The explosion of high-profile ransomware attacks has been dominating the news in the IT sector of late, but most of the time – and for years, not weeks or months – the subject of cloud computing has been front and centre. Everywhere you turn in the IT world, people are buzzing about the cloud this and the cloud that.
And no wonder. According to Gartner, by next year up to 60% of organisations will rely on a cloud-managed service offering – double the figure from as recently as 2018. And the growth is showing zero signs of slowing.
Time and again, we hear that cloud computing offers enterprises more reliability, scalability and flexibility, removing the hassle of maintaining and updating systems and thus giving companies more time to focus on core business strategies. It’s also commonly said that security in the cloud is better. On this point, however, a rethink is in order because this premise is at best questionable.
The fact is, security in the cloud needs improvement. The problem is that cloud service providers treat cloud security as a shared responsibility with their customers. And while cloud purveyors typically hold up their end of the bargain, many customers do not. Human error among cloud customers is rampant. Gartner has said that at least 95% of cloud security failures will be the fault of customers starting next year.
Migrating IT infrastructure to the cloud means enterprises must evolve their approach to cybersecurity. Companies must adopt a zero-trust mindset, which assumes the likelihood of multiple points of failure and helps confront it.
Cloud customers clearly need help, and the onus is on cloud purveyors to provide it. Says a Gartner report: “CIOs (and other IT pros) must change their line of questioning from ‘Is the cloud secure?’ to ‘Am I using the cloud securely?’”
Misconfigured cloud settings have caused multiple incidents of data exposure at Amazon Web Services, the biggest cloud purveyor. In addition, a misconfiguration error in Microsoft’s Azure cloud last year exposed 250 million technical support accounts.
What can be done to fix such problems?
One answer is the adoption of more cryptography. Some public cloud purveyors offer some encryption as an option, sometimes by default, and hopefully, others will decide to do the same thing. Also likely to be helpful is new, cutting-edge encryption technology.
I’ll discuss the latter momentarily. First, however, let’s address the miscommunications issue. While Amazon, Microsoft and other cloud companies handle security for their data centres, it is customers who must actually implement the required defences. There is insufficient sharing of responsibility. If cloud customers don’t protect their own networks and applications – too often the case – cloud security is undermined.
Exacerbating the problem is the fact that enterprises are increasingly adopting multi-cloud environments and too often lack awareness of all the cloud services at their disposal, according to a study by McAfee. In short, they’re setting themselves up for accidents waiting to happen.
This is a management issue and should be fixable. The adoption of more cryptography, meanwhile, is a technology issue, and one that can’t be addressed as quickly. Inroads, however, are being made.
For now, here are some security tips for companies moving to public and even multi-cloud environments:
- Make sure none of the components of security fall through the cracks. Overseeing the performance of the respective responsibilities of both cloud purveyors and their customers is essential.
- Ensure that only authorised users can access data. This is critical to prevent tampering by anyone inside or outside the organisation.
- Insist that your cloud service provider conducts thorough background checks on employees. This is especially important if they have physical access to data centre servers.
- Lastly, bear in mind that you’re tied tightly to any particular cloud provider, for better or worse. Switching is difficult. Do everything possible to choose the right one in the first place.
It’s important to recognise that many, if not most, of the security issues in cloud computing are a byproduct of the unchecked growth of the cloud. Providers, not customers, are liable for any breaches. If necessary, they should slow their growth for a while to prioritise the repair of festering problems. If security gets further out of control, there is no question that cloud growth will slow anyway.
Credit Robert Ackerman Jr – Data Tribe