Hackers are always on the lookout for vulnerabilities in IT systems, and enterprises need to be on guard. While there are many tools to help protect data and detect threats, there is one cloud security risk these tools can't always account for: the human factor.
End users and IT teams aren't perfect. They are susceptible to phishing attacks and can make other common mistakes, such as using confidential information off-site or improperly deploying security services. What's more, cloud security best practices are often in conflict with employees' desires to complete work as quickly and effectively as possible.
"Most employees want to follow security procedures, but security tools are not always intuitive and easy to use," said Jeremy Bergsman, practice leader at Gartner.
To address human risk factors in the cloud, organizations need to understand the limitations of their tools and create a security-conscious workforce.
Phishing attacks are designed to trick individuals into exposing sensitive information via website links and direct responses. In many cases, the software appears legitimate, causing employees to fall victim to the attack and compromise IT systems.
In addition, with the rise of mobile devices and cloud, a significant amount of enterprise data has also moved off-site. It's increasingly common for users to access confidential information from home, a local coffee shop or a hotel room -- where the networks might be more open to interception.
To keep information safe, use data leak protection services, which can identify documents that contain sensitive information -- like account numbers -- and alert employees to a potential cloud security risk. In some cases, these tools also prevent access to certain off-site data. Some vendors in this space include CA Technologies, Cisco, Digital Guardian, Veracode and Symantec.
IT teams are also prone to human error that can introduce a cloud security risk. For example, patch management has been a long-standing problem. IT teams are sometimes slow to roll out updates that remove security vulnerabilities because they have other pressing issues. In a public cloud environment, however, providers are responsible for these updates, which can minimize this risk.
But don't expect providers to hold all security responsibility for cloud environments; IT teams still need to guard against threats. Many companies, for example, now have citizen developers who cobble together cloud applications but have limited or no technical expertise. While security features might be available in the tools they use to build these applications, some novice developers might not turn them on, leaving applications vulnerable.
In general, the move to cloud means IT teams need to adjust their management processes. Not all legacy system best practices make sense in a cloud environment, according to Jim Reavis, CEO of Cloud Security Alliance. Companies need to change their mindset, deploy next-generation firewalls and use tools that operate as a service rather than as an appliance.
Many organizations have security tools or services that monitor cloud deployments and system logs. Many of these tools automatically send out an alert if they detect a potential threat. While some of these alerts are legitimate, some aren't, which can overload security teams. With such large volumes of data, IT pros might ignore warnings of a potential cloud security risk and then discover, too late, that there was an attempt to compromise their system or an actual breach.
"The past few years have seen explosive growth in compute resources, well beyond anything that happened in the past," Reavis said. "Many companies are not scaling and increasing the number of security professionals needed to evaluate potential risks."
What's more, IT teams often deploy security controls in an ad hoc manner that leads to problems down the road. Mergers and acquisitions exacerbate this problem because security tools often aren't standardized. This might require, for example, a cloud security team to manage multiple autonomous virtual private networks and potentially forget to make a required change to one, leaving the network open to attack.
Focus on the long run
Enterprises need to develop company policies, deploy standard tools and invest in training so end users and IT teams better understand their roles in cloud security. Avoid quick fixes; the best way to minimize human error is to invest in a long-term approach and fully follow cloud security best practices.
"Management needs to realize that there is not [just] one step that they can take that will reduce the risk problem by 90%," said Dan Blum, managing partner and principal consultant at Security Architects Partners.