Security Think Tank: Is data more or less secure in the cloud?

In July 2019, financial services giant Capital One reported a mega data breach that involved more than 100 million customer data records stored in the cloud. But it was not the cloud service provider (CSP) that was at fault. Instead, the cause was attributed to a misconfigured firewall, which was the responsibility of Capital One.

Large data breaches, like this one, are widely commented on in the media and there is growing concern over incidents involving data stored in the cloud. Noticeably, CSPs are managing to stay away from bad publicity while further reinforcing their reputation for delivering secure cloud services.

There is a general agreement that CSPs, especially the larger ones, offer a good baseline of security by default. In a recent publication, an expert security company advised that in the first half of 2019, CSPs “maintained their sterling reputation for platform security as only a very small percentage of the incidents could be directly attributed to the providers”.

The scarcity of cloud-related security incidents involving CSPs further exemplifies the robustness of providers’ security posture. Crucially, however, secure cloud services intrinsically rely on a shared responsibility for security between the CSP and the cloud customer, and all to often the latter fails to deploy the requisite security controls.

Coupled with the inner complexities of cloud computing, the phenomenal rise of the multicloud environment has brought about a new set of security challenges that business leaders need to address. Concerns about the ability of their organisation to deploy the necessary security controls to operate in the heterogenous multicloud environment are causing what some refer to as a “cloud chaos”.

The unique features of cloud services and the realities of operating in a multicloud environment can create misperceptions or uncertainty as to what is required to secure the use of cloud services. Many organisations struggle to identify the relevant security controls and implement them consistently and yet, as customers of cloud services, organisations need to take full responsibility and deploy the right set of controls to secure their entire cloud environment.

For instance, securing the connections to cloud services is critical in the context of the disappearing trusted network. Typically, organisations need to deploy the right level of secure connectivity to their cloud environment, be that HTTPS for simple cloud applications or a fully WAN-enabled access into their most business-critical cloud services. They also need to deploy and configure firewalls on both ends of the network – on-premise to enable secure connections and at the cloud services end.

Another important control area is access management in order to authorise the right categories of users for cloud services – not everyone should be authorised by default and cloud system administrators should be tightly controlled.

Data encryption techniques can add an extra level of protection for sensitive data stored in the cloud environment, but encryption techniques need to be handled carefully and with full knowledge of all possible options. The default encryption offered by many CSPs may not be sufficient for organisations operating in a regulated industry, requiring them to add their own encryption key management systems.

Most security controls required for cloud services are not new to information security experts. Basic principles of access management, data encryption and network security should be deployed and applied to use cloud services effectively and securely. Armed with the right level of security controls and careful selection of CSPs, organisations should be in a better position to deter cloud-related data breaches from occurring.

The forthcoming ISF report Using cloud services securely gives practical guidance on the core security controls that an organisation should implement and maintain to secure its usage of cloud services.