This article is part of our new State of Cloud Security 2021 Series which will interview a diverse mix of cloud security experts, design-makers, and practitioners with a goal of better understanding their perspectives on the current state of and future of cloud security.The following is an interview our CTO, John Grange recently had with IT security specialist and consultant, Thomas Jung.
JG: What is the state of cloud security today?
TJ: Cloud storage and cloud computing are still relatively new technologies that can save companies millions of dollars in infrastructure and storage costs. As companies began to learn about cost savings, they quickly started to pivot using cloud storage and cloud computing. However, due to many companies using agile practices, they prioritized shipping out products as soon as possible over incorporating security and privacy from the start of cloud adoption.
For example, Amazon Web Services (AWS) Simple Storage Service buckets, or simply “S3 buckets,” were configured by default to be publicly accessible. With companies severely lacking awareness about cloud security, many left their S3 buckets misconfigured to public access, allowing data from thousands of AWS S3 buckets were leaked or scraped by bad actors to gain private, personal, and even classified information. This simple cloud misconfiguration accounted for millions of dollars in damage and lawsuits. In response, Amazon Web Services changed the default accessibility settings to private, which has led to a dramatic decrease in cloud storage breaches and scrapping incidents.
JG: What are the most common challenges organizations face when it comes to cloud security today?
TJ: There are many security challenges that organizations face when pivoting towards a cloud environment over traditional on-premise storage. From my experience, these are the top three challenges faced by organizations include:
Data Breaches - a cybersecurity incident where sensitive, protected, or confidential information is released, viewed, stolen, or used by an unauthorized individual.
- Business Impacts: Damages reputation and trust of customers, can lead to the loss of intellectual property to competitors, breach of legal and contractual liabilities, financial expenses spent on incident response, and digital forensics teams.
Misconfiguration and Inadequate Security Controls – this occurs when computing assets are set up incorrectly, which leaves companies vulnerable to malicious actors.
- Business Impacts: data breaches, deletion or modification of resources, service interruptions, ransomware attacks.
Lack of Cloud Security Architecture and Strategy – This occurs when a company is transitioning without implementing an appropriate security architecture to withstand cyber-attacks.
- Business Impacts: Financial loss, stolen intellectual property, reputational damage, legal repercussions, and fines from both customers and regulatory organizations.
JG: What lessons can be learned from the biggest cloud-related breaches of 2020?
TJ: There are several lessons that can be learned from the mistakes that led to cloud data breaches, these include:
- Data is becoming the new oil of the 21st century, and therefore, data is becoming the main target of cyber-attacks. Defining the business value of data and the impact of its loss is essential for organizations that own or process data.
- The Protection of data is becoming a question of who has access to it.
- By making data accessible through the internet, organizations must realize that their most vulnerable business asset can be lost through simple misconfiguration or exploitation.
- Applying encryption techniques to increase cloud security can help protect data but negatively impact overall system performance and create an environment that makes applications less user-friendly.
- Having a strong and vigorously tested incident response plan that considers both the Terms of Service of the Cloud Service Provider and adheres to data privacy laws will help organizations recover from data breaches.
JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?
TJ: As cloud business models and security tactics evolve, organizations must raise awareness of critical security issues such as data breaches, misconfiguration, and identity and access management. They must also consider threats caused by the lack-of-control that users may experience with Cloud Service Providers, such as limited cloud usage visibility and a weak control plane. These issues can lead to data breaches or leaks beyond the traditional landscape. Organizations must also consider that user interfaces and application programming interfaces (API) are becoming the new standard way to provide consume services; these alone face significant challenges when it comes to security and privacy. This risk can be reduced with regular internal and external 3rd party penetration testing. The cloud is a complex environment, and because of this, it also creates a perfect place for bad actors to hide and move laterally to even on-premise storage solutions. Lastly, insider threats will always be problematic for organizations; build and foster a business environment of trust and transparency.
JG: What’s the future of cloud security?
TJ: The next frontier of cloud security will likely be developing multi-cloud security solutions that combine tools, software, and technology to manage cloud services and enable business applications. These IT infrastructures are seeing shifts in consumption that make the flexibility of an attractive solution. Unfortunately, this will also create new access points and a larger attack surface. The ways of working have been altered in profound ways; organizations need to consider the seriousness of distributed DevOps best practices that increase collaboration and introduce new cloud security approaches. Organizations can use agile development to embrace virtual collaboration communications, automate DevOps processes that continue to shift left, and allow for new roles to support cloud operating models. This combination of multi-cloud solutions, federated security, and distributed DevOps best practices will enhance cloud security and privacy.