The public cloud sits at the heart of global digital transformation efforts. It offers huge advantages of on-demand, highly scalable compute power to drive IT agility, cost savings, and innovation-fuelled business growth. It’s no surprise that worldwide spending is set to grow at a CAGR of over 22% from 2019-23 to top $500bn, according to IDC.
But as more organisations come to rely on public cloud deployments, and complexity grows, so do security risks. IT teams need not only the right tools to respond to cyber-attacks but also to identify and remediate policy violations stemming from insider threats. Without them, protecting the bottom line and corporate reputation will remain a significant challenge which could inhibit cloud adoption.
What’s the problem?
The world is going cloud crazy. Analysts claim the shift from traditional models is happening most in professional services, telecommunications, and retail – but in truth, it’s going on everywhere. SaaS represents the largest spending category, but infrastructure will be fastest growing over the next four years, at a CAGR of 32%. It’s easy to see why: IaaS environments offer development teams the perfect set of tools to drive fast-moving, agile DevOps processes, enabling firms to react quickly to changing market demands to stay ahead of the competition.
That’s the good news. But there are inevitably cyber-related risks attached. Perhaps running counter to common perceptions, however, these are mainly linked to internal rather than external issues. Cloud providers do have vulnerabilities which can be exploited by hackers. But according to Gartner, the vast majority (80%) of cloud breaches by next year will result from misconfiguration, mismanaged credentials and insider threats.
Major cloud leaks resulting from simple misconfigurations are an almost weekly occurrence today. A 2018 report from IBM X-Force revealed that 70% of the 2.9bn records compromised in 2017 were the result of such incidents, which soared 424% from the previous year.
These are highly preventable situations. In some cases, all that is needed is to switch the cloud account to private or to protect access with a password.
Shining a light
Unfortunately, many organisations are falling at the first hurdle because they don’t understand their responsibilities in securing public cloud environments. When Barracuda Networks polled several hundred EMEA IT leaders in 2017, the vast majority claimed that their public IaaS provider is responsible for securing customer data in the public cloud (64%), securing applications (61%) and operating systems (60%). In fact, all of these functions are the responsibility of the customer organisation.
As the public cloud becomes more popular, organisations are investing in platforms from multiple providers, making it harder still to monitor for compliance with security policy. Incident response times are woeful, with stretched IT security teams and developers having little time to devote to such tasks.
The result is incidents which could have a major impact on the bottom line and corporate reputation, with the added risk of major regulatory fines. This week’s massive GDPR fines levied against Marriott International and BA should serve as a warning shot to organisations to improve compliance efforts.
Looking then leaping
The first stage towards reducing cyber risk in the public cloud is awareness. But once organisations understand how far their shared responsibilities for security extend, what next?
It’s certainly important that they have in place comprehensive security controls to mitigate external cyber-attacks exploiting vulnerabilities in cloud infrastructure. These should include IDS/IPS, file integrity monitoring, app control, virtual patching, anti-malware and so on.
But these tools will be no good on their own: security infrastructure is only as good as the policies it’s built on. Thus, IT leaders also need tools to develop and deploy best practice security policies, and the ability to then monitor and enforce these policies. Automated remediation of any policy violations would be a significant boost for IT, freeing up under-pressure developers and security staff to focus on higher value tasks while ensuring that internal risks like misconfiguration are mitigated swiftly.
In that 2017 Barracuda Networks research, 64% of EMEA respondents claimed security concerns are restricting their migration to the public cloud, a figure rising to 70% in the UK. With the right tools in place to monitor and enforce internal policies, there’s no reason not to take the leap and start using the public cloud to drive business success.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.