Out of the Haze
The challenges surrounding cloud security are significant. A 2019 study of 700 IT and security professionals conducted by CSA and AlgoSec found that common problems revolve around misconfigurations, visibility into the entire cloud estate, inadequate audit preparation and compliance, holistic management of cloud and on-premises environments, and managing multiple clouds. What’s more, human error factored into many problems. In all, 11.4% of respondents reported a cloud security incident in the past year, and 42.5% had a network or application outage. Eighty-one percent of cloud users said they encountered significant security concerns.
At the most fundamental level, cloud security incorporates any and all data that touches private, public, and hybrid clouds. The risks and protections are similar to those of conventional IT systems, but the topography and structure of cloud networks create far more intrusion points and data exposure hazards. APIs make it easier to bypass conventional perimeter-based security protections, and in many cases provide a backdoor into systems that can lead to a takedown. Clouds are also highly dynamic, and threats to the infrastructure are constantly changing.
And while cloud providers—including the likes of AWS, Microsoft, Google, Rackspace, and Oracle—have strong security controls in their data centers and offer security tools in applications, default configuration settings can create problems. “Default configurations aren’t necessarily safe, and the cloud provider may not notify you that this is the case,” Yeoh explains.
Problems often revolve around authentication methods, permissions, whether data is encrypted at rest and in motion, and which cloud services and components are open by default. Not surprisingly, cloud providers often lean toward convenience and ease of use. Often, channel pros and others engineering and designing IT frameworks don’t bother to examine how systems are configured and how they interact with each other within the realm of security. “If you’re not careful,” Yeoh says, “you inadvertently wind up with systems that can expose a lot of sensitive information. If someone has access to cloud components, folders, or files, they can do a tremendous amount of damage.”
For MSPs, it’s unwise to view cybersecurity as the primary responsibility of cloud service providers. There are simply too many moving parts and bits of data to think that checking settings and connections is sufficient.
“Unless it's specifically called out in a contract, a cloud provider’s focal point is availability and uptime … not security,” says Kevin Beaver, principal information security consultant at Principal Logic. The problem extends to SOC 2 audits, he continues. These reports “often paint a rosy picture in terms of security ... but actual vulnerability and penetration testing that highlights technical flaws is also needed.”
A sense of complacency can be fatal, Gartner’s Riley adds. “Over the last decade we’ve gone from, ‘I’ll never trust cloud computing to be secure’ to ‘It has to be more secure because AWS, Microsoft, and Google are offering these services.’” However, cloud security failures are more common than ever, he points out. What’s more, “They’re almost always the fault of the customer for not appreciating that they have the primary responsibility and taking time to ensure that everything is configured properly.”