
Shoring up cloud security

Most businesses, regardless of size, now understand the potential value of the cloud. We’re beyond that stage of early skepticism in which technology decision-makers questioned whether cloud services would factor significantly into corporate operations. Wholesale adoption is now underway and has been for years.

And why not? The benefits of the cloud are obvious. The ability to access cloud-hosted applications and services from anywhere, store and recall data and content without regard to physical data center limitations such as capacity and aging hardware, and grow or shrink infrastructure elastically to meet the changing needs of your business is invaluable. As a complementary part of your overall IT strategy, the cloud can definitely accelerate your corporate growth and help achieve your goals and desired business outcomes.

Danger, unfortunately, still lurks within the cloud for the unwary. All the attributes that make the cloud so convenient and efficient—such as ease of access and decentralization of IT services and data—create the very conditions for risk in the form of security breaches. As more companies embrace public cloud resources and hybrid cloud infrastructures (as opposed to traditional on-premises IT infrastructure) and begin to push more of their workloads and data (especially sensitive data) into these environments, we are witnessing a steady increase in companies experiencing cloud security breaches. The reality for every company embracing cloud is that a cybersecurity incident will eventually occur—it’s just a matter of when.

 

Inevitable security breaches

The inevitability that your business will encounter a security breach, whether through inadvertent carelessness or perhaps through a threat actor’s concentrated efforts, is sobering. The host of problems stemming from such a situation includes legal ramifications, potential governmental sanctions, and most certainly brand reputational damage. Most sources agree that a single security breach can cost your organization millions of wasted dollars, not to mention the fact that it will defocus your organization and alarm your customer base (many of whom might have sensitive personally identifiable information (PII) somewhere in your data ecosystem).

You might have the impression that all your cloud data is highly secure no matter what, especially when you’re leveraging public cloud services that tout rock-solid security measures. Go ahead and rethink any self-assurances or complacency about your cloud security posture. The potential problems are manifold: most security measures in cloud environments must be consciously deployed and configured properly; well-trained (and expensive) professionals must remain alert and monitor cloud environments regularly; and your entire organization must participate in a culture of safe cyber-activity in order to thwart the efforts of hackers employing not only technical acumen but social engineering trickery to find cracks in the armor.

Don’t get me wrong—this is not a scare tactic convincing you to lose faith in your push to the cloud. Quite the contrary! With proper planning and some deliberate and persistent vigilance within your organization, you can confidently rely on your cloud-based IT infrastructure and cloud data services. And, just know that you’re not in the fight alone!

The major web service providers understand the problems and threats just as intimately as any organization can, and they’re trying to stay one step ahead of bad actors. With the mainstream adoption of automation in the form of machine learning (ML) and artificial intelligence (AI), these companies are merging next-generation machine intelligence with standard cloud-based operations and workloads to detect anomalies and potential threats to their customers like you, without your direct intervention.

 

Taking cybersecurity problems seriously

One way to see how major cloud providers are taking the cybersecurity problem seriously is to view the types of intellectual property patents they file. For example, a patent filed by a subsidiary of Microsoft details the method by which machine intelligence can automatically monitor API transactions and detect anomalous requests in the form of mismatched cloud providers. This might indicate a mounting and intentional threat. On top of using automated machine intelligence to monitor and detect these kinds of situations on a massive scale, the patent details mitigation and remediation efforts in the form of data sharing between cooperative cloud providers. All good measures!

Evolving tech like this helps cloud services providers, and their customers, move closer to a Zero Trust posture, in which no request or transaction is assumed legitimate and multiple challenges are enforced before access to data or services is allowed, avoiding the dangers of implicit trust. Obviously, maneuvers such as these would be done at the service provider level and wouldn’t necessarily involve intervention from customers or their employees. That doesn’t mean, though, that you should rely solely on the methods that your cloud services provider implements in order to keep your IT infrastructure (and all that potentially sensitive data) safe.

With a deliberate effort to build your organization’s cybersecurity consciousness, you can improve your chances of delaying that event I claimed earlier in this piece was inevitable. While these tactics may seem simple, they go a long way toward closing potential security holes and certainly complement the tech that your cloud services provider no doubt is in the process of deploying to keep you and all those other customers secure:

Don’t be fooled into complacency by relying solely on traditional perimeter security such as firewalls, perimeter monitoring, and intrusion detection. Cloud environments are incredibly distributed so even knowing the extent of your perimeter becomes challenging.

 

Data-centric security

Consider more data-centric security such as format-preserving encryption or tokenization, especially when you house PII or other highly sensitive information. Data nowadays is rarely at rest, and you want data security that can travel with it.

If your organization has embraced DevOps, make sure you include the Sec in there to form DevSecOps. Data security shouldn’t be an overlay once most of the development is complete—move security up front to the planning phase to ensure it’s built right in.

Encourage a culture of security among all your employees. Never let them forget that all it takes is one oversight for threat actors to pounce. Talk openly about times when you almost fell for that social engineering trick, and keep those lessons learned alive for all to see.

Prioritizing data security, integrating DevSecOps practices, and fostering a security-conscious culture among employees are crucial steps toward safeguarding sensitive information in today’s dynamic digital landscape. By proactively addressing security at every stage, organizations can mitigate risks and uphold the integrity of their data assets–and reputation–in the face of evolving cyber threats. So when it comes to data security, remember: prevention is always better than a cure.