How to Implement an Efficient Cloud Security Strategy: The Experts Guide
- by 7wData
According to IBM, 98 percent of companies will be using multiple hybrid cloud environments by 2021. This trend isn’t surprising. There are many benefits to operating in the cloud such as improved productivity, an increase in elasticity and huge cost-savings, to name a few. However, we keep seeing a range of issues when it comes to cloud security. From open S3 buckets to a lack of identity access management, why are large organizations struggling to implement an efficient cloud security strategy?
To try and answer that, we asked a range of cloud security experts to share their thoughts on some of the key cloud security challenges and provide advice on how organizations can implement a cloud security strategy that will keep them secure.
Here are their answers.
So, you’re joining the stampede to the cloud but are struggling not to be trampled. This phase is about survival, not elegance. Use your limited resources strategically. I would recommend three broad courses of action:
1) Triage – What are the key assets moving into the cloud that the company can’t afford to lose? Give them the resources first. Let the low-value asset owners know that they are at risk.
2) Focus on ROI – The first five of CIS’s top 20 controls block 85% of all attacks. The other 15 controls give you only 12% more coverage. Spend your time on controls that give you return.
3) Recruit the Masses – According to IBM, two-thirds of records lost were the result of human error, not state-sponsored hacking. You won’t stop issues like misconfigurations via education, but you will slow the leak.
It would also be useful to create a five-minute video that describes the top three cloud configuration errors in business manager language (i.e. small words, short sentences, color pictures). You can then point business managers toward self-help data for the technical detail.
A great start for any organization wondering how to create an efficient cloud security strategy would be to tap into the wealth of free and vendor-agnostic information offered by the Cloud Security Alliance (CSA).
The CSA is a not-for-profit, collaborative organization with over 80,000 members & practitioners offering a wide range of industry expertise. Its mission is to “promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.”
One of the best documents to begin with is the CSA’s ‘Security Guidance for Critical Areas of Focus in Cloud Computing.’ This guide provides a great overview of the cloud itself and of essential high-level security considerations.
Then take a look at their Cloud Controls Matrix (CCM), a baseline set of security controls to help enterprises assess the risks associated with a cloud computing provider.
For those who wish to take matters more seriously and seek professional training and certification, the CSA has also partnered with (ISC)² to establish the CCSP (Certified Cloud Security Professional). Effectively, CISSP applied to the cloud!
There are two key challenges we see organizations struggling with: crafting policy and enforcing policy.
Both are challenging because consistency is a key constraint on both. Because there can be technical challenges to consistently creating and enforcing policies, organizations end up with mismatched security capabilities. They basically implement what they can in each environment even though it may be different from the desired state.
This usually happens because orgs adopt systems and services in the cloud that are different from what they use on-premises. Alternatively, they might be forced to adopt different systems and services across cloud providers.
One way that organizations can overcome this challenge is to try to use the same systems/services across cloud environments.