There are mixed opinions about whether the cloud is more secure for many organizations.
The biggest difference between cloud security and traditional on-prem security is the shared responsibility model. Major cloud providers, such as AWS, Microsoft and Google, have made considerable investments to keep up with emerging security threats. They also provide an extensive identity and access management (IAM) infrastructure, but enterprises still need to do their part.
"Just because you're moving your application to the cloud doesn't mean you're shifting your cybersecurity responsibility to the cloud provider," said Steve Tcherchian, chief product officer for XYPRO Technology, a security software provider.
The same strategy, controls and monitoring need to be deployed to any cloud infrastructure to ensure everything is properly secured. However, it is still the responsibility of the enterprise to ensure cloud security best practices -- or it will be just as insecure as not securing an on-premises environment.
"Cloud providers are inherently more secure in several areas," said Richard Stiennon, chief research analyst at IT-Harvest and author of Secure Cloud Transformation: The CIO's Journey. These include distributed denial-of-service (DDoS) attacks, easier configuration management, automated security updates on SaaS services, and consolidated security logging and access management.
For example, it's much harder to conduct DDoS attacks against a server hosted on a cloud network, which often has hundreds of gigabits of capacity available and isn't easily overwhelmed. Cloud configurations are also more standardized than on-prem configurations -- a simplification that makes securing them easier. Stiennon believes the use of new security methodologies, like zero-trust networking, could end opportunistic attacks on the cloud.
In general, Stiennon believes cloud attacks are much less devastating than on-prem attacks. In cloud, attacks are typically limited to one misconfigured service, whereas on-prem attacks can take out entire infrastructures, as recent ransomware attacks have demonstrated. Most of the breaches in cloud reported to date have been improperly secured S3 buckets, which are often found by researchers, not attackers. That said, an exploit of a cloud provider's back end could expose billions of records, which proves the importance of layered defenses, Stiennon said.
The biggest security issues Stiennon has found were caused by enterprises not taking advantage of cloud providers' configuration, logging and security tools. Another challenge comes from implementing security piecemeal by hosting part of the infrastructure in the cloud but maintaining critical components in the legacy data center, such as DNS, encryption keys and Active Directory.
Cloud less secure in practice
Despite the security advantages of the public cloud, recent evidence suggests the cloud is actually slightly less secure in practice. A report from security vendor RiskRecon found 60% of organizations had a greater number of severe vulnerabilities in their cloud services than they had in their on-prem systems.
Steve TcherchianChief product officer, XYPRO Technology
However, the vulnerabilities were not evenly distributed. Enterprises that run workloads on AWS and Microsoft Azure had significantly less critical vulnerabilities in the cloud as they had on premises, according to the report.
Still, the major cloud providers have a lot more work to do to help customers build comprehensive security in the cloud, such as educating users and creating automated testing tools. They also must balance their security concerns against the demand to make their services more powerful and flexible. Nevertheless, cyberattacks are a crime of opportunity, so applications can be vulnerable regardless of where they reside, Tcherchian said.
Access to visibility
Enterprises need a way to see into their environment to keep it secure. The cloud can lower the barriers for enterprises to implement high-end tools, like security dashboards and trend analysis. There are many systems that can provide visibility for in-house enterprise systems, but the integrated nature of cloud-based products makes this easier and relatively cheaper, said Thomas Johnson, chief information security officer at ServerCentral Turing Group.
On-premises systems and infrastructure don't have the agility of cloud-based systems. For example, an enterprise can spin up technologies, such as AWS Shield Advanced, to get better visibility into attacks in minutes. In contrast, launching new on-prem solutions could consist of either new hardware or, at minimum, spinning up additional VMs to support a new product, Johnson said.
Build out IAM
The major cloud providers prominently feature IAM, governance, and other security tools and tutorials to help customers map their journey to the cloud, said Kris Lahiri, co-founder, vice president of operations and chief security officer at Egnyte, a content collaboration platform. "Many of these best practices, like managing encryption keys or continuous scanning of cloud resources, were previously a lot harder to get to," he said.
This is particularly important because the cloud requires a new security paradigm based on IAM to replace perimeter security tooling on premises, such as firewalls and VPNs. As companies move to the cloud, they must institute core organization policies via IAM rules in order to create a better security posture overall.
Conduct a mini-audit
It's important to assess the lifecycle of applications and data as they move to the cloud to identify any potential security vulnerabilities. Companies should conduct a mini-audit to fully understand the security related to cloud-related processes, said David McPherson, associate at Step5, a digital transformation consultancy. Important information to find out includes the following:
- Data location: Find out where the data is hosted, what services are being used and who is accountable for that data.
- Service additions: Identify who is adding and scaling services. Also, find out who is allowed to add services and check the terms of the additions.
- Leaving terms: Look at the leaving terms of services to see what happens when an enterprise decides to exit the cloud.
Reduce impact of human error
Human error is the biggest risk that contributes to making the cloud less secure, said Chun Cheng Liu, infrastructure lead at Umbo Computer Vision, an AI camera platform. On the business side, this means making sure that your employees are up to date on security procedures and receive necessary security training, regardless of the employee's role in the company. This reduces the likelihood of a careless mistake leading to a security breach.
For example, Umbo created a security portal that trains employees on security policies and practices when they are onboarded. "Every member of the Umbo team also receives security training during onboarding, as well as on an ongoing basis, so that no one is left behind when things change," Liu said.
Problems like misconfigured Amazon S3 buckets are often a function of lack of product knowledge, Johnson said. It can be hard for an individual to intrinsically know all the nuances of the various cloud providers with regard to security. It's wise to work with an expert with knowledge of the target platform, especially in the beginning of a cloud migration.