Managing Risk: Cloud Security Today

According to a new study from the Ponemon Institute, over half (60%) of IT and security leaders are not confident they can secure access to their cloud deployments.

The Global Study on Zero Trust Security for the Cloud surveyed nearly 1,500 IT decision makers and security professionals worldwide to examine the pain points they experience in securing cloud environments and how Zero Trust security methods can enable digital transformation.

Enterprises face a multitude of barriers to securing diverse cloud environments, with the top challenges cited as network monitoring/visibility (48%), in-house expertise (45%), increased attack vectors (38%) and siloed security solutions (36%). In addition, 62% of respondents say traditional perimeter-based security solutions are no longer adequate to mitigate the risk of ransomware, distributed denial of service (DDoS) attacks, insider threats and man-in-the-middle attacks.  

“Organisations are at a crossroads, understanding that legacy security solutions aren’t cutting it in the cloud while facing a growing need to mitigate evolving risks,” said Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute. “This new global research proves that Zero Trust can help address these challenges, while also offering benefits beyond cloud security, particularly around increased productivity and efficiency for IT teams and end users alike.” 

And high levels of security are now vital for all enterprises: Research from Thales finds that enterprises are storing sensitive data in cloud providers, but not exclusively. Most respondents (66%) store 21-60% of their sensitive data in the cloud. Only 22% store more than half (61-100%) of their data in the cloud. This suggests that many enterprises still store a significant amount of sensitive data outside cloud environments, likely on-premises or privately hosted infrastructure. More than half (51%) of respondents agree that managing privacy and data protection in a cloud (multi-cloud or hybrid) environment is more complex than on-premises.

Speaking to Silicon UK, Bob Scalise, Managing Partner, TCS Risk & Cyber Strategy, advocates a multi-level approach to cloud security: “Organisations need a cloud security strategy with three key elements to secure the enterprise: in-built security, a data-centric and automation-first framework, and a holistic approach to unlocking the potential value of digitalisation.

“At TCS, we recommend a balanced and centralised approach to cloud security for enterprises to manage their various cloud environments, based on performance, risk, cost, and security, that can be easily configured through a single console. This should be infused with a risk-based approach to control collection, reporting, management, and governance of data, incorporating field-level encryption for financial data, PHI, and PII. In addition, there should be regular cybersecurity training for staff to help ensure their online activities are in line with time-tested security frameworks and procedures.”

Threat parameters

Integrating and flexible security becomes critical as multi-cloud becomes the norm. According to Thales, “There is a notable increase in the use of multiple IaaS providers. In the 2022 survey, 72% of respondents reported using multiple IaaS providers, compared with 57% the year before. More striking still, the number of respondents using three or more IaaS providers doubled to 20% from 10%. Enterprises surveyed reported using an average of 53 SaaS applications (weighted average).”

A clear issue for many businesses has been their tendency to adopt multiple cybersecurity applications and services, many of which are siloed. A more integrated approach to digital security is critical as threats evolve. Mal and ransomware are commonplace, as are phishing attacks, as the threat surface has expanded thanks to remote mass working.

And as the 2022 Cloud Security Report, Cybersecurity Insiders, concludes, ensuring security applications and services are configured correctly to deliver maximum protection is critical: “We asked cybersecurity professionals about the cloud security threats that most concern them. Misconfiguration of cloud security remains the biggest cloud security risk according to 62% of cybersecurity professionals in our survey. This is followed by insecure interfaces/APIs (54%), exfiltration of sensitive data (51%) and unauthorised access (50%).”

Learn more about the importance of correct configuration on the Silicon UK In Focus Podcast.

GCHQ advisor and cybersecurity veteran at SonicWall, Bill Conner, commented on the rise in attacks: “We are dealing with an escalating arms race. At the same time, threat actors have gotten better and more efficient in their attacks. They are now leveraging readily available cloud tools to reduce costs and expand their scope in targeting additional attack vectors. The good news is, that the cybersecurity industry has gotten more sophisticated in identifying and stopping new ransomware strains and protecting organisations.”

Conner continued: “There’s better cooperation between the public and private sectors, and greater transparency in many areas. New threat detection and remediation tools have emerged and there’s a greater public awareness of how prolific cyberattacks are. It’s a cyber-arms race that will likely never slow, so we can never slow in our efforts to protect organisations. Although our industry is faster, smarter, and more responsive than ever, the continued challenges to keep pace with changing tactics and behaviour of increasingly sophisticated bad actors, we need to continue building a unified front for the next phase of this conflict.”

 Hybrid and secure

An effective cloud security strategy is multifaceted to manage the evolving attacks business cloud deployments could come under. Having skilled staff to manage these strategies can also be a challenge.

“Virtually all organisations in our survey (93%) are moderately to extremely concerned about the massive skills shortage of qualified cybersecurity professionals,” The Cybersecurity Insiders report revealed. “Together, the Cybersecurity Workforce Estimate and Cybersecurity Workforce Gap suggest the global cybersecurity workforce needs to grow 65% to effectively defend organisations’ critical assets.”

Also, how data is protected when it is a rest and in motion must be carefully considered. “Enterprises see encryption and key management as important security controls in the cloud,” says Thales. “They are experiencing challenges with key management solution sprawl and have varying strategies to control encryption keys, which may indicate an opportunity to centralise and consolidate solutions. Enterprises are also embracing zero trust, especially for cloud access, and investing accordingly. The combination of these capabilities is helping enterprises to secure complex multi-cloud environments and enabling cloud transformation to support a remote or hybrid workforce in whatever conditions the future holds for them.”

TCS Risk & Cyber Strategy’s, Bob Scalise advises: “A fully integrated digital ecosystem of partners and suppliers, including third-party vendors and their suppliers, can expose a business to more cyber threats from a growing number of vulnerable areas in corporate IT systems, and a more complex threat landscape. However, from our research, it is clear that although enterprises increasingly rely on digital ecosystems for collaboration, ‘ecosystem partners’ was ranked in last place (10th), with only 16% viewing ‘digital ecosystems’ as a concern. Only 14% listed ecosystem risk as a top priority from board-level discussions. This shows that cyber executives may not be sufficiently prioritising threats beyond the immediate boundaries of their own organisations, such as vulnerabilities in their supply and value chains.

Ultimately, cloud security must form the bedrock of every enterprise. As the cloud reinforces its importance for efficient business processes, adequately protecting these assets is paramount.

Tom Ascroft, CISO, Unit4.

Tom joined Unit4 in February 2021 and is accountable for Unit4’s Cyber Security globally, identifying emerging security threats and developing strategies, policies, overarching controls and organizational security culture that are pivotal to mitigating them. Before joining Unit4, Tom was Chief Information Security Officer at the University of Surrey, where he transformed and re-shaped the cyber security offering with the IT Services department. Previously Tom held the Director of Information Security role across EMEA for Avanti Communications, followed by Head of Information Security Consulting for Legal & General PLC in the UK covering Information Security requests, third-party Cyber assurance, Penetration Testing, and Application Testing. Tom holds an MBA from Warwick Business School.

What are the current challenges facing businesses securing their cloud deployments? 

“Moving to the cloud is generally a more secure option for most businesses. This is for several reasons. First and foremost, most cloud organisations have far more extensive and more experienced security and IT operations teams which means all the basics are being covered. Also, the cloud providers are usually the ones that have written the application and, as such, are best placed to keep it secure.  

“The main challenge for most organisations is trusting the third party SaaS provider that they are moving their service to. The SaaS provider can gain this trust in several ways, including having the appropriate contracts, safeguards, people, processes, procedures, technologies and certifications in place. For example, Unit4 takes security exceptionally seriously, leveraging the Azure Security for cloud-native applications and securing key security standards certifications ISO27001, ISO270017, SOC1 and SOC2 for its cloud solutions infrastructure.”

How has the pandemic influenced how cloud security is now managed?

“The pandemic initially caused many organisations to de-restrict things to make them more accessible for their employees, but this also made it more accessible for malicious, resulting in many organisations being comprised. Consequently, the move to hybrid and remote working has made it necessary that endpoint security is managed well and that the right tools are in place to support remote staff.

“For example, Unit4 has fully implemented Microsoft Intune to manage its endpoint devices and Multifactor Authentication to ensure all devices are kept up-to-date while only authenticated people can access the systems.  Another key lesson from the pandemic with so many people working remotely is that companies ensure their staff are appropriately trained in Cyber Security and Privacy awareness and understand how their systems support business outcomes. Having the skills to be aware of the consequences of inadequate security habits and what it will mean for the business should keep employees alert to the dangers and motivated to avoid security breaches.

As multi-cloud adoption expands, how does this impact the security that businesses must also continually evolve?

“Identity is a key factor in ensuring that right people have the right access at the right time and this is removed when no longer needed especially in multi-cloud environments. Identity Access Management (IAM) solutions can assist organisations in ensuring this is kept up-to-date. For example, Unit4 is partnering with Okta to enhance its identity solutions and improve customer experiencing when accessing its portals. It is imperative that Identity is handled well by cloud providers to ensure that people can access what they need when they need to in an inhibited but secure way.”

What kind of attacks are businesses seeing on their deployed cloud services? How are these attacks being mitigated? 

“Cyber Security attacks are continuing to evolve, but the same basics attack mechanisms still remain. Access can be achieved through exploiting weaknesses in public facing systems or by unauthorised elevation of privileges within systems. The essentials of good user access management including joiners, movers and leavers processes are even more key when these systems can be accessed from anywhere.”

Is a lack of technical skills still a clear and present danger to businesses as they expand their multi-cloud estates?

“As things evolve it is sensible to ensure that core systems operational knowledge is well documented and retained. Lack of technical skills can lead to poor design choices that can be fundamentally insecure. It is sensible to ensure there is a core set of personnel that understand your technical estate end-to-end who can work with you SaaS provider to ensure the right business outcomes are achieved in a secure way.”

“Understanding your marketplace and the needs of your customers with a clear strategy to reach those customers to provide your service is critical to ensuring those services can be kept appropriately secure.  SaaS solutions can solve a wide range of problem for many businesses, but they also create other challenges. Having a core set of people who can work with your SaaS providers who understand this strategy and your marketplace is the best way to gain the benefits of SaaS.”