The migration to cloud computing has been one of the biggest computing revolutions this century. Allowing users to transition away from local storage and on-premises equipment to remote systems and tools that can be accessed from anywhere in the world, the cloud has been a game-changer. It has no shortage of benefits. Alongside the ease of access, there are advantages when it comes to flexibility, collaboration, disaster recovery and loss prevention, cost savings, and more.
But while all of these selling points are frequently highlighted, the cloud can pose problems as well — particularly when it comes to cloud security. Overall, security is viewed as a big selling point of the cloud, since cloud providers frequently offer up-to-date encryption technologies and similar. However, a recurring problem involves the security challenge of cloud misconfigurations.
A common cause of data breaches
Cloud misconfigurations are the most common cause for data breaches in the cloud. In the same way that many cyberattacks come from human error, as is the case with phishing, the biggest weakness of the cloud seems to involve user mistakes. For example, a 2019 breach of Capital One, the tenth largest bank in the United States as judged by assets, resulted in the compromising of personal data belonging to approximately 100 million Americans, and around 6 million Canadians.
The bank ultimately paid out $80 million in connection with the massive breach, while also suffering untold damage in its reputation among potential customers. The cause of the breach? While cyberattackers leveled an attack on the bank to exfiltrate data, they would not have been able to do so had a web application firewall (WAF) not been incorrectly configured by the Capital One. This act was akin to having your new car stolen because you can’t figure out how to lock it.
One reason for cloud misconfigurations may relate to the speed with which customers are currently rushing to the cloud. Today, use of the cloud is no longer a “nice to have” or a competitive advantage over rivals; it’s increasingly an expected norm. As organizations have rapidly migrated to the cloud, in some cases this has taken place without sufficient understanding of the underlying Infrastructure as a Service (IaaS) or Platform as a Service (PaaS) infrastructure they will be using in the cloud environment.
The fault of customers
Failing to properly understand some of the finer points of the cloud, which can vary depending on cloud provider, can lead to problems — such as assuming certain features like encryption are always enabled as default. This can become even more complex in multi cloud environments, in which customers may rely on multiple cloud providers, each with slightly (or, occasionally, radically) different policies.
In many cases, customers may fail to understand some of the most important aspects of cloud-based configurations and responsibility. It is not the responsibility of cloud providers to ensure the security of what their customers put in the cloud, but rather to ensure security of the cloud system. It’s a subtle distinction, but it means that customers must take charge when it comes to areas like application configuration, data sharing, and role-based access controls. Failing to consider these, and assuming that they will be taken care of by your cloud provider, is a major mistake.
Ultimately, cloud security settings can be complex, which is why users should make sure that they invest in the proper training and experts. For now, though, that doesn’t appear to be happening. Simply put, companies which use the cloud are failing to fix cloud configuration issues. According to an estimate by Gartner, by 2025 an overwhelming 99% of cloud security failures will be the fault of customers. Gartner recommends that organizations can avoid these errors by putting in place clear plans about cloud ownership, risk acceptance, and responsibility, and ensuring they have a solid management and monitoring plan in place.
Take cloud security seriously
It’s crucial that organizations take cloud security seriously. Fortunately, the tools are out there to help. To make sure that nothing happens on your cloud without you being aware of it, consider tools that will track access to data and applications that you have on the cloud, and rapidly respond if any threats are made that may adversely affect this data.
Cybersecurity experts can also help you achieve compliance with data-protection standards in an ever more complex cloud environment, thereby protecting against the threat of fines for failing to secure information. In addition, in multi cloud environments, consider adopting a system that’s able to provide a single pane of glass solution, making it easy to monitor your various cloud platforms. It is not the responsibility of cloud providers to ensure the security of what their customers put in the cloud, but rather to ensure security of the cloud system.
The cloud has plenty of transformative positives it can bring to the workplace. But it can also pose challenges. By taking the right steps you accentuate the positives, while eliminating the negatives. That’s a win-win for all involved.