How to protect your company’s cloud deployments

Robust security depends on companies understanding that their own security measures should complement the protections offered by cloud service providers

 


Key takeaways

  • Companies need to understand and map out the extent and limitations of security provided by their cloud services provider
  • Third-party access to cloud deployments requires additional management oversight and compliance with strong security standards
  • Familiarity with the cloud provider’s guidelines and settings can help organizations protect access to critical data and prevent breaches

Cloud capabilities have become essential to almost every type of business. They provide data storage, enable real-time communication and collaboration, link disparate teams and systems and connect new devices to company networks. Importantly, cloud deployments can scale up quickly, which has helped many companies establish new connections and working conditions with partners, customers, internal teams and remote employees.

 

But according to one study, 81% of business leaders named security as their top challenge in cloud computing.[1] One problem is that many companies simply have not assessed the risks associated with cloud deployments or have not determined what elements of security are their responsibility.

 

Since most organizations depend on cloud service providers — CSPs — to maintain these systems, it can be challenging to determine what elements of security are the responsibility of the CSP and which are not.

 

Understanding the limits of CSP security

 

CSPs usually offer built-in security features that exceed the technical capabilities and financial resources of most small and midsize businesses. 85% of businesses believe the cloud is secure or more secure than their own infrastructure.[2] In fact, the cloud can be as secure as in-house systems, but only if managed with appropriate storage and access controls.

 

While CSPs often provide tools to help manage cloud configuration, there are still many elements of security infrastructure — such as firewalls, devices and account access — that remain the cloud user’s responsibility. In fact, CSPs are not the source of most security incidents. Lack of knowledge among cloud customers and misconfiguration of CSP accounts are responsible for most breaches, big and small.

“Misconfiguration of cloud deployments can lead to serious vulnerabilities related to account access and permissions.”

Misconfiguration, like many cloud security challenges, often stems from staff inexperience. Many security and IT specialists simply don’t understand the intricacies of secure cloud configuration and often lack in-depth knowledge of their company’s CSP security settings and capabilities.

 

Another potential pitfall is inadequate or incomplete security processes. When configurations and permissions are not thought through, employees — and bad actors — can gain access to a world of sensitive information that can be unintentionally leaked or very cleverly stolen through social engineering schemes.

 

This type of insider incident can have serious and costly impacts. Research shows that 82% of companies give third-party vendors highly privileged cloud identity roles — yet in many cases cloud security teams are not aware that these privileges have been granted.[3] This kind of oversight could increase the risk of account takeovers by cyber criminals or disruptions to normal operations. In one study, 69% of organizations said that third-party incidents are on the rise — and 51% had experienced a third-party data breach in the past year.[4]

 

How to overcome the obstacles

 

In many ways, securing a cloud deployment is similar to securing traditional on-premises systems. Cloud security should follow a “cover the basics” approach that includes fundamentals, such as:

  • A thorough understanding of the data you gather
  • Powerful identity and authentication tools
  • Access controls based on the principle of least access
  • Correct configuration of the deployment
  • Encryption of data in motion, in use and at rest
  • Network activity monitoring
  • Limited privileged access to cloud settings
  • Proper training of IT, security and individual users

 

For more specific guidance in addressing cloud security challenges, a CSP can be one of the best sources of advice. Service providers offer a range of advanced security and privacy capabilities, as well as guidelines and security defaults for rigorous configuration of cloud settings. But many organizations don’t follow these guidelines, and some may even inadvertently disable essential security settings.

 

A CSP may offer continuous monitoring solutions to help detect suspicious user activity and assess an organization’s threat status in real time. Monitoring is also essential to tracking and prioritizing investigations of malicious incidents.

 

However, CSPs don’t provide much help in minimizing third-party risks. Business and security leaders will need to carefully assess a partner’s security capabilities to make sure they meet or exceed their own. This assessment can also help determine the right amount of access to grant third-party users.
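One way to find the highly privileged third-party roles described earlier is to review each role's trust and permission policies together. The sketch below is an added example, not part of the original article: it assumes AWS-style IAM policy JSON (the article names no provider), and the role dictionary shape, role names and account ids are constructed for illustration.

```python
import re

OWN_ACCOUNT = "111111111111"  # constructed: the organization's own account id

def _as_list(v):
    return v if isinstance(v, list) else [v]

def external_accounts(trust, own=OWN_ACCOUNT):
    """Account ids other than ours that the role's trust policy lets in."""
    found = set()
    for stmt in _as_list(trust["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        p = stmt.get("Principal", {})
        for arn in ["*"] if p == "*" else _as_list(p.get("AWS", [])):
            m = re.search(r"\d{12}", arn)
            acct = m.group(0) if m else arn  # "*" = any account
            if acct != own:
                found.add(acct)
    return found

def is_broad(policy):
    """True if an Allow statement grants '*' or 'service:*' on every resource."""
    for stmt in _as_list(policy["Statement"]):
        acts = _as_list(stmt.get("Action", []))
        wild = any(a == "*" or a.endswith(":*") for a in acts)
        if stmt.get("Effect") == "Allow" and wild and "*" in _as_list(stmt.get("Resource", [])):
            return True
    return False

def audit(roles, own=OWN_ACCOUNT):
    """(role, outside accounts) for externally assumable roles with broad rights."""
    hits = [(r["name"], sorted(external_accounts(r["trust"], own))) for r in roles
            if any(is_broad(p) for p in r["permissions"])]
    return [(name, accts) for name, accts in hits if accts]

def _role(name, account, action, resource):  # builds constructed sample data
    trust = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                            "Principal": {"AWS": f"arn:aws:iam::{account}:root"}}]}
    perm = {"Statement": [{"Effect": "Allow", "Action": action, "Resource": resource}]}
    return {"name": name, "trust": trust, "permissions": [perm]}

SAMPLE_ROLES = [
    _role("vendor-admin", "222222222222", "*", "*"),
    _role("vendor-log-reader", "333333333333", "s3:GetObject", "arn:aws:s3:::example-logs/*"),
    _role("internal-admin", OWN_ACCOUNT, "*", "*"),
]

for name, accounts in audit(SAMPLE_ROLES):
    print(f"REVIEW {name}: assumable by {accounts} with wildcard permissions")
```

Only the vendor role that combines outside access with wildcard permissions is reported; the narrowly scoped vendor role and the internal administrator role are not.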

 


 

[1] Flexera, “2021 State of Cloud Report.”

[2] IDG and Google, “New research: Enterprises more confident than ever in cloud security,” July 1, 2021.

[3] Wiz, “82% of companies unknowingly give third parties access to all their cloud data,” February 2, 2021.

[4] Ibid.