
Outsourcing to the cloud doesn’t mean outsourcing the responsibility for your data


Chances are, if cloud technology wasn’t part of your thinking before the pandemic, it probably is now. According to a study by McKinsey, the pace of digital transformation accelerated by seven years in 2020, as the pandemic forced businesses large and small to scramble to support home working and remote collaboration. For many, this has meant a huge increase in the use of cloud technology, and according to Gartner’s Forecast: Public Cloud Services, Worldwide, 2019-2025, 2Q21 Update, worldwide public cloud services will grow an additional 26.2 percent in 2021. 

As companies had to move quickly to minimize disruption and losses in productivity, some security steps and diligence may have been overlooked, one of which has a direct impact on the ability to ensure confidential, sensitive information remains protected. Recent research from Rapid7 investigated significant misconfigurations within companies across 15 different industries, revealing how easy it is for organizations to expose themselves to both legal and security risk when implementing cloud deployments.

Now, more than 18 months since the pandemic started, it’s time for organizations to take stock and revisit their cloud footprint to ensure they are taking the necessary steps to maintain security, compliance and proper governance. Adopting cloud technologies offers many efficiency and capability benefits to organizations, but it does not mean abdicating responsibility for security.  There is only so much time you can allow systems to remain unsecured before opportunistic cybercriminals start leveraging your data and external exposures to target your company. 

Outsourcing cloud, retaining responsibility

Embracing numerous cloud service providers certainly delivers a great many benefits to businesses when it comes to cost and efficiency. In theory, moving to the cloud enables you to outsource your technical IT challenges to experts who should be able to manage systems better than you arguably could. They take care of everything, right?

Wrong. While cloud providers are hopefully operating multi-faceted defense-in-depth programs to help protect your data and the services they are offering, they do not take on sole responsibility for your data. The ultimate responsibility for the security of your data still remains with you. And that means legal responsibility — should your systems suffer a breach, exposing your data to a leak, you are just as responsible for that breach as your cloud provider, if not more so. This means regulatory fines and reputational damage are coming your way as well as the cloud provider’s.

Supply chain risk management

Cloud providers are as much a part of an organization’s supply chain as other regular partners, and should be included in any supply chain risk mitigation strategy. But cloud technologies offer their own unique challenges that organizations must address.

It goes without saying that securing multiple providers is more challenging than securing just one. To ensure you stay secure no matter how many cloud providers you use now or in the future, I would advise you look at three key areas.

1. Restrictive Access Controls

The first is access security. It’s vital to make sure that the right people and system components have the right kind of access to your applications, which helps to limit the attack surface should a cybercriminal manage to break into your systems. So many companies fail with this though. Numerous breaches in history have involved privileged login credentials belonging to system administrators. Often when a cybercriminal has initially stolen a low-level user’s credentials, they are eventually able to escalate their privileges to gain access to important systems. 

To address this issue, the first port of call is to implement strong policies. Multiple clouds come with multiple exposure points. Therefore, policies are incredibly important because they are a primary catalyst for ensuring security procedures for each cloud application. What kind of policies would you need? First, consider robust data governance policies, defining exactly how you manage and use data across your whole organization — while also outlining where you store authoritative data and who is allowed access.

Over the past couple of years, cloud providers have released a number of preventative controls and analysis tools to help their customers. As an example, Google recently released Public Access Prevention for their Google Storage service to aid customers in preventing their employees from inadvertently exposing their data to the world. Amazon introduced an improvement to their IAM Access Analyzer which helps their customers lock down IAM policy documents to only the required permissions. While this is never an exact science, this type of improvement helps customers drive towards Least Privilege Access (LPA). Many of these features and capabilities are available to customers for free, and so there’s no reason not to leverage them as part of a company’s cloud security strategy.

2. Continuous Security Monitoring

The rate of change in a cloud-first world is unlike anything seen before. In my dealings with enterprises that have adopted cloud across the organization, it’s been common to hear about millions of changes to the cloud landscape happening each month. While audit and tracking services exist across every service provider, the continuous monitoring and assessment for anomalous, risky configuration changes does not. Customers are often forced to roll their own solution in-house or adopt cloud-centric security services and stitch them together.

The limitation of these approaches for organizations is that they are forced to keep pace with the cloud innovations, and the security challenges that are associated with them. This can be a daunting task for even the most seasoned cloud security professionals. As such, businesses must budget appropriately not only to adequately staff, but to maintain that staff in an era where cloud security professionals are in sharp demand. Organizations should consider augmenting the native security capabilities of each cloud provider with commercial tooling that covers environments and applies security controls consistently across all of their cloud providers.

Two areas of focus can help in this regard: Cloud Security Posture Management (CSPM) and Cloud Workload Protection (CWP). There are a number of vendors to choose from in these spaces, each with a number of features and capabilities to explore. If electing to pursue this route, organizations should think long and hard about the breadth and depth of multi-cloud coverage as well as the ability to continuously monitor change in real-time. Reducing the mean time to detect (MTTD) security configuration challenges is paramount to success.

3. Automation and Shifting Security Left Is Key

Another area of importance to address is how your security can keep pace with the business as it grows and as infrastructure and platform systems scale. Misconfigurations especially are a major source of headaches for security teams, in particular as the cloud footprint continues to grow. In Rapid7’s annual Cloud Misconfigurations Report, researchers investigated a variety of misconfigurations that exposed their owners to risk. One of the best ways to mitigate this risk is to shift your security processes to the left so you are focused more on prevention and mitigation than on incident response. Take time to ensure that posture management and vulnerability assessment are being done across all pipelines, as catching the mistakes there is far less costly than having them manifest in the wild.

In the event that misconfigurations go undetected in the development pipeline, it is important to have automation in place that protects the organization by remediating critical vulnerabilities and defects. Automatically correcting common mistakes such as public data sets, permissive firewalls/security groups and untrusted third-party access can go a long way toward protecting critical data and workloads.
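As an added illustration (not code from the article or from Rapid7), the pipeline check below flags the three common mistakes named above in documents shaped like AWS bucket policies, security-group descriptions and role trust policies. The trusted account ID, the resource names and the `(kind, name, document)` inventory format are assumptions constructed for the example.

```python
import re

TRUSTED_ACCOUNTS = {"111111111111"}  # assumption: account IDs the organization owns
ADMIN_PORTS = (22, 3389)             # SSH and RDP
ANYWHERE = {"0.0.0.0/0", "::/0"}
def as_list(v):
    return v if isinstance(v, list) else [v]
def allows(policy):
    return [s for s in as_list(policy["Statement"]) if s.get("Effect") == "Allow"]
def aws_principals(stmt):
    p = stmt.get("Principal", {})  # "*" or {"AWS": ...}; service principals are ignored
    return [p] if isinstance(p, str) else as_list(p.get("AWS", []))
def check_bucket(name, policy):
    # A Condition may narrow a "*" principal, so only unconditioned grants are flagged.
    return [f"{name}: public data set" for s in allows(policy)
            if "*" in aws_principals(s) and not s.get("Condition")]
def check_security_group(name, group):
    out = []
    for rule in group["IpPermissions"]:
        ranges = rule.get("IpRanges", []) + rule.get("Ipv6Ranges", [])
        if ANYWHERE & {r.get("CidrIp") or r.get("CidrIpv6") for r in ranges}:
            # Protocol "-1" rules carry no port keys, so they default to every port.
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            out += [f"{name}: port {p} open to the internet"
                    for p in ADMIN_PORTS if lo <= p <= hi]
    return out
def check_role_trust(name, policy):
    out = []
    for s in allows(policy):
        for principal in aws_principals(s):
            m = re.search(r"\d{12}", principal)
            if not m or m.group() not in TRUSTED_ACCOUNTS:
                out.append(f"{name}: untrusted third-party access ({principal})")
    return out
CHECKS = {"bucket": check_bucket, "sg": check_security_group, "role": check_role_trust}
def scan(resources):
    """resources: (kind, name, document) tuples; a pipeline fails on any finding."""
    return [f for kind, name, doc in resources for f in CHECKS[kind](name, doc)]

# Constructed sample inventory in AWS policy / security-group description shapes.
SAMPLE = [
    ("bucket", "reports-bucket", {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}),
    ("sg", "web-sg", {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}),
    ("role", "vendor-role", {"Statement": [{"Effect": "Allow", "Principal": {"AWS": [
        "arn:aws:iam::111111111111:root", "arn:aws:iam::999999999999:root"]}}]}),
]
```

Calling `scan(SAMPLE)` returns one finding per mistake; the same findings list can drive either a failed build or an automated remediation step.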

Planning, planning, planning

There is an old adage in security that a good security program will involve a mix of people, processes and technology. I would add planning and preparation to that mix. It’s vital to map out your current footprint before you can identify gaps and vulnerabilities. Only then can you create policies and procedures that will address what you need now and in the future.

With strong planning and user education on processes and policies, organizations can embrace the benefits of cloud services and technologies without exposing themselves to additional unmanaged risk.

Chris DeRamus is VP technology, Rapid7
