A series of high-profile breaches and leaks of sensitive data in recent months has shone a bright spotlight on cloud security and forced companies to re-evaluate their cloud readiness, architecture and security. With proper architecture, governance, monitoring and cyber hygiene, organizations can better prevent future cloud data leaks and create a competitive advantage in the marketplace through increased trust.
Already this summer, hackers have accessed the personal information of millions of registered voters, infiltrated companies’ client records, and compromised thousands of files containing sensitive US military data. The incidents had several things in common. All occurred on a public cloud, where security configurations are sometimes complex, disjointed from on-premise standards and often misunderstood. All could have benefited from fine-tuned design and implementation of cloud infrastructure, business processes and security policies; and all suffered from a vaguely defined “shared responsibility model,” which created exploitable loopholes.
It doesn’t end there. In the broader market, there are many common pitfalls that are often left unaddressed. According to the Lloyd's Class of Business teams’ "Counting the costs Cyber exposure decoded" report, the average loss from a serious cloud service disruption could cost the global economy as much as $121.4 billion.
1. Catch me if you can: Some companies have limited visibility into what applications are running in their cloud, what data they have there, and who has access to the data and applications. This is further complicated by the fact that for most organizations “cloud” really means many different cloud providers.
Recommendation: There are existing technical solutions, like a Cloud Access Security Broker (CASB) that can help increase your visibility into cloud activities. They can provide visibility into user actions and resource activities, and more importantly, what services are running and what data is at risk. Companies can track who did what, from where, and when it happened. Companies should consider gaining a greater understanding of their cloud environment through the use of a cloud discovery tool; apply continuous monitoring and automation to discover the provisioning and de-provisioning of cloud resources; and locate where key assets are in the cloud and identify potential legal, compliance and privacy requirements.
2. Suboptimal cloud architecture and implementation: Most companies do not have policies and standards set for configuring cloud infrastructure. Their cloud architecture is often the result of ad-hoc efforts driven by developers using cloud as a rapid prototyping environment. Poorly configured systems can allow hackers to exploit vulnerabilities and lead to malicious intrusion.
Recommendation: Organizations should define standards for configuring existing and new cloud services. They should include robust security practices in that template to strengthen cloud services by design. Companies should design comprehensive security architecture that includes a complete security stack, including identity and access management and governance, data protection and encryption, data loss prevention, and security monitoring and operations. They then should track industry-leading practices and the latest trends and update the template as necessary.
3. Lagging governance: Business processes, policies and standards are yet to be designed to support the rapidly growing cloud landscape, taking into consideration the myriad industry, data privacy, and other requirements. The European Union’s General Data Protection Regulation (GDPR), for example, introduces many new and significant requirements such as 72-hour breach notification. Various data privacy regulations also require data localization or restrict data transfer to certain jurisdictions.
Recommendation: Security and its operating model should grow at the speed of business. The nature of the cloud dictates that each platform be treated differently to enable effective security, and that this be done effectively and at scale across multiple cloud providers. Cloud service provider-specific processes and policies should be built and the corresponding implementation and operations patterns should be defined. Companies should implement a strategic, enterprise-wide approach to overseeing, managing and securing vital data, including how to do so in a multi-cloud environment.
4. Whose responsibility is it?: In some cases, a “shared responsibility model” is not defined between companies and partners in their cloud ecosystems, causing loopholes in business processes that eventually lead to security incidents in the cloud.
Recommendation: Companies should develop a shared responsibility model with their vendors and acknowledge that security is a collaborative effort. All partners in the ecosystem succeed or fail together. To build a shared responsibility model, organizations and vendors must clearly define each entity’s responsibilities, work together to establish—and constantly update—business processes to minimize loopholes, and create mechanisms to help quickly identify and respond to cloud-related incidents in a collaborative way.
5. Siloed security operations in a hybrid environment: In many cases, cloud security still lags compared to traditional on-premises capabilities.
Recommendation: Companies should extend their on-premise security capabilities to the cloud and build upon those capabilities. Some examples include tracking data flow from on-premise systems to the cloud, and providing consistent protection throughout the data flow. Companies should also correlate on-premise and cloud incidents to help ensure threats are identified before they spread across environments. In addition, companies should create consistent identity and access management policies, processes and standards to help ensure consistent protection and minimize management overhead.
6. The rise of the machine: The above issues are further compounded by the lack of security processes and automation in the cloud and cloud DevOps, creating an environment in which more human errors can occur. Given the speed and elasticity of cloud operations, it is no longer possible to manually secure the cloud separately from DevOps.
Recommendation: Automate or die—companies should automate the deployment and operations aspects of the cloud, especially DevOps, by automating core security tasks, including: secure orchestration and provisioning, vulnerability management, patch management, continuous integration and deployment, the security helpdesk, and security metrics generation and reporting.
Companies should have a cloud architecture that is designed with security in mind. Robust processes focused on preventing data loss are also vital. Further, safeguarding cloud-based data from attacks requires not only strong security capabilities, but also routine monitoring and updating. Companies should consistently review their cloud architecture and supporting cybersecurity programs and protocols, and diagnose potential problems before they occur. Proactively establishing and implementing industry-leading architecture principles and standards, technology design patterns and accompanying operational processes is key.
Strong data and access governance is essential for thriving in the digital economy. Leadership should allocate adequate time and resources to truly address cloud security, and ensure it is a priority as part of the overall transformation to cloud. That requires board-level buy-in and responsibilities distributed throughout the enterprise. Companies should realize the cloud is unique, a place where distributed data dictates a new way of thinking about security. Increased visibility—knowing where your data is, and who has access to it—is critical.
It is also increasingly important for companies to embrace automation of the cloud and especially security automation. When combined with the principles outlined above, automation can greatly reduce the risk of human error while keeping pace with the velocity and elasticity of the cloud. With these steps, organizations can not only improve their cloud security, but help create a more resilient data system that can create competitive advantages in an increasingly digital world.
Principal, Cybersecurity and Privacy, PwC US
Partner, Cybersecurity and Privacy, PwC US