The work-from-home movement prompted by the pandemic has accelerated the move to the cloud. More businesses now rely on the cloud to support remote workers and keep operations running. While the cloud has been extremely beneficial in enabling business continuity, cloud expansion also has amplified the cloud security challenge, which was already huge.
One of the biggest issues with cloud security is that it hinges on a shared responsibility model, which is a big cause of confusion. In this model, cloud providers assume some responsibility. The rest is up to the customer. This is very different from the on-premises data center model, in which companies have complete control of their infrastructure and data and how to secure it.
The shared responsibility model creates confusion because it changes depending upon the infrastructure and cloud services type. The three V’s in the cloud — volume, variety and velocity — only compound this challenge by dramatically increasing the attack surface.
A Very Vexing Venture
The volume and variety of data are humongous. People and machines are uploading “a staggering 24,000 gigabytes” of data to the internet every second.
Last year, the World Economic Forum published an article that said “the entire digital universe is expected to reach 44 zettabytes by 2020.” This was before Covid-19, which led to new data collection efforts and which McKinsey said “vaulted” digital adoption five years forward.
Meanwhile, the technologies replacing traditional infrastructure are increasing cloud velocity. Virtual machines, which will seem old school in a few years, last for days, weeks or months. Containers last an average of nine hours. Serverless functions may exist for just a few minutes.
That’s an extremely dynamic environment to get a handle on, especially considering the cloud doesn’t provide you with total control. It’s up to the enterprise to keep up with these changes and make sure someone is addressing the security and compliance challenges they present.
A Learning Opportunity
The first step to doing that is education. You need to work to understand where your cloud service providers’ boundaries end and where your boundary of responsibility begins.
You’ll want to assign responsibility for application-level controls, client and endpoint protection, data classification and accountability, host infrastructure, identity and access management, network controls, and physical security. Do this exercise separately for infrastructure as a service (IaaS), on-premises, platform as a service (PaaS) and software as a service (SaaS).
A House Of Security
Every good information security program includes closed-loop security. The closed-loop approach to security is important because no security mechanism is foolproof.
This concept is akin to the security in a house. A house has doors and windows, which we can lock. The second level of protection is using heat sensors and motion detectors to monitor for intruders. If an event suggests that remediation is required, the monitoring system can trigger an alarm to call the police, providing a third level of protection. I call this the “house of security.”
The closed-loop enterprise house of security starts with assessment. Cybersecurity threats are always evolving, so you need to evaluate your security landscape continuously. Intrusion detection and prevention systems (IDS and IPS) can help with this first level of cybersecurity.
Monitoring and remediation are the second and third levels of protection. Monitoring involves using security monitoring tools such as security information and event management (SIEM) and cloud-native log management tools with business logic to flag incidents and raise alarms. Remediation entails understanding and using risk assessments to prioritize and fix the incidents that triggered the alarms.
An Assessment Of Risk
Risk assessment should be part of any robust information security and/or compliance program. This exercise involves trying to make sense of security-related events to better prioritize which ones are most important and how you are going to deal with them.
This starts with identifying what’s important and what’s not. You need to know what assets are critical so you can protect them against threats. Also, work to understand which threats and threat actors are important. You’ll want to consider your ability to detect and respond to threats as well. Likelihood and impact are important factors in assessing enterprise risk.
You can’t solve for everything, so you need to first prioritize and then address problems.
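The closed-loop idea above (monitoring logic that flags incidents, then risk-based prioritization of what to remediate) in a small, self-contained form. This is an added example, not code from the article; the log lines, rule thresholds and asset impact scores are constructed and assumed for illustration.

```python
import json
from collections import defaultdict

# Constructed audit-log sample (loosely modelled on cloud audit events, not real provider output).
SAMPLE_LOGS = """
{"ts": 100, "user": "alice", "action": "ConsoleLogin", "result": "FAILURE", "asset": "console"}
{"ts": 130, "user": "alice", "action": "ConsoleLogin", "result": "FAILURE", "asset": "console"}
{"ts": 160, "user": "alice", "action": "ConsoleLogin", "result": "FAILURE", "asset": "console"}
{"ts": 200, "user": "bob", "action": "PutBucketPolicy", "result": "SUCCESS", "asset": "customer-data", "public": true}
{"ts": 250, "user": "carol", "action": "PutBucketPolicy", "result": "SUCCESS", "asset": "scratch-bucket", "public": true}
{"ts": 300, "user": "bob", "action": "ConsoleLogin", "result": "SUCCESS", "asset": "console"}
"""

# Hypothetical asset inventory: impact score 1-5 taken from the risk assessment (assumed values).
ASSET_IMPACT = {"customer-data": 5, "console": 4, "scratch-bucket": 1}

def parse_events(text):
    """One JSON event per line; blank lines are skipped."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def detect_incidents(events, fail_threshold=3, window=120):
    """Monitoring step: business logic that raises an alarm for repeated login
    failures inside a time window and for policies that make storage public."""
    incidents = []
    failures = defaultdict(list)
    for ev in events:
        if ev["action"] == "ConsoleLogin" and ev["result"] == "FAILURE":
            failures[ev["user"]].append(ev["ts"])
            recent = [t for t in failures[ev["user"]] if ev["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                incidents.append({"rule": "login-bruteforce", "user": ev["user"],
                                  "asset": ev["asset"], "likelihood": 3})
                failures[ev["user"]] = []  # one alarm per burst, then start counting again
        elif ev["action"] == "PutBucketPolicy" and ev.get("public"):
            incidents.append({"rule": "public-exposure", "user": ev["user"],
                              "asset": ev["asset"], "likelihood": 5})
    return incidents

def prioritize(incidents):
    """Remediation step: risk = likelihood x impact, highest risk handled first."""
    for inc in incidents:
        inc["impact"] = ASSET_IMPACT.get(inc["asset"], 3)  # unknown asset: assume medium impact
        inc["risk"] = inc["likelihood"] * inc["impact"]
    return sorted(incidents, key=lambda i: i["risk"], reverse=True)

def remediation_queue(text=SAMPLE_LOGS):
    return prioritize(detect_incidents(parse_events(text)))
```

Run against the sample, the exposed customer-data bucket tops the queue, the login burst comes second, and the public scratch bucket is flagged but ranks last.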
A Means To Scale
It’s also impossible to adequately address cybersecurity manually. Speed and velocity are critical for cloud security success because hackers can steal data within minutes or seconds.
Yet it typically takes companies about nine months to learn about and contain a breach. The volume and variety of data, and the velocity of the cloud, make locating the source of a breach like finding a needle in a haystack. So, automation is key in enabling effective cybersecurity.
You need sophisticated, fast-acting tools operating at cloud speed to contend with today’s gigabytes-per-second world and avoid the financial and reputational damage that cybersecurity events can create.
A Way To Divide And Conquer
Organizations can reduce the attack surface, secure critical applications and improve their regulatory compliance posture with micro-segmentation. This method also addresses the fact that attacks do not always come from the outside. Attackers are increasingly gaining access to IT networks and then moving laterally to find a target.
Micro-segmentation divides the network into individual sections so that traffic within and between them can be monitored and controlled. Security teams can then establish controls and deliver services for each unique segment — or community of interest — of the infrastructure.
A sound micro-segmentation strategy allows for consistent implementation of security policies across data center and cloud platforms.
A Myth Debunked
Many people think the cloud is secure. That’s a myth.
If you don’t understand and address cloud security, your organization will be exposed.
With the cloud, you don’t have full control over your infrastructure. That’s why the shared responsibility model exists. You need to take control by understanding this model in detail.
At the end of the day, security is your responsibility.