Get cloud security right

Johannesburg, 16 Apr 2020
Richard Beckett, Public Cloud Senior Product Marketing Manager, Sophos.

The adoption of cloud has long been in lockstep with security concerns. In the early years, the cloud was considered insecure. It has shed some of this reputation through an extensive focus on security challenges. But cloud's popularity then created new difficulties as attack surfaces and complexity grew. The advent of hybrid cloud and multi-cloud environments has only added to both.

"While organisations may manage aspects such as firewall and server host security well, they are struggling with the configuration of cloud resources," says Richard Beckett, Sophos Public Cloud Senior Product Marketing Manager. "They are making mistakes and misconfigurations that create vulnerabilities an attacker could exploit to gain access or run malicious code."

These mistakes are evident in surveys. Gartner has claimed that even by 2023, 99% of cloud security failures will stem from errors by customers. A considerable number of these relate directly to end-user mistakes: in a Cybersecurity Insiders survey, 42% of respondents pointed to misuse of employee credentials and improper access controls as primary sources for breaches.

Clearing the confusion

But it doesn't need to be like this, Beckett explains. The burden of configuring cloud environments for security shouldn't be any more significant than for on-premises systems. But if you try to configure the former as the latter, you'll get nowhere.

"Organisations can now take advantage of tools they didn't have on-premises - tools that automatically map compliance and security best practices to cloud infrastructure. These tools allow organisations to avoid the time and energy spent defining policy and carrying out assessments, which are unlikely to top anyone's wish list!"

Using such tools, companies can avoid big-bang audits, and instead create a manageable task list embedded into standard workflows. They can continuously analyse compliance statuses using pre-built and customisable policies, and assign and track any actions to the relevant team.

Have a plan

Additionally, comprehensive security needs a good strategy. Beckett recommends seven steps to develop and guide a suitable security approach, detailed in a Sophos whitepaper:

  • Learn your responsibilities
  • Plan for multi-cloud
  • See everything
  • Integrate compliance into daily processes
  • Automate security controls
  • Secure all environments, including development and QA
  • Apply on-premises security experience

The whitepaper explores these points in more depth, but we can highlight several observations here.

Knowing your responsibilities is very important. It's a mistake to assume a cloud provider covers all security requirements. Though many public cloud providers use a shared responsibility model, not all customers realise this. And even if they do, they can often focus on the wrong things, says Beckett.

"The challenge is not so much one of shared responsibility, but awareness of new threats and attack planes. Customers are used to protecting their on-premises network in a traditional way, with all traffic going in and out through one defined ingress/egress point - all protected by the firewall. But in the cloud, customers need to think of their networks having multiple potential openings. They equal multiple potential access points for someone, or something, to get in and out."

It is crucial to appreciate that cloud security is decentralised security. This attribute speaks to several of the above steps, such as seeing everything, and looking for better integration and automation. These steps are essential because good security has to follow the workloads and environments it protects. An example of this is DevOps, where development is often faster than what any typical protection can handle. Such scenarios require new types of security.

"Customers should look for security solutions with APIs that can be integrated with existing DevOps build pipeline tools and processes. These are tools they are already familiar with in their build pipeline for creating new infrastructures - such as GitHub and Jenkins."

Don't disregard older security expertise. Even though the security game seems to have changed radically, many of the fundamentals still hold. It's the environment that has fundamentally shifted, and it requires a broader set of tools and plans to manage.

To help close the gap, security providers are instrumental partners. If you use them in short-term engagements, says Beckett, you can discover much of what you need to know.

"To find the model that best suits your needs, seek out vendors that offer a range of flexible consumption options. Look for options including 12-month term contracts, monthly billing of aggregate usage via managed service providers, and pay-as-you-go offered by vendors via the cloud provider marketplaces. These allow customers to start with complete flexibility."