Going into 2020, businesses are expected to continue the transition from on-premise to cloud. Many are increasingly adopting a cloud-first strategy, where if possible, they will run their services on a cloud platform vs keeping them in a data center.
And why not? The benefits of moving to the cloud are enormous and the list is long. They range from – but are not limited to – reduced overheads, improved scalability without the capex costs, and improved efficiencies. The big one that hangs over many decisions is competitive advantage. If they do not take advantage of the benefits the cloud offers, their competitors will. They will simply be at a competitive disadvantage if they do not.
While the benefits are great, we are seeing many companies rapidly shift into the cloud without a clear understanding of the associated risks – and the result of this can be catastrophic. One of many examples to date is the DIY retailer Home Depot, which in 2014 suffered a major data breach that exploited its point-of-sale terminals at self-checkout lanes. This impacted 56 million credit card numbers and left Home Depot with over a hundred million dollars in lawsuit settlements and compensation to affected consumers.
How has security changed?
Before the cloud it was easier. A company owned its computer infrastructure and kept it in a data center or a hosting facility. The security responsibility was clear-cut. Everything in its environment was up to the company to secure – all of it – up to the internet connection. No one expected their telecom provider to protect their information. The security perimeter was defined.
But once a company moves to the cloud, the security perimeter instantly starts becoming vague.
There is no longer an internet connection that feeds into your equipment. Your services are now in the internet, not going to the internet. On top of that, what the security team is responsible for and what the cloud provider is responsible for is often misunderstood. Previously, the company owned all security responsibility. Now, it’s shared between the company and the cloud provider.
What are the consequences of this? Breaches are soaring. According to Risk Based Security, 2019 is shaping up to be a landmark year, as it has seen over 3,800 breaches—a 50% or greater increase over the last four years.
Every week a new headline appears about a company getting breached through one of their cloud services.
Companies have not completely understood their risks when moving to the cloud and are now paying the price.
Why are cloud risks increasing?
A recent study by Centrify came up with some good insights into why this is happening. Here is a summary of their results:
- Centrify found that businesses are not employing a common security model or enforcing least privilege access to reduce risk.
- It is not clear to businesses how to secure multi-cloud and hybrid (cloud + on-premise) environments. They are not sure who is responsible for controlling hybrid environments. Therefore, they don’t use a common security model, which is best practice, and secure each environment differently as a result.
- 76 percent are using more than one identity directory in their cloud strategy, which puts them at risk of “identity sprawl” and unsecured cloud attack surfaces.
- 68 percent of organisations are not implementing Privileged Access Management (PAM) best practices to control access to cloud environments.
Tim Steinkopf, CEO of Centrify, summed it up best: “We know that 80 per cent of data breaches involve privileged access abuse, so it’s critical that organisations understand what they are responsible for when it comes to cloud security, and take a least privilege approach to controlling privileged access to cloud environments. Too much access and privilege puts their workloads and data at risk.”
Companies have not understood how they should secure their cloud assets, or have not completely thought out what their security model should be for the entire company, including the cloud. In some cases this has made things needlessly more complex.
Recommendations to reduce cloud risks
With proper planning and understanding of the cloud landscape, risks can be greatly reduced. Here are three recommendations companies can follow to improve their security posture:
- Employ a common security model across the cloud platforms and on-premise facilities.
- Enforce Least Privilege across the cloud the same way you would for on-premise to reduce risk.
- Have a clear understanding of who has responsibility for securing all aspects of the cloud, especially who is responsible for controlling privileged access.
As organisations continue their journey to the cloud, they must understand the cloud environment and processes to close the gap between their cloud adoption and securing their on-premise platforms. Businesses will need to form a common security model for all their platforms. Many of the same security controls like Least Privilege remain the same, whether in the cloud or on-premise. If companies don’t understand these things, their risks will continue to increase and they will continue to become an easy target for cyber criminals.
About the author
Todd Wade
Principal Consultant, CRMG
Former CTO Skechers (Europe)
Industry Specialism: Rapidly Scaling Startups, Cloud technologies, Retail
Area of Expertise: Cyber Security Executive Management, Technology Risk