Your Role in Securing Data in Cloud Applications
The rapid and continuous adoption of Cloud applications has been pivotal for digital transformation initiatives and enabling global workforces. Their importance to an organisation, also makes Cloud applications primary targets of cyber criminals to gain illegitimate access to company data and networks.
With these applications and platforms becoming essential to modern business, securing them is critical. The challenge organisations are facing now – how do they secure a third-party platform?
We brought together a group of security directors, senior architects, and VPs of security to discuss their organisation’s approaches to securing data in the cloud and more about:
- The customer’s role in the ‘shared responsibility’ model of security
- The threat actors targeting the cloud
- How you can know if your security is sufficient, or if you’ve been compromised
Rela8 Group’s Technology Leaders Club roundtables are held under the Chatham House Rule. Names, organisations and some anecdotes have been withheld to protect privacy.
About WithSecure™
WithSecure™ is cyber security’s reliable partner. IT service providers, MSSPs and businesses – along with the largest financial institutions, manufacturers, and thousands of the world’s most advanced communications and technology providers – trust them for outcome-based cyber security that protects and enables their operations. Their AI-driven protection secures endpoints and cloud collaboration, and our intelligent detection and response are powered by experts who identify business risks by proactively hunting for threats and confronting live attacks.
WithSecure’s™ consultants partner with enterprises and tech challengers to build resilience through evidence-based security advice. With more than 30 years of experience in building technology that meets business objectives, WithSecure™ have built their portfolio to grow with their partners through flexible commercial models.
The move to the cloud
Cloud computing is nothing new. Businesses have been utilising and moving more and more of their operations into the Cloud for years. The Cloud offers speed, flexibility, scalability, and is widely accepted as a vital component of modern business. In spite of its ubiquity, securing the Cloud still remains a major hurdle for a lot of organisations, something cyber criminals are more than happy to take advantage of. Security in the Cloud is something that is often taken as a given, but at the end of the day, organisations can only influence third parties to a certain extent. Protecting your data in the Cloud starts at home.
Sharing responsibility
The shared responsibility model is something that all cloud applications subscribe to. Most contracts and SLA’s will reference it, so understanding what it means is vital for customers investing in Cloud services. Simply put, the Cloud provider is responsible for application-level controls, network security, storage security, security of the hosting infrastructure, and physical data centre security. What they aren’t responsible for is the security of the data the customers host, or the identity and access management of the platform.
It is this division of responsibility that opens businesses up to risk. Threat actors will quickly take advantage of customers who assume that the Cloud provider will manage security. The Cloud needs to be treated as an extension of on-prem environments and the same security standards must be implemented across both. Migrating to the Cloud is a long and costly journey and the risk inherent with the Cloud is resulting in more risk averse industries being reluctant to transition. These industries will soon find they aren’t able to compete without the scalability and flexibility of the Cloud, but fortunately for them, tools exist today that can help enable this transition securely.
While the shared responsibility model refers to the relationship between the customer and the Cloud provider, it is also important for organisations to internalise the idea of a shared responsibility for security. Security cannot be left to sit solely with IT or security teams, the entire business needs to understand and address their part in keeping the company safe.
A secure culture
Part of understanding shared responsibility is embracing an organisation wide culture change. Huge investment is required to secure the Cloud and getting the board on-side from the beginning will go a long way to helping. Start by making the board accountable for security. Explain to senior leadership the risks and ask them to either accept them or invest. Bring them into the conversation, contextualise the challenges and the risks, and change the language to be about business enablers and business risk. As for the wider business, the quickest time to value is awareness driven by effective cyber security training.
By and large, boards and executives do understand that security is important. Framing the discussion in a way that helps them understand the repercussions and the damage it can cost to the brand and the organisation’s bottom-line numbers is a good way of securing investment. However, it is still far to common that this support isn’t secured until after the business suffers a breach. Ultimately, an ounce of prevention will always be worth a pound of cure.
Stepping stones
When securing a Cloud environment, it’s important to understand that the Cloud itself is rarely ever the target. Threat actors aren’t looking to take out the Cloud, they want to use the Cloud to get access to your internal network. An unsecured Cloud allows threat actors to bypass security and deliver dangerous payloads directly into an organisation in a stepping stone attack.
Defending against these types of attacks revolves around strong identity access management as well as automated alerts designed to identify suspicious behaviour should a threat actor get inside. Zero Trust practices, multi-factor authentication, and cloud access security brokers are all vital to defending the identity perimeter. If someone does get inside, what then? If stepping stone behaviours such as trying to access local admin files send up alerts for security teams to investigate, very little movement is going to be afforded to malicious threat actors.
A business can and should always do everything in its power to protect from security risks. But what about the Cloud providers themselves? Third-party risk management is critical when vetting your partners. Run threat exposure and penetration tests on them, ask to run your authenticated scans. You can’t ever fully trust third parties, but you can do your best to evaluate the risk vs. the business need and ensure this risk is communicated and accepted.
Are you secure?
No one is 100% secure. The attack surface for modern organisations is massive and is constantly growing between hybrid cloud environments, remote devices, and APIs. That said, there are a number of steps businesses can take to frustrate attackers and ensure that when they get in, they can’t get out with anything.
Businesses should start by managing their vulnerability. Maybe legacy systems leave you vulnerable? Can they be migrated to the Cloud? Do they need to be? Not all legacy systems need to be migrated if in doing so they create more risk. If legacy systems are working where they are it’s OK to leave them be, just make sure they are secure. Strong data loss protection and access controls will provide a clear overview of your data flows and who is accessing what. If you don’t know what or where your data flows are, you can’t protect them. Again, driving a whole organisation approach to security accountability is crucial to ensuring that data flows are clean.
A secure Cloud
The first step for a more secure Cloud is understanding that the Cloud isn’t inherently secure. Businesses should be doing whatever they can to ensure that the same security measures they would have in place on-prem are enforced in the Cloud as well. There are myriad tools that businesses can deploy to protect themselves and their customers in the cloud such as CASB, effective DLP, and IAM.
The job isn’t done once these tools are in place. Securing the Cloud is about continuous monitoring. Test your security, test your Cloud partners security, test them again. There will always be a risk associated with third-party partners, a secure Cloud environment is one that understands this and puts every security in place to mitigate that risk.