Moving on Up: The Challenges of Cloud Security

Many organizations are not in the technology business, and the work of hosting their own infrastructure can be a distraction from their core business activities. By leveraging the services of cloud service providers, these organizations can leave infrastructure management to the experts and reap the benefits of sharing infrastructure costs with other cloud customers.

However, the differences between maintaining infrastructure in the cloud and on-premises deployments aren’t all to an organization’s benefit. The cloud is a very different environment than what IT staff and employees are used to when working with company-owned systems. These differences can create significant challenges when trying to adapt to the cloud.

Many serious cloud-related challenges come in the field of cloud security. The move of company infrastructure from within the organization’s perimeter (on company owned and controlled systems) to systems that are under the control of a third-party vendor requires a very different approach to security. And, with the rapid adoption of the cloud, failing to meet these challenges can result in a devastating data breach.

Challenges of the Cloud

Adoption of cloud computing by enterprises is growing rapidly. In 2018, it was estimated that over three quarters of enterprises are using the cloud, and that number is only expected to grow in the coming years. Unfortunately, one thing that isn’t keeping up with the rapid pace of cloud adoption is cloud security. Securing the cloud is a very different proposition than securing on-premises systems. As a result, a large number of data breaches occur due to improperly secured cloud repositories every year.

Understanding the potential challenges of cloud security is an important component of overcoming them. Three of the biggest problems faced by IT professionals when trying to secure an organization’s cloud deployment are the rapid adoption of cloud computing, the lack of visibility into infrastructure leased on the cloud, and security misconfigurations in cloud deployments.

  • Rapid Adoption

One of the biggest challenges that IT professional cite regarding cloud security is the massive success and rapid growth of the use of cloud computing solutions. The benefits of cloud computing can mean that organizations can benefit greatly by leveraging its “as a service” offerings; however, the massive response by organizations and employees has left security in the dust.

In fact, 93% of IT professionals polled in a recent survey regarding cloud security say that they are having trouble keeping up with the rapid pace of cloud adoption. In fact, they estimate that a third of the files stored on the cloud have no business being there. The nature of cloud computing means that these files can easily turn from misplaced to breached or leaked.

  • Limited Visibility

A second challenge that many IT professionals face when attempting to secure cloud computing is the limited visibility that they have into the infrastructure that supports their cloud-based deployments. Cloud service providers’ (CSPs’) “as a service” offerings help decrease the infrastructure requirements of organizations by outsourcing them to a third party.

However, along with the need to maintain these systems, moving to the cloud means that organizations also give up the ability to monitor them. With cloud computing and data storage, an organization is likely unaware of the exact location of their data at any given time. The inability to perform audits of a CSP’s infrastructure means that these organizations need to trust that their CSP is appropriately protecting the data and applications entrusted to their care.

  • Cloud Security Misconfigurations

Cloud security misconfigurations are one of the most common ways that organizations breach sensitive data in the cloud. These issues typically boil down to a lack of understanding of the fact that “public” really means public.

Most cloud data storage providers provide different levels of security settings that a customer can apply to their cloud deployment. The simplest option is choosing whether to make a cloud data repository private or public. A private repository is accessible by invitation only, while a public one can be accessed by anyone who knows the shared URL.

The lesson that many different companies and organizations have learned the hard way is that it is not difficult for an unauthorized party to learn the URL of cloud data stores. In fact, tools exist that are specially designed to search the web for URLs of cloud repositories and then check the permissions to determine if the security settings are appropriately configured to protect the data inside. While several security researchers make a habit of scanning for and ethically reporting vulnerable repositories to their owners, hackers can do so as well, allowing them to make off with the exposed data, likely without the owner having any idea.

Securing the Cloud

Many of the challenges associated with cloud security are caused by the fact that organizations are trying to secure their cloud deployments in the same way as on-premises systems. While many of the same cyber defense solutions are needed in the cloud, trying to apply the same tools used in protection of on-premises assets may have unexpected results.

The cloud is a very different place from a traditional on-premises deployment and requires tools that are designed and implemented to work in the cloud. As organizations move more of their assets from on-prem into the cloud, the security of their data and sensitive applications becomes increasingly dependent upon them choosing to deploy appliances designed specifically to provide cloud security.