One commonly advertised benefit of cloud services is increased security. Cloud providers can offer security expertise and tooling that are otherwise inaccessible to organizations. This benefit is particularly appealing for small-to-medium businesses (SMBs), for whom enterprise-level security is too expensive.
Despite these security benefits, there are continuous reports of attackers exploiting unsecured cloud resources and attacking cloud services. According to a 2019 survey by SANS, unauthorized access of cloud environments or assets by attackers has significantly increased. The survey found that reported incidents increased to 31%, up from 19% in 2017.
This seemingly conflicting information makes it difficult to tell what the true state of cloud security is. This article reviews which areas of cloud security are improving and which are still lacking. This review can help you take advantage of advancements and prioritize security gaps in your cloud systems.
3 Areas of Improvement in Cloud Security
As cloud services have matured, security has started to improve within organizations. Security has also improved due to growth in cloud service markets. The following areas have seen the greatest improvement.
Growth of Cloud Knowledge
With more organizations adopting cloud services, security teams are gaining experience in how to secure cloud systems. The previous lack of cloud expertise is being corrected with on-the-job experience and the widespread availability of certifications and training. As security teams become better acquainted with cloud services, they can more effectively apply tooling and manage configuration.
There has also been a growth in organizations focused on oversight and evaluation of cloud technologies. Examples include the Cloud Security Alliance (CSA) and the OWASP Cloud Security Project. These organizations aim to provide best practices for securing cloud services and help identify areas of improvement.
Adoption of DevSecOps
Many organizations are adopting DevOps and DevSecOps practices. These practices shift security from the end of development processes to the beginning. By focusing on security earlier in projects, organizations can minimize vulnerabilities in software and deployments. This reduction increases organizations’ overall security position, including within cloud environments.
The automation that typically comes with DevOps practices has also increased security. Using automation when configuring services, users, etc., enables you to reduce the risk of misconfiguration. It also ensures consistency across your system.
The increased centralization of security data has made it easier for security teams to monitor, manage, and respond to incidents. Tools that provide centralization are especially important in hybrid systems and expanding cloud deployments. Centralization of data enables security teams to monitor systems more efficiently and reduces the chance of missed issues.
Two tools that are particularly useful are Security Orchestration, Automation, and Response (SOAR) solutions and Cloud Access Security Brokers (CASB).
SOAR—solutions that enable teams to consistently implement security policies and responses across systems. Consistency increases security by reducing weak links in your system. It also limits vulnerabilities caused by poor monitoring or response.
CASB—tools or services that interface on-premise and cloud infrastructure. These tools enable you to extend your on-premise security tools and policies to your cloud services. CASBs make it easier to secure and monitor traffic between on-premise devices and cloud services.
3 Ongoing Concerns in Cloud Security
Despite improvements, there are still some areas in which cloud security falls short.
Careless transfer of data—unencrypted data can be stolen in transit or corrupted during transfer. Undetected malware can be inadvertently included in data transfers.
Misunderstanding shared security responsibilities—users misunderstand what aspects of shared security are their responsibility or take insufficient measures to secure their share. Responsibilities differ between service and provider.
Misconfiguration—of permissions and access controls. For example, storage services are inadvertently left open to public access or users are provided with more permissions than needed.
Data Privacy and Regulatory Compliance
Data privacy is of continued concern to consumers, organizations, and regulatory agencies. The number and type of compliance regulations are increasing, with stricter requirements and consequences.
While cloud providers typically include measures to meet the most common regulations, they do not meet requirements for all regulations. This gap means that organizations are required to integrate policies and tools to fill this need. For some regulations, this may be easy. Others require costly, custom configuration.
Alternatively, you can retain regulated data on-premise and operate from a hybrid environment. This enables you to maintain full control over your regulated data while still using cloud services for lower priority workloads. However, hybrid systems present additional issues related to system complexity.
Cloud systems, particularly hybrid systems, are often highly complex and difficult to secure. Your attack surface area grows as you adopt more services and integrations. Attack surface expands further when cloud services connect publicly to the Internet.
Here are two major concerns related to system complexity:
Insecure APIs or interfaces—enable attackers to access data through external applications and services. These insecurities can also provide valuable information to attackers about system architecture or settings, for example, via error messages or by displaying information in URLs.
Limited visibility—due to a lack of communication between IT and employees. Lack of communication becomes a problem when cloud services are used without permission or when users abuse access. It can also be an issue when third-party services are provided access to cloud systems.
Overall, it seems that cloud security is slowly improving for many organizations. Security teams have become more familiar with cloud security requirements and tooling continues to improve. However, there are still areas that can be improved, particularly as attack strategies evolve.
Hopefully, this article helped you gain a better understanding of the current state of security in the cloud. If you’re looking to improve your own cloud security, you can use the information provided here as a starting point. For specific recommendations, however, you should refer to the best practices documented by your specific cloud provider.
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.