Pythian Blog: Technical Track

Cloud security: what you don't know will hurt you

If your organization isn’t doing business in the cloud today, it might have some catching up to do. A 2017 report by LogicMonitor suggests that 83% of enterprise workloads will be in the cloud by 2020. Yet the same study tells us that security will continue to be a major worry in the move. In fact, security was identified as the number one concern in cloud adoption for fully two-thirds of the IT professionals surveyed.

The reasons for the concern are obvious. Disastrous data breaches are now depressingly commonplace, and they come with devastating costs. A UK study by CGI and Oxford Economics found that cybersecurity breaches caused long-term damage to the share values of the companies affected, with an average permanent drop of 1.8% in share price. (For investors in a typical FTSE 100 firm, that represents an overall average loss of £120 million.) In the most serious attacks, the report found, cyber breaches reduced a company’s value by as much as 15%. And keeping the bad news quiet is no longer an option: The strict rules of Europe’s new GDPR force companies to report these breaches, making it almost inevitable that financial markets will respond unfavourably.

Since very few companies can afford the costs of a data breach, it’s essential that organizations take whatever steps are necessary to protect their cloud-based data, and with it, their reputations.

Cloud computing represents a wonderful liberation. After all, it allows you to offload the headaches and costs of an ever-expanding on-premises data center to a reputable third party. But that liberation comes with a cost. As more and more businesses move to the cloud, those huge repositories of data become irresistible targets to hackers, many of whom are backed by organized crime and rogue states.

In response to this growing threat, the Cloud Security Alliance has identified 12 security issues of critical importance. The issues, known as The Treacherous 12, are ranked in order of severity (as determined by survey responses):
  1. Data breaches
  2. Weak identity, credential and access management
  3. Insecure Application Programming Interfaces (APIs)
  4. System and application vulnerabilities
  5. Account hijacking
  6. Malicious insiders
  7. Advanced Persistent Threats (APTs)
  8. Data loss
  9. Insufficient due diligence
  10. Abuse and nefarious use of cloud services
  11. Denial of service
  12. Shared technology issues

As we see, these threats come from a range of sources. Good cloud security responds in several ways, and in many places. It creates an ecosystem that blends people, process, policies and technology in order to protect data and applications that operate in the cloud.

But, more importantly, a good cloud security plan fully accepts the notion that data security is a shared responsibility. The major cloud service providers all boast of their excellent security, and rightly so. But that doesn’t mean they can guard against the security lapses of their customers. For example, if a company puts an unpatched operating system on a public-facing IP address, that company won’t be helped by the fact that its site is hosted on Azure, AWS or GCP. An attack is certain to come within minutes, and the security provisions of Azure, AWS or GCP will be powerless to stop it.

It’s important to know where your provider’s responsibilities end and where yours begin. While your cloud provider is accountable for securing its hardware and compute infrastructure, you’ll still be in charge of safeguarding your applications, account controls, deployment architecture, configuration management, and so on. In some ways, it will be as if your data never left your premises.

So, if the responsibility for data security is still largely in-house, how do you manage it? This is where cloud security consultants can help. They can study how you process and store your data, and come back with a customized data-governance protocol that matches your needs. They can also handle security assessments and penetration testing to make sure compliance requirements are met and your data is protected.

Today’s business requires the power and flexibility of the cloud. But it also needs a strong defense against the vulnerabilities inherent in that technology. By understanding your attackers and building intelligent strategies for thwarting them, you can embrace cloud computing while minimizing the risk to the security of your business.

Learn how Pythian can help secure your data in the cloud.
