over the competition, along with faster time to market.
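The alert-fatigue problem raised under the challenges above and the impact-based prioritization described here, as one added example that is not part of the original article: constructed alerts from several cloud platforms are deduplicated, known noise is suppressed rather than discarded, and the remainder is ranked by severity multiplied by an assumed business-impact rating per asset.

```python
# Constructed sample alerts from a multi-cloud monitoring feed (not real data).
ALERTS = [
    {"id": 1, "source": "aws", "asset": "payments-db", "rule": "public_bucket", "severity": "high"},
    {"id": 2, "source": "aws", "asset": "payments-db", "rule": "public_bucket", "severity": "high"},
    {"id": 3, "source": "azure", "asset": "dev-sandbox", "rule": "failed_login", "severity": "low"},
    {"id": 4, "source": "gcp", "asset": "customer-api", "rule": "iam_key_unrotated", "severity": "medium"},
    {"id": 5, "source": "azure", "asset": "dev-sandbox", "rule": "failed_login", "severity": "low"},
    {"id": 6, "source": "aws", "asset": "build-agent", "rule": "port_scan", "severity": "medium"},
]

# Assumed business-impact rating per asset; in practice this comes from a CMDB or data classification.
ASSET_IMPACT = {"payments-db": 5, "customer-api": 4, "build-agent": 2, "dev-sandbox": 1}
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# (asset, rule) pairs an analyst has tuned out as known noise; they are counted, not investigated.
SUPPRESS = {("dev-sandbox", "failed_login")}


def triage(alerts, impact=ASSET_IMPACT, suppress=SUPPRESS):
    """Collapse duplicates, set aside known noise and rank what remains by severity x business impact."""
    groups = {}
    for a in alerts:
        key = (a["source"], a["asset"], a["rule"])
        g = groups.setdefault(key, {"first_id": a["id"], "count": 0, "severity": a["severity"]})
        g["count"] += 1
        if SEVERITY[a["severity"]] > SEVERITY[g["severity"]]:
            g["severity"] = a["severity"]  # keep the highest severity seen for the group

    queue, suppressed = [], 0
    for (source, asset, rule), g in groups.items():
        if (asset, rule) in suppress:
            suppressed += g["count"]
            continue
        priority = SEVERITY[g["severity"]] * impact.get(asset, 1)  # unknown assets get the lowest impact
        queue.append({"source": source, "asset": asset, "rule": rule,
                      "count": g["count"], "priority": priority, "first_id": g["first_id"]})
    queue.sort(key=lambda r: (-r["priority"], r["first_id"]))
    return {"queue": queue, "suppressed": suppressed}


if __name__ == "__main__":
    for item in triage(ALERTS)["queue"]:
        print(f'P{item["priority"]:>2} x{item["count"]} {item["source"]}/{item["asset"]}: {item["rule"]}')
```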
- Begin with comprehensive written policies that include specific guidelines on who should have access to sensitive data and the consequences for those who do not comply.
- Discover and classify the most sensitive data across multi-cloud and on-premises applications to minimize false positives, and act on the insights gained.
- Keep systems up to date so that known vulnerabilities are patched and workloads use the most recent version of every dependency.
- Use a unified identity directory for all user access information and policy management, so that security and access policies can be applied across workloads in the multi-cloud.
- Use a centralized cloud monitoring solution that is compatible with all the platforms to gain full visibility of your workloads.
Best Practices in Securing Cloud Workloads
NIST has published the six best practices adhered to by the Federal Trade Commission (ftc.gov) as indicative guidelines for securing cloud workloads.
- Take advantage of the security features offered by cloud service companies, as they invest heavily in the security and resiliency of their solutions. Achieving similar security in house could cost organizations far more.
- Take regular inventories of assets in the cloud. This keeps the assets in check and also controls the associated cost.
- Consider encrypting rarely used data; encryption should be applied to all data at rest. Such data may have immense value for the organization and could be a treasure for attackers.
- Pay attention to credible warnings from regulators and threat intelligence providers. This helps the organization stay compliant and avoid legal action or penalties.
- Security is everyone's responsibility. Implementing controls alone is not sufficient, since people have repeatedly proven to be the weakest link. Security must be embedded in the organization's culture; education and awareness are the keys to success.
Conclusion
It is therefore imperative for organizations to have a strategy that considers the business and technical risks and implications of a successful and safe cloud endeavor. Every enterprise should understand the intricacies of the shared responsibility model for secure operations and delivery, and adopt secure cloud concepts, thereby accelerating the creation of value-driven security outcomes in its digital transformation journey.