Comprehensive IT security is essential for effective protection of cloud-based resources
It has been part of the IT infrastructure of companies for more than 15 years; however, adoption rates continue to accelerate, Aden Axen in Somerville writes.
Cloud computing came into mainstream usage when Amazon launched its public cloud resources in 2006. Since then, organizations of all sizes have been drawn to the concept due to the flexibility and cost savings on offer.
Cloud adoption has been boosted by pandemic restrictions that have forced many people to leave their desks and work from home. Moving applications and data to a cloud platform made remote access easier and allowed staff to stay productive.
The Challenges of Effective Cloud Security
Although cloud platforms can provide significant business benefits, they can also pose challenges when it comes to providing effective IT security. Rather than having digital assets housed in an on-premises data center protected by a firewall, they are entrusted to an external platform managed by a third party.
In addition to using tools capable of protecting resources hosted on a cloud platform, organizations must also ensure that they comply with regulatory requirements. An example is that of Australia Privacy Act 1998, which sets out clear guidelines on how the privacy rights of Australian citizens should be addressed.
Compliance with law and other regulations is a company’s sole responsibility, whether the data is stored on-premises or in the cloud. While the responsibility to protect data stored on-premises is easy to understand, many companies don’t understand the concept of shared responsibility for cloud security.
While cloud service providers are responsible for managing the security and availability of cloud infrastructure, the companies that use it remain responsible for the security of their own data and applications.
Achieve strong cloud security
To ensure that data hosted on a cloud platform is as secure as possible, businesses must follow certain essential steps. They understand:
- Data encryption during transmission and at rest
- Ensure effective cryptographic key management measures are in place
- Constant monitoring of remote access management, including multi-factor authentication (MFA)
- Adopt a zero-trust architecture to protect resources from unauthorized access
Many organizations will find that they lack the knowledge and skills required to provide effective security in the cloud. In these situations, advice and assistance should be sought from an experienced technology partner.
Problems posed by increasing complexity
As more resources are moved to the cloud and multiple clouds are used for different purposes, the complexity of the resulting IT infrastructure can quickly increase. According to a recent study, 51% of organizations agree that managing privacy and data protection is more difficult in a multi-cloud environment than on-premises.
The complexity is further exaggerated by the current problem of skills shortages. According to ISC 2022 Cloud Security Report:
- 93% of organizations are moderately or extremely concerned about the shortage of skilled IT staff
- 61% of companies say having the right skills to deploy and manage cloud security is their biggest challenge
When the methods used by cybercriminals to steal data from cloud platforms are examined, it becomes clear that ransomware is the number one threat. According to Verizon 2022 Data Breach Investigation Report, ransomware attacks increased by 13% in 2021. This increase was as large as the last five years combined.
To gain access, cybercriminals tend to follow three main attack paths. These include compromised credentials, phishing campaigns, and exploits of vulnerabilities.
Ongoing investment in safety is vital
Relying solely on preventative controls will never provide the level of security protection required by a modern cloud-centric organization. Unfortunately, there is no bulletproof solution and so having a security practice layered with resilient response methods is the best approach.
When data breaches occur, it’s important to have the ability to detect and recover as quickly as possible. The Verizon report found that nearly 70% of hacked organizations detected the attackers in days or less.
However, while this percentage looks promising, it must be tempered by the realization that there are still 25% that still took months or more to detect a problem. Ignorance and late response times are the biggest enemies of business continuity.
For this reason, continued investment in security tools and services is vital. Organizations must have the ability to react quickly to an attack and thus avoid long periods of business interruption.
Preventive controls should also be accompanied by detailed incident response and business continuity plans. Other measures include robust data recovery capability so that all affected systems can be brought back online as quickly as possible.
Making strategic investments in security measures, and seeking external assistance and guidance when necessary, can enable an organization to achieve appropriate levels of security for its cloud-based resources. The significant benefits of the cloud can then be enjoyed without exposing the organization to additional risk.
Aden Axen is Head of Cloud Services at Somerville.