How to secure your cloud environment? Assume nothing
The weakest links in any business’s cloud environment are very often the misconceptions and assumptions that surround it.
That’s the view of Simon Martyn, Head of the Mint Group’s recently launched Managed Services Business. He expresses that the need to establish a secure cloud foundation for a business’s cloud environment has never been more important. This is given the fact that cyber crime is estimated to have mushroomed by 600% since the start of the COVID-19 pandemic.
According to Martyn, as lockdown continues to rapidly change the way in which business is conducted, cyber criminals are quick to exploit the vulnerabilities that arise as a result.
“It has been estimated that hacker attacks occur every 19 seconds around the world. Ransomware has taken on the proportions of a pandemic in its own right.”
Although 92% of malware is delivered by e-mail, attackers are also constantly on the lookout for other entry points to the business network. This is the point in which they traverse the entire environment in order to steal, destroy or take control of the business’s assets,” he says.
Supporting studies indicate that between 80% to 85% of businesses that move to the cloud are compromised through cyber attacks. However, Martyn dismisses the notion that this is because the cloud is more vulnerable to attack than on-premises infrastructure.
A bigger playfield
The cloud presents a much larger attack surface, despite a common assumption by its users that standard cloud services deliver all the security required.
Furthermore, a great number of businesses assume there is no need for operational oversight when they move to the cloud.
While the cloud offers an enormous amount of capability, Martyn estimates that many subscribers use only 60% or less of the services provided. While this might be a cost issue for some, it’s often because of an assumption that the service has already been applied.
People are the instruments to your security
“There is a widespread belief that moving to the cloud, or being in the cloud, does away with the need for an IT department because of the misconception that the cloud runs itself. However, operational oversight, security monitoring and health monitoring activities are needed, as is the tracking of all deployed services and checking that the services required are actually turned on,” he explains.
“In addition, the rapid pace at which security threats evolve demands constant configuration and customisation of the platform. Because there are not always wizards to assist with this, an advanced level of IT competence is required.”
Martyn states that businesses need a secure cloud foundation that is cyber resilient, operationally efficient and safe to run their applications, store their data and collaborate safely in the cloud.
He offers these six critical suggestions to ensure a secure cloud foundation:
1. Secure the identities of all users
This includes all personnel who have access to the company network infrastructure. This is achieved through the utilisation of multi-factor authentication and other advanced security controls. Thereafter, apply advanced management, auditing and control over those identities, with proactive visibility of all authentication factors and access across the entire environment.
2. Ensure appropriate company security policies are in place
This will need to be activated to control, manage and enforce the required security control. Subsequently, it also requires adoption and change management to encourage users to comply with the security requirements.
3. Utilise the cloud’s embedded instrumentation and monitoring capabilities
This will monitor the health, activity and security of the cloud foundation and any services deployed. This should then be extended for each additional service added after the initial deployment.
4. Enable and enforce the available policies and capabilities
This will protect all data and limit access to sensitive data repositories that are established in the cloud; providing holistic protection over data using the encryption and protection controls that are available in the cloud.
5. Utilise a holistic security and data protection strategy
This will ensure all services and solutions that are deployed on top of the cloud foundation are adequately secured, and that the data is effectively protected and backed up or mirrored between regions to provide additional layers of recoverability.
6. Ensure that all controls, services and solutions are managed
Make certain they are maintained throughout the cloud landscape in order to maintain the best possible security posture at all times. It’s important to remember that aspects of the environment that might be secure today, may not be tomorrow.
“The threat landscape is very broad and ever changing. It is vital to protect not only e-mail and electronic collaboration services, which are very common targets, but the entire infrastructure as cyber criminals constantly scan networks, looking for a weakness that will allow them to enter the network.
“Fortunately, cloud environments are better equipped than ever before in terms of security controls. They also contain far more security, governance, control and advanced security capabilities, as well as contacts of other services that would have been unaffordable for many organisations in the past. However, they must be enabled or configured to provide the benefits they promise,” Martyn concludes.