A company’s data is one of its most valuable assets, yet also one of its most at risk.
While customer and business data is essential in supporting a variety of business functions, it is also a lucrative target for cybercriminals. According to a recent report, one small business in the UK is successfully hacked every 19 seconds.
In this article, we explore key cloud security risks and outline controls to help protect data and assets in the cloud.
What is cloud security?
Cloud security is the implementation of security controls to protect confidential information stored in cloud environments and reduce the risk of data breaches. It is essential to safeguarding the data of organisations that use cloud infrastructure, cloud platforms and cloud services.
Prior to the Coronavirus pandemic, the cloud had an increasingly important role in many workplaces. However, reliance on SaaS applications such as Microsoft 365, G Suite and Zoom has grown significantly in recent times due to the flexibility these solutions provide for remote working.
A recent survey revealed that 87% of IT decision-makers think the COVID-19 pandemic will lead to an increase in migrations to the cloud.
Cloud security benefits
Benefits of cloud-based security include:
• Improved visibility of assets and data
• Easier and faster solution deployment
• Reduced maintenance and management
• Faster and centralised data processing
• Greater scalability
• Lower hardware and storage costs
Cloud security: a shared responsibility
Cloud security is the responsibility of the organisations which offer cloud infrastructure, services and applications as well as the companies and employees that use them.
Under shared responsibility models, cloud providers such as Amazon, Microsoft and Google take responsibility for the security of the cloud, while organisations are responsible for securing the data and workloads they upload to it.
However, organisations are not always fully aware of cloud security risks or of their security obligations.
Understanding cloud security risks
With more enterprises choosing to operate in the cloud in some form, cloud security risks are now greater than ever. Some common examples include:
An expanded attack surface
Cloud computing widens an organisation’s attack surface and therefore the area its security team must defend. The recent shift to mass remote working has widened the attack surface further still and dissipated the traditional security perimeter, meaning endpoints and other assets are more exposed.
Cloud data breaches often result from poor cloud security management. Even if an organisation meets all of its responsibilities, it can still be harmed by a data breach caused by errors made by third parties.
Attackers are increasingly targeting cloud back-ups and providers of cloud services. One recent example of this is the cloud computing company, Blackbaud. In May 2020, it was the subject of a ransomware attack which is thought to have affected over 160 organisations in the UK.
While Blackbaud managed to prevent the attack from encrypting its files, it chose to pay the ransom demand in response to the hackers stealing data from its network and threatening to publish it online.
Cloud services place more control into the hands of employees. While this offers greater flexibility, it also increases the risk of inappropriate content being shared or confidential data being stolen or accidentally exposed.
Gartner estimates that up to 95% of cloud breaches occur due to human errors such as configuration mistakes, and it expects this trend to continue.
Malware and ransomware infections
When companies put data and services in the cloud, they often mistakenly believe that their data is automatically backed up and safe in the event of a disaster. However, this isn’t always the case.
Attackers are increasingly targeting cloud back-ups and providers of cloud services. Ransomware on a worker’s laptop computer can be synced to the cloud, infecting any data stored there.
Poor management of data security controls puts organisations at risk of failing to meet compliance requirements such as those outlined in the GDPR, ISO 27001, PCI DSS and NIS Directive, potentially leading to significant fines and other sanctions.
Keeping your data secure with cloud security
Protecting data can be achieved using a range of cloud security controls:
Targeted employee training
It is recommended that companies provide specialist cloud security training to IT and cyber security staff and general awareness training to the remainder of the workforce. Cloud security awareness training should cover areas such as password management, phishing and data protection.
Multi-factor authentication (MFA) is one of the best ways to secure cloud-hosted systems, providing a supplementary layer of protection in the event of user passwords and credentials falling into the wrong hands. Organisations should aim to enforce multi-factor authentication across all cloud applications. However, a recent survey revealed that adoption remains low.
Separate accounts for admins
Limit the risk of accounts with elevated privileges being compromised by ensuring that system administrators have separate accounts for day-to-day operations and system administration.
Regular security assessments
Organisations should assess their cloud security on a regular basis and quickly and efficiently address gaps. This can be achieved through cloud vulnerability assessments and penetration testing, which can identify risks such as misconfigurations and providing guidance to help remediate any vulnerabilities discovered.
Cloud security monitoring
Minimising risks of data theft also requires organisations to be proactive in their approach to threat detection and response.
Cloud security monitoring can help organisations to detect changes that could indicate the presence of an attacker. Suspicious activities include data loss, infrastructure changes and irregular user and account activity.
Better data protection through cloud security
The ongoing evolution of the threat landscape means that data remains highly vulnerable to cyber-attacks. While cloud security is an important aspect of safeguarding data, it must be reviewed regularly to ensure the highest level of protection and detect errors.
To achieve this, organisations shouldn’t be afraid to seek specialist help with checking the suitability of current controls as well as implementing and managing new ones.