Understanding the landscape of cloud security

As a catalyst for change, the pandemic has proved highly effective in influencing business mindsets to accept the viability of remote working. With no choice but to rethink working practices to ensure business continuity, IT management departments across the country were suddenly pushed into investigating, instigating and accelerating cloud computing strategies. As a result, there has been a huge increase in companies moving to the cloud – almost 70% of organizations have stepped up the pace of their digital transformation plans in some way as a result of COVID-19.

About the author

Chris Deverill is UK Director at Orange Cyberdefense.

The benefits of cloud-based working are not in doubt, with its flexibility, low upfront investment, and suitability for remote working, and it looks like more than half of UK-based IT will be in the cloud by 2023, with 75% of companies having already switched to a ‘cloud-first’ strategy. Cloud-based working is clearly here to stay, but with the upsides comes a new environment that also carries a number of risks. Cloud is the new playground for criminals.

Cybercrime is now a major league business. According to the World Economic Forum, this year the global cybercrime damages may hit $6 trillion – their surveys concluded that a cyberattack was the second most concerning risk for global commerce for the next decade. Cloud has changed the cybersecurity landscape. Networks are more complex, and the traditional firewall-protected perimeter is being breached. With the confusion of hybrid and multi-cloud implementations, and the very basic problem of a lack of skilled personnel, many businesses are not aware of the extent of the risks, or how to protect their networks and assets.

The cloud has no borders

IT teams new to managing their organization's cloud communications are having to negotiate decentralized and heterogeneous points of control. Company personnel are accessing multiple applications in multiple environments from a huge range of access points, both local and international. By its very nature, cloud has no borders, and this makes achieving end-to-end security a moving target, as the dispersed nature of activities makes it far more difficult to track, control and manage security procedures.

There are many points of potential access for cybercriminals – not just the obvious company-owned IT infrastructure or cloud connections, but homeworkers’ routers and devices, public wi-fi networks, and any vulnerability across the direct supply chain or from their suppliers, to name just a few. In the recent SolarWinds incident the attackers illustrated the risks of this complexity by pivoting from a compromised internal network to the Office 365 environment by using stolen authentication tokens. The impact of a successful attack can be wide-ranging and in many cases, the damage is not immediately obvious. The fallout from the SolarWinds hack from last year is still not clear, as the ripples continue to spread.

The most common attacks are identity theft via phishing, using an employee’s access to hijack and control resources; malware (as used for the SolarWinds attack) that steals, modifies or deletes data; web application attacks that enable information and files to be stolen; and DDoS attacks that take services completely out of action. We not only contend with ‘regular’ cybercriminals but also Advanced Persistent Threats (APT) - highly professional and targeted long-term cyberattacks that infiltrate a network and silently damage both data and infrastructure.

Solutions

Cybercriminals are regularly finding new ways to compromise companies, and constant vigilance is essential. All these threats and more must be considered when risk analyses are conducted. It is understandable that in the rush to the cloud fueled by the coronavirus many organizations simply did not have time to follow correct procedures. However, it is never too late to improve security.

Here are just three ways to do so:

  1. Moving operations to the cloud does not mean offloading responsibility for security procedures, and multi-cloud implementations add extra complications. Each cloud environment has its own technical and configuration approaches, and IT departments need to navigate the organization, management, control and visibility of services on each host. Every organization remains responsible for its own data, and cloud providers require implementation of their management and security policies in order for their clients to be compliant with regulations.
  2. To secure your new external perimeter, you must first have a clear view and understanding of where these new assets are. Software, hardware and cloud Asset Inventory is a vital step for an organization. Manually or automatically maintaining an accurate database of the servers, services, accounts and platforms is an essential first step in the security process.
  3. Many organizations are considering a zero-trust approach to security. There are many technologies out there that can help, including identity-aware proxies, EDR, multi-factor authentication, and identity and access management, but ‘Zero Trust’ is a mindset, not a technology. The Zero Trust security model assumes that a breach is inevitable or has likely already occurred, and thus eliminates implicit trust in any one element and instead requires continuous verification of the operational picture from multiple sources to determine access. In many ways cloud-based web applications lend themselves better to new ‘Zero Trust’ approaches, so the move to cloud is a good time to start to move to Zero Trust also.

As yet, there is no magic bullet that will guarantee 100% security of any network, and vulnerabilities are being exposed in the most sensational manner – as the SolarWinds incident illustrates. The approach to security for many organizations needs to undergo a paradigm shift. Every business is connected in some shape or form to the wider world, and cybercriminals only need one weakness in order to breach protection and wreak havoc. Security has become a collective responsibility, in both technological and business processes – there is no room for error, and no time for complacency.
