Top 5 Cloud security issues and how to fix them

09.Oct.2018

Outpost24

Cloud and container security

Digital transformation is fueling widespread adoption of cloud computing, allowing organizations to leverage virtualized infrastructure and accelerate innovation. The cost advantages that cloud infrastructures offer is clear, but your approach to security may need to change to fit technology and process differences. As you move workloads to the cloud, how can you assess infrastructure, application, and data security risks that might disrupt your business?

See below 5 of the mains cloud security issues with some tips to fix them:

1. Gain visibility by identifying your cloud assets

Considering the high number of cloud applications that companies use throughout all their departments, it’s almost impossible for the security team to keep track of where they are and who is accessing what across the organization.

Companies that migrate from on-premise infrastructure to the cloud soon find themselves struggling to maintain visibility of their cloud assets, as each department is given more freedom to deploy and use SaaS and IaaS solutions. Hence gaining visibility is the first step for security teams to take control.

Because the cloud assets reside beyond traditional perimeters, it requires a security solution built specifically for this new environment to provide insights into the inventory and security posture of the cloud assets.

Security tips:

Use security solutions which include auto-discovery technology through API. You will be able to have an inventory of all your network, servers, and workloads without shadow IT risk. They allow you to save time and provides a comprehensive view of all your deployments. Better still, implement a full stack security tool that can provide an accurate single pane of glass view of the correlated risks between on-premise and cloud assets.

2. Skill up on cloud security

Following our recent study, 16 percent of organizations have ignored a critical security flaw because they didn’t have the skills to rectify it, while 26 percent have overlooked a critical security flaw because they didn’t have time to fix it.

However, two thirds (64%) of UK IT decision makers said their organizations are losing out revenue because they don’t have the required cloud expertise.

With more than a hundred different services for each Cloud provider (e.g., 142 services for AWS) security teams can’t keep up with all the best security practices and apply them effectively.

If companies don’t have the appropriate cloud expertise in-house, the benefits offered by the cloud can soon be outweighed by risks.

Security tips:

Finding and hiring employees with strong cloud security expertise are notoriously tricky, you must think about outsourced services from cyber security companies. MSSP or software companies with strong cloud competency could be an excellent option to guide your organization through the setup and help with adapting security policy for your cloud environment until you build up sufficient cloud experience internally.

3. Follow security best practices for you cloud configuration and workloads

A recent study from 155 security professionals shows that only 47 percent of organizations patch vulnerabilities as soon as they are known, 16 percent wait for one month, while 8 percent admit to only apply patches once or twice a year. If you think that Infrastructure as a Service providers are the only one responsible for the security protection of your data in the cloud, think again. The IaaS model is based on the shared responsibility model where you (as the customer) are responsible for everything above the line.

Deploying applications and data in cloud infrastructures do not protect you from vulnerabilities and weakness in applications and data. Cloud Workloads have their own vulnerabilities, and they are risky assets because traditional security solutions do not integrate Cloud Workload Protection technology. You must continuously monitor your infrastructure and apply corrections and patches to stay secured.

Security tips:

On the one hand, deploy and configure a standardized architecture that meets the Center for Internet Security (CIS) AWS Foundations Benchmark and CIS Microsoft Azure Foundation Benchmark.

On the other hand, use an automated vulnerability management solution to monitor your environment continuously for your workloads security.

4. Beware of APIs

“Just in 2018 alone, we've seen at least half a dozen high-profile data breaches and security exposures caused by poor API security (Salesforce, Panera Bread, Vemno,…). And that doesn’t even include incidents at T-Mobile, Instagram, and McDonald's that all together exposed sensitive data about millions of their users.” according to Ericka Chickowski from darkreading.com. Application programming interfaces (APIs) are all the rage as developers now rely heavily on them to support the delivery and integration of products and services. They are the public front door to your application, and by default need to be accessible externally. Cloud services allow third-party access by exposing APIs, but many DevOps and companies overlook the importance and fail to secure APIs properly.

Security tips:

Follow security by design approach to application development. With this approach companies will be able to understand the security requirements around publishing APIs and build adequate authentication, authorization, and encryption, as well as making sure the code itself doesn’t contain any apparent vulnerabilities earlier on in the SDLC. You can follow the Rest Security Cheat Sheet from OWASP to get more information.

5. Train your users to use best security practices

A "State of Cloud Readiness Study" survey by Softchoice (500 business executives in North America were interviewed) shows that 53% of IT leaders were struggling to attain the necessary cloud-centric skills for their team.

IaaS providers describe their best security practices for the cloud. Your users can find the top 10 AWS best security practices or the top 10 Microsoft Azure best security practices. Employees’ actions could be the most critical front door to cyber-attack without appropriate training. IT leaders must ensure cloud users know best practices because this is the better way to secure the company’s environment from misconfigurations.

Security tips:

Companies should also identify and empower awareness ambassadors – cloud users who are committed to security initiatives and push their colleagues to do the same - this will help to raise the whole organization's security posture.

Also, annual training is not enough because technologies are evolving. You must set up a long-term plan with customized training regarding each environment needs and data access.

This list of cloud security issues is not exhaustive, and they could be different regarding your environment. As a security company and Cloud Security Alliance member (Sergio Loureiro, Cloud Director, is one of the founders of the CSA), we know that the cloud migration is a big worry for many organizations. Our webinar “Cloud Providers ate hosting companies’ lunch, what’s next? Security!“ will give you more information to resolve your cloud security issues.