Cloud computing has come a long way in the past ten years to become one of the most disruptive forces driving digital transformation in organizations around the globe. But these days, a move to the cloud is much more than just cheap and abundant storage and compute capacity. Whether you are displacing traditional business models with cloud-enabled marketplaces, as Uber and Airbnb have done; leveraging big data and artificial intelligence (AI) to converge online and in-store customer experiences, like retail giant Walmart; or simply moving your DevOps workloads to the cloud for faster speed-to-delivery, your move to the cloud is likely much more about innovation and modernization than it is about simply moving IT resources offsite.
Many organizations are adopting cloud-first strategies, but not without some hesitation over security and privacy risks associated with moving critical applications and sensitive data to the cloud. According to a recent report from Cybersecurity Insiders, “nine out of ten cybersecurity professionals confirm they are concerned about cloud security.” The report further points to data loss (67 percent) and privacy (61 percent) as their leading concerns.
Organizations are right to have concerns. For the most part, public clouds like Amazon Web Services (AWS) and Microsoft Azure adhere to a shared security model. And while each cloud service provider has their own specific provisions, generally your service provider would be responsible for security “of” the cloud – including things such as computing resources, storage, networking elements and any associated physical infrastructure – while you are responsible for security “in” the cloud, including your data, applications and connected devices, along with identity and access management of your users. The Gartner Top Security and Risk Management Trends¹ research note states: “Public cloud computing has proven to be a safe and secure foundation for computing, but it is a shared responsibility model and can easily be used in unsecure ways. Gartner estimates that at least 99% of cloud security failures will be the customer’s fault through 2023.”
To complicate matters, cloud computing is only getting bigger, faster and more complex, as agile DevOps practices continue to pump out new applications and capabilities at an increasingly rapid pace. So, what should organizations be doing to alleviate their fears and minimize their self-inflicted wounds? RSA recommends addressing cloud security in three key ways.
1. Increase Security Visibility in the Cloud
As organizations embark on their digital journeys, and shift workloads to the cloud, it’s imperative that they have a high degree of security visibility into their public, private and hybrid cloud environments. The previously cited Gartner research note¹ includes among its recommendations: “Invest in security and governance tools that are built for cloud scale, and the rapid pace of development and innovation.”
To achieve security visibility in the cloud, consider solutions that provide comprehensive logging and monitoring of all cloud-related activity, including the ability to provide real-time visibility into virtual servers and container instances. In addition to using the inherent capabilities within their security products, organizations will want to leverage security information via APIs that are native to their cloud platforms. For instance, AWS customers will want to ensure their security monitoring solutions are collecting data from CloudTrail, VPC and GuardDuty, so they can track AWS user activity and API usage, and detect threats within their public and private AWS instances.
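As an added illustration (not from the original post or any RSA product), the Python sketch below shows the kind of tracking of user activity and API usage that collected CloudTrail records allow. The records are constructed samples using CloudTrail's field names, and the three checks and the `denied_threshold` value are assumptions chosen for the example.

```python
from collections import Counter

TRAIL_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail"}
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation"}

def rec(time, source, name, user, **extra):
    """Build one constructed record using CloudTrail's field names."""
    arn = f"arn:aws:iam::111122223333:user/{user}"
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "arn": arn}, **extra}

# Constructed sample in the CloudTrail log-file layout; users and times are made up.
SAMPLE = {"Records": [
    rec("2019-03-01T10:00:00Z", "signin.amazonaws.com", "ConsoleLogin", "alice",
        additionalEventData={"MFAUsed": "No"}, responseElements={"ConsoleLogin": "Success"}),
    rec("2019-03-01T10:02:00Z", "signin.amazonaws.com", "ConsoleLogin", "carol",
        additionalEventData={"MFAUsed": "Yes"}, responseElements={"ConsoleLogin": "Success"}),
    rec("2019-03-01T10:05:00Z", "s3.amazonaws.com", "GetObject", "bob", errorCode="AccessDenied"),
    rec("2019-03-01T10:05:05Z", "s3.amazonaws.com", "ListBuckets", "bob", errorCode="AccessDenied"),
    rec("2019-03-01T10:05:09Z", "iam.amazonaws.com", "ListUsers", "bob", errorCode="AccessDenied"),
    rec("2019-03-01T10:06:00Z", "cloudtrail.amazonaws.com", "StopLogging", "bob",
        responseElements=None),
]}

def analyze(log, denied_threshold=3):
    """Return (per-principal API usage, findings) for one CloudTrail log document."""
    usage, denied, findings = Counter(), Counter(), []
    for r in log["Records"]:
        who = r.get("userIdentity", {}).get("arn", "unknown")
        source, name = r["eventSource"], r["eventName"]
        usage[(who, source)] += 1
        response = r.get("responseElements") or {}   # field is often null
        extra = r.get("additionalEventData") or {}
        if (name == "ConsoleLogin" and response.get("ConsoleLogin") == "Success"
                and extra.get("MFAUsed") == "No"):
            findings.append((r["eventTime"], who, "console login without MFA"))
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_CHANGES:
            findings.append((r["eventTime"], who, f"audit trail change: {name}"))
        if r.get("errorCode") in DENIED_CODES:
            denied[who] += 1
            if denied[who] == denied_threshold:   # report once, at the threshold
                findings.append((r["eventTime"], who, "repeated access-denied calls"))
    return usage, findings

if __name__ == "__main__":
    usage, findings = analyze(SAMPLE)
    for finding in findings:
        print(*finding)
```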
In addition to having deep visibility into cloud resources and users, organizations should look for a solution that covers all their physical and virtual infrastructures, to better detect and understand attacks that may span across their entire compute surface.
2. Manage Access to Cloud Resources and Data
One of your organization’s critical responsibilities in a shared cloud-security model is providing identity and access management for your workforce and third parties. The aforementioned Gartner research note¹ points out that, “On the demand side, IT organizations are moving to cloud-based applications, accessible by unmanaged devices, leaving authentication as the only security control.”
Knowing that users are who they claim to be is key to securing workloads in the cloud. But it’s no longer good enough to authenticate users based on a single credential or even, for that matter, on a “one-size fits all” multi-factor authentication solution. Today’s fast-moving workforce and fast-changing cloud environments require authentication solutions that provide both a high level of security and a high level of convenience for users. After all, you are moving to the cloud partly to make it easier for folks to do their jobs more efficiently. To do this requires you to, at a minimum, augment static-based identity rules with rules that are self-learning and based on context.
When it comes to authentication, organizations must go beyond simply using static markers of risk, such as a credential, a user’s role, or an IP address or location, and begin incorporating signals associated with user behavior, device reputation, threat intelligence and fraud patterns. This approach enables organizations to better guard against insider threats, thwart malicious attacks in progress, and adapt access controls based on ongoing changing workforce needs and actual behaviors.
However, verifying that users are who they claim to be is only one side of the cloud access coin. Understanding what cloud resources users (including privileged users) have access to and what they can do with their access is just as important. The Gartner research note¹ states that “Security professionals have found that it can be impossible to effectively secure use of the public cloud without new classes of automated security tools.” When it comes to protecting access to the cloud, organizations must go further than simple provisioning tools that allow for quick onboarding of cloud users. Given the growing number and increased velocity of access requests, due in large part to the explosion of software-as-a-service (SaaS) applications, organizations should also look at using identity analytics – for deep visibility into user entitlements in the cloud and to understand how risks such as segregation-of-duties violations and over-privileges can negatively impact their cloud security and compliance posture.
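The following Python sketch is an added example, not code from the original post or from any RSA product. It shows the two entitlement checks named above: segregation-of-duties violations and over-privilege, the latter taken here to mean entitlements held but idle. The role catalogue, SoD rules, grants, usage dates and the 90-day idle window are all hypothetical.

```python
from datetime import date

# Hypothetical role catalogue, SoD policy and grants; every name is constructed.
ROLES = {
    "ap-clerk":    {"invoice:create", "vendor:read"},
    "ap-approver": {"invoice:approve", "vendor:read"},
    "cloud-admin": {"iam:manage-users", "storage:delete", "logs:delete"},
    "auditor":     {"logs:read"},
}
# Entitlement pairs that no single identity should hold together.
SOD_RULES = [("invoice:create", "invoice:approve"),
             ("iam:manage-users", "logs:delete")]
GRANTS = {"dana": ["ap-clerk", "ap-approver"],
          "eli": ["cloud-admin"],
          "fay": ["auditor"]}
# Constructed usage data: user -> entitlement -> date it was last exercised.
LAST_USED = {
    "dana": {"invoice:create": date(2019, 2, 27),
             "invoice:approve": date(2019, 2, 20),
             "vendor:read": date(2019, 2, 27)},
    "eli": {"iam:manage-users": date(2019, 2, 25),
            "storage:delete": date(2018, 6, 1)},
    "fay": {"logs:read": date(2019, 2, 28)},
}
REVIEW_DATE = date(2019, 3, 1)  # constructed "today" for the sample data

def effective(user):
    """Union of entitlements across every role the user holds."""
    return set().union(*(ROLES[role] for role in GRANTS[user]))

def sod_violations(user):
    """SoD rules whose two sides both appear in the user's effective set."""
    held = effective(user)
    return [pair for pair in SOD_RULES if set(pair) <= held]

def unused(user, today, max_idle_days=90):
    """Entitlements held but never used, or idle longer than max_idle_days."""
    seen = LAST_USED.get(user, {})
    return sorted(e for e in effective(user)
                  if e not in seen or (today - seen[e]).days > max_idle_days)

def review(today):
    """Per-user report combining both checks."""
    return {user: {"sod": sod_violations(user), "unused": unused(user, today)}
            for user in GRANTS}

if __name__ == "__main__":
    for user, report in review(REVIEW_DATE).items():
        print(user, report)
```

In the sample, dana's violation only appears once her two roles are combined, which is why the check runs on effective entitlements rather than on individual role assignments.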
3. Use Frameworks to Measure Cloud Risk
Another complicating factor in managing digital risk in the cloud is today’s cybersecurity skills shortage. The Gartner research note¹ states that “The security skills gap will persist, abetted by an ever-increasing complexity in IT systems and the security tools used to protect IT systems.”
While managed security service providers (MSSPs) and product vendor service offerings may help offset the skills gap by helping organizations “run” their security operations, organizations must first learn what they don’t know about their current cloud security capabilities. They should be able to answer critical questions like, “How well are we securing our cloud environments compared with industry guidelines and best practices?” and “Which cloud security investments should we make to best align with our current business objectives?”
Before making any new, large-scale investments in cloud security tools or managed security services, organizations will benefit from a cloud security “checkup.” It may be useful to have a trusted advisor with the cloud security expertise to benchmark an organization’s cloud security posture against industry guidelines and best practices. In addition, they’ll want an advisor who can help tailor a roadmap for maturing the organization’s cloud security model, based on business needs. This will not only provide a business-driven plan for cloud security, but also assist them in training staff and building an internal cloud security knowledge base.
Whether for modernizing IT infrastructure, connecting with customers on digital platforms or automating core workload processes, organizations are increasingly relying on a growing number of public, private and hybrid cloud services to meet their evolving business needs. However, without proper governance over these cloud resources and data, your digital dreams can quickly turn into your worst security and risk management nightmares. Having a clear picture of which cloud security investments are required to support your business needs, deep visibility into what’s happening in the cloud, and self-learning, risk-based controls for governing user access will go a long way toward ensuring a positive experience with one of the most disruptive forces driving digital transformation today.
¹ Gartner Top Security and Risk Management Trends, Peter Firstbrook, Brian Reed, Sam Olyaei, Gorka Sadowski, David Mahdi, Prateek Bhajanka, Earl Perkins, Published 31 January 2019
Author: Tony Karam