Using the cloud: Navigating risks and ensuring data security

Cloud security is a top priority for cloud leaders and also a significant skills gap in their organizations. And yet, many organizations still struggle to understand and implement cloud security practices. 

They struggle because they prioritize the security of individual cloud services over the security of their practices. This blog challenges that mindset and gives leaders three ways to ensure they use cloud technology securely.

Cloud security encompasses the tools and practices used to maintain the privacy and security of your business data across various cloud platforms, applications, and services. While some of the standard security principles from traditional security still apply, cloud security differs in one major way: cloud security operates under a shared responsibility model between your business and the cloud providers you use.

The cloud comes with its own risks. But leaders questioning whether the cloud is secure are asking the wrong question. The cloud is secure. How organizations use the cloud is up for debate. 

Cloud service providers are invested in the security of their offerings, partly because they know if they don’t secure their platforms, you wouldn’t use them. And they spend billions of dollars every year ensuring the technology they provide is as secure as possible. 

It’s how you use the services, how you structure your cloud solutions, and how your teams access cloud data that determines the success or failure of your cloud security initiatives. According to Gartner, 99% of cloud security failures will be the customer’s fault and 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data.

The cloud comes with its own risks. But leaders questioning whether the cloud is secure are asking the wrong question. The cloud is secure. How organizations use the cloud is up for debate. 

Cloud service providers are invested in the security of their offerings, partly because they know if they don’t secure their platforms, you wouldn’t use them. And they spend billions of dollars every year ensuring the technology they provide is as secure as possible. 

It’s how you use the services, how you structure your cloud solutions, and how your teams access cloud data that determines the success or failure of your cloud security initiatives. According to Gartner, 99% of cloud security failures will be the customer’s fault and 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data.

Cloud data management consists of the tools, policies, and procedures that govern how organizations control their data stored, accessed, or processed in the cloud. At it’s core, it should cover identity and access management, intrusion detection and prevention, and data backups.

Identity and access management (IAM): IAM technology is used to manage users and access permissions. With proper authentication, users can work with your applications from any location and device. One form of IAM is when enterprises use Single Sign-On, giving employees access to all approved applications. Another example is Multi-factor Authentication, which requires users to verify their identity across multiple devices. 

Intrusion detection and prevention: Your organization can detect and protect against threats early with services that defend against malware, spyware, and other attacks. One example of such a service is Cloud IDS, which provides full visibility into your network traffic and lets you monitor VM-to-VM communication. There are many other intrusion detection systems you can use.

Data backups: To prevent data loss, free up space, and keep data safe, performing regular data backups is imperative. We recommend storing your data remotely, encrypting your transferred files for enhanced security measures.

Software vulnerabilities aren’t new. But if they occur in the cloud they can cause many new problems for your organization. In a cloud environment, one vulnerability has the opportunity to be replicated across workloads and affect your entire cloud infrastructure. For most organizations, this would affect half their overall technical infrastructure. 

Approximately 63% of source-code repositories have high or critical vulnerabilities, most of which are at least two years old. For internet-facing services in public clouds, the number drops to 11%, but with more than 70% of those more than two years old. 

Cloud vulnerabilities can be broken down into four categories: misconfiguration, poor access control, shared tenancy vulnerabilities, and supply chain vulnerabilities. Misconfigurations (when cloud engineers misunderstand shared responsibility models or make cloud service policy mistakes) and poor access control (when vulnerabilities bypass authentication and authorization policies, or the policies themselves are weak) are the most common. Organizations can mitigate these risks with patch management.

Patch management is how organizations identify, test, and verify patches for security vulnerabilities. These policies and procedures should cover:

Identification and prioritization of vulnerabilities: You should regularly scan your systems for vulnerabilities and monitor the CVE list for new vulnerabilities and exposures. Once you have your list of vulnerabilities you need to triage it and decide which vulnerabilities are the most high-impact or urgent. Automated vulnerability management programs can help identify vulnerabilities.

Patch testing and verification: Not all patches play well with your cloud environments. Your teams should have a process for verifying patches were successfully applied. They should also test patches to make sure they don't affect other systems or existing patches.

Securing data in the cloud is complicated. Between multi-tenancy complications, ensuring end-to-end data encryption with your cloud providers, supply chain vulnerabilities, and the risk of man-in-the-middle attacks, there’s a lot to watch out for. 

And it’s made more challenging if your organization has immature or inconsistent cloud policies and practices. At the end of the day, though, the responsibility for data security ultimately rests solely with you. Cloud configuration management can help.

Cloud configuration management is the process of maintaining cloud systems in their desired state. It also monitors system performance, making sure it remains consistent over time. Configuration management is critical in cloud environments—and more so in multicloud environments—because of its ability to audit and control changes. 

Organizations have two choices when it comes to cloud configuration management: cloud-native or third-party tooling.

Cloud-native tools: These are offered by the individual service providers and link closely with other native services, offering deep capabilities for cloud engineers.

Third-party tools: These tools are offered by SaaS vendors. They require more manual actions from cloud engineers, but work with multiple platforms at one time.

The cloud itself is a safe place to house data. But improper usage and carelessness can result in data leakage and other destruction. Cloud leaders need to take stock of their cloud security policies and practices as they continue to adopt and use cloud services.