How to secure a multi-cloud architecture

rvlsoft - Fotolia

This article is part of our Essential Guide: How to fight cloud security threats effectively

Five cloud security threats to combat in 2018

In 2018, IT security teams will continue to fight to keep their cloud deployments safe. Watch out for these common risks associated with APIs, IoT and human error.

While the need to protect data isn't new, the changing landscape of enterprise cloud usage complicates traditional security models and poses new risks for both users and providers.

Review these five cloud security threats that will loom over businesses in 2018, along with best practices to guard against them.

1. A lack of responsibility

Some organizations falsely believe that, since their workloads are in the cloud, it's no longer their job to protect them. But, in fact, cloud providers have no obligation to protect user workloads or data beyond the services detailed in their service-level agreements. This means data retention, resilience and security are primarily the responsibility of the users -- not the providers.

Be sure to understand your provider's shared responsibility model and the steps you need to take to protect your cloud workloads.

In addition, mitigate the risk of data loss with redundant workloads and storage services that are distributed across two or more cloud regions. Implement further data protection practices, such as snapshots, backups and recovery. Use data encryption, and be sure to properly manage and protect encryption keys.

2. Insufficient security tools and tests

Public providers have an array of tools and services designed to improve cloud security, verify the security posture of cloud resources and mitigate attacks. For example, Amazon Web Services offers virtual private clouds, application firewalls, native Transport Layer Security-based encryption and dedicated connections to avoid the public internet. Take advantage of these tools, as well as monitoring tools, such as Google Stackdriver and Azure Monitor, to identify potential cloud security threats.

Conduct penetration tests to predict how a system will respond to an attack and to uncover vulnerabilities. These tests essentially authorize a simulated attack on a system to identify weaknesses. Cloud providers allow and assist with penetration testing for authorized resources.

It can be almost impossible for cloud users to deal with certain attacks, such as distributed denial-of-service (DDoS) attacks, in progress. That's because these types of attacks can render a cloud workload unresponsive. DDoS attacks can also rack up costs, as more cloud resources scale to meet the malicious traffic levels. Use providers' DDoS protection services to automatically spot and mitigate these cloud security threats.

3. Human error

The human element is still one of the weakest links in IT security.

The human element is still one of the weakest links in IT security. And in the cloud, the risk of human error multiplies because compromised or misappropriated credentials can wreak havoc across applications and data.

Phishing, fraud and other forms of social engineering enable hackers to steal credentials and potentially hijack cloud accounts. But remember that not all cloud security threats come from the outside -- protect against internal attacks as well.

Organizations also struggle with poorly implemented authentication, weak or absent password strength, improper identity and access management configuration and other security protocols. Weak defenses not only allow more attacks, but can lead employees to make costly mistakes or take improper actions.

There are many ways to guard against the cloud security threats that come from human error. Admins should offer security education and certifications to users, write clear, acceptable use policies and apply other security best practices. For example, a cloud account owner should never use or reveal root credentials; be sure to create and configure unique credentials for each user or group.

Cloud security certification
Boost your knowledge with these certifications

4. Vulnerable systems and APIs

APIs enable software to connect to outside services, including those from a cloud provider. For example, a business might develop an application that uses multiple APIs to access and exchange encrypted data with a cloud provider's storage resources. Flaws in these interfaces and APIs introduce new cloud security threats.

The best defense against software vulnerabilities is diligent and prompt corrective action by developers and operations staff. Crucial tasks, such as vulnerability scanning, reporting, patch management and configuration enforcement, can help find and mitigate software vulnerabilities in the cloud. Advanced development tactics might also enable complex threat modeling, detailed code security reviews and detailed penetration testing.

5. Unprotected IoT devices

In the next few years, internet of things (IoT) devices will add tens of billions of individual data collection sensors and actuators in the field. Each device is a network endpoint, complete with a configuration and IP address. Poor software design, configuration errors and other oversights can open up a device to malicious actions and expose the device's data.

IoT devices require heavy automation for setup, configuration and patching. A single error or oversight could unknowingly multiply through the use of automated IoT management tools and create thousands -- even millions -- of new attack vectors.

Threats don't just come from the sensors that collect data. There are countless IoT actuators, such as values, solenoids and switches, that respond to commands sent across the network, including from cloud-hosted workloads.

Make sure next-generation IoT devices have strong network security features. Additionally, regularly examine the setup and management of IoT devices to make sure they maintain the most secure device posture. Experience is critical, and tools must provide logging and alerting capabilities that document any changes that take place over time.

Dig Deeper on Cloud security tools