Security

Cloud Security: What Every Business Needs to Know

This list of must-do security items is critical to starting safe, and staying that way, in the cloud.

Steve Gold is the vice president of cybersecurity solutions for the Center for Internet Security.

Cloud computing is fast becoming the new norm for organizations worldwide. It offers flexibility, simplified disaster recovery, the opportunity for increased collaboration and the ability for employees to literally work from anywhere — something businesses are finding more essential than ever in 2020.

It is also quite cost-efficient, reducing many equipment purchases while sometimes eliminating the need to operate data centers.

But these benefits don’t outweigh the potential for harm when companies dive into the cloud without thinking about security by design. The security processes companies should follow in the cloud are similar — but not the same — as those they follow with on-premises infrastructure. It’s vital to ensure that on-premises security best practices are retrofitted for the cloud and followed carefully.

Here’s why: The vast majority of breaches that occur in the cloud — about 95 percent, by Gartner’s estimate — are the customer’s fault. That’s because many organizations don’t realize that their cloud service providers are responsible only for securing the cloud itself, while businesses remain responsible for securing their own systems, services, applications and data.

The division of responsibilities between the cloud consumer and cloud provider is known as the shared responsibility model. All cloud providers follow this model.

Common Cybersecurity Problems for Businesses in the Cloud

Often, businesses simply set their cloud environments up incorrectly. For example, according to research by Palo Alto Networks, 60 percent of cloud storage services have logging disabled, meaning that threat actors can enter systems without anyone inside an organization ever knowing. It’s a function of organizations failing to properly configure their cloud environments when they set them up, leaving them vulnerable to easy attacks.

The vast majority of these misconfigurations seem to be going unnoticed: According to a survey of more than 1,000 IT professionals from McAfee, 99 percent of them are unreported. The survey also found that companies believe they average 37 misconfiguration issues per month when in reality this number can reach 3,500.

Another concern is that not all security solutions work in a hybrid environment; a business’s on-premises security solution is not guaranteed to work in the cloud. The four cloud as-a-service environments (infrastructure, platform, software and function) all have different security needs and responsibilities.

What the Top Priorities Should Be to Secure the Cloud

Under the cloud’s shared responsibility model, businesses are expected to implement appropriate access control guidelines to prevent unauthorized access. They should also complete a compliance plan for data loss prevention.

Fulfilling these expectations can be difficult for organizations and businesses with limited resources. Utilizing configuration best practices and security tools is vital.

What are these best practices? A good place to find out is the CIS Controls, a list of 20 high-priority, highly effective defensive actions that every enterprise seeking to improve its cyber defense should take. Available at no charge, the list provides a logical path to gradually improve an organization’s cybersecurity posture.

For example, the first two recommendations are to inventory and control all hardware and software assets on the network. That’s crucial because threat actors are particularly interested in devices that come and go on and off an organization’s network, especially mobile devices, whether personal or company-issued. Another is to continuously assess security systems and respond to vulnerabilities. Businesses that fail to do this are flying blind.

Taken together, the recommendations, developed by IT experts from a range of industries including retail, manufacturing, healthcare, education, government and others, form a foundation on which to build a defense-in-depth security posture.

Implementing foundational cybersecurity best practices can provide some peace of mind when moving to the cloud. More importantly, they ensure that organizations start and stay secure in any environment.

traffic_analyzer/Getty Images