Want to try it for yourself?
It's all about the cloud. Choosing the cloud, and not local storage, has tremendous cost-saving benefits and comes with a ton of convenience at scale. The cloud can bring significant benefits over traditional data centers, including speed-to-market, cost savings, resilience, global reach, security, and innovation from cloud providers.
But it also comes with its unique cloud computing security issues and risks, which is an important concern for 99% of companies. Read on to learn more about cloud security issues, their unique challenges, and cloud security best practices to empower your organization to make measurable improvements to its security stance and keep cloud threats at bay.
What is Cloud Security?
Cloud security is all of the facets of information security — including software, policies, processes, staff, and infrastructure — designed specifically to be applied to the unique challenges and requirements of cloud architecture.
Cloud-hosted infrastructure introduces new security concerns into the threat model that differ significantly from those in the past. Cloud security necessarily asks organizations to form a deeper understanding of their security obligations in a shared responsibility model, as well as to be conscientious of the more complex and dynamic attack surface brought on by the increased usage of cloud-provisioned resources. Designing inherently secure cloud architecture is the key to secure cloud use and limits the attack surface and the potential blast radius of any successful initial penetration.
Although cloud security requires an updated approach, the core tenets of traditional information security still apply. Organizations are ultimately bound by a need for their critical information to retain confidentiality, integrity, and availability. Understanding the specific challenges of cloud security is key to achieving this triad.
Why is cloud security important?
Cloud security is about establishing and maintaining full knowledge of your environment—and denying attackers access to that knowledge. Protecting your sensitive cloud data means knowing where it is and the ways it can be accessed, and eliminating the gaps in cloud architecture that attackers exploit for discovery, movement, and data extraction.
Data is often referred to as the new oil. It's valuable. It may carry customer data, health data, business plans, financial information and a host of other private information. A privacy breach can cost you the trust of your customers, subject you to fines and lawsuits, and lead to other unexpected financial losses and headaches.
Organizations big and small have adopted some type of cloud computing, and are likely to expand their cloud services footprint as they grow. Because of this, it's important that organizations adopt a cloud security architecture to minimize cloud security threats such as misconfigurations. Cloud security concerns us all, and it's never too early, or too late, to begin implementing a security posture or enhance an existing one.
Let’s break down some of the top cloud security challenges for 2022.
Cloud security requires engineering teams to deploy cloud native security tooling with purpose-built policies and personnel to help support a cloud-focused architecture. Forcing legacy tools on top of your cloud infrastructure is ill advised, especially as traditional tools like network monitoring and firewalls aren’t typically compatible with the cloud. Your cloud environment will not be adequately secured, and would remain at a high risk of compromise.
That's because the lack of a true network boundary underscores the different threat model a cloud environment presents over a legacy environment. In legacy infrastructure, for example, firewalls and physical network topology make for a clear distinction between the inside and the outside of a network. Making interior resources available to external traffic typically requires explicit configuration to network devices—including the firewall—and depends on specific routing topology.
On the other hand, cloud resources can be configured to be publicly available, immediately upon provisioning. In order to maintain a secure posture, a zero-trust policy must be adopted. Engineering teams should assume any node is a potentially compromised target and enforce authentication and encryption on any communication attempts, regardless of their location in the network architecture. Assuming any node is potentially compromised also requires an assessment of the potential blast radius of such penetrations, since attackers use API keys on resources they’ve accessed to compromise the cloud control plane to discover knowledge, move laterally, and extract data without detection.
The type of applications and workloads that run in the cloud have evolved significantly from the days of workstations and bare-metal servers. Web applications are one of the preferred software distribution methods, and containers have become one of the most popular platforms for running them. Over 78% of production workloads are deployed as containers.
Beyond the containers themselves, container orchestration tools like Kubernetes give organizations powerful tools to scale their applications, but introduce additional complexity and security concerns.
Containers provide another example of the newer cloud security challenges that have no real parallel in legacy architectures. Containers such as those that run on the Docker engine are often built using base images sourced from third-party public repositories. Those base images may be out of date or actually compromised versions of legitimate images, uploaded by malicious actors.
These kinds of compromises highlight the need for security tools that work across the entire development life cycle and toolchain: Discovering a vulnerability like this in production means an organization may already have been compromised.
Data breaches always make the list of top security incidents. We read about them all of the time, and they can impact some of the most advanced cloud customers.
To avoid them, it's important to understand that data has value, and unwanted exposure of data can produce a wealth of consequences. So it's a good idea to always employ encryption and have an incident response plan that is heavily tested and strong. Deploying data input and output integrity routines is a must. To mitigate risks, organizations should prioritize their security controls and document them.
And like we said before, data breaches can wreak havoc on a company's reputation, which happened in the aftermath of Capital One's cloud misconfigurations. Breached companies may find themselves in high-profile litigation while at the same time attracting the unwanted eye of regulators. Thieves might even sell your organization's personally identifiable information and personal health information on the black market.
Every organization has the responsibility to know what data they are putting in the cloud, what principles—human and machine—have access to it, and what level of protection is applied both internally and by the cloud provider.
Let's face it, you may have adopted a legion-long list of security measures, but checklist security alone won’t keep your cloud data secure. Cloud environments are constantly changing, and misconfiguration can lead to data breaches because they leave organizations vulnerable to attacks that often require only minutes to execute. More than 56% of organizations surveyed suffered from a misconfiguration or known vulnerabilities incident.
To minimize risks of misconfigurations, it's advisable to stick to a strict change management system. This involves requesting, approving, validating, and logging changes to your systems. Ineffective change control is likely to produce cloud misconfigurations and breaches.
Policy as code is another method of preventing misconfigurations, it can be used for automated security checks, and it enables all stakeholders to operate under a single source of truth for security policy by eliminating differences in interpretation, evaluation, and enforcement. It also eliminates human error and time-consuming manual processes. Open Policy Agent has emerged as the open source standard for policy as code, used and supported by companies like Netflix, Pinterest, and CloudFlare.
Organizations often lack a cloud security architecture and strategy. It's best to understand the threats you are exposing your company to before jumping in the cloud, and make sure to have cloud security architecture expertise on your team, because cloud security is best addressed in the design of cloud environments. Proper migration techniques and strategies should be adopted before deployment. Engineering teams should also scrutinize the security programs of their cloud services to minimize public cloud security risks.
There should be third-party auditing with shared reports, and make sure to demand breach reporting terms to complement your cloud provider's technology solutions.
Strides being taken from a culture, process, package maintenance, and even developer tooling perspective are helping to move the needle on improving an overall security posture and maturity within the open source security ecosystem in the cloud. It's important to understand the risks when choosing to adopt open source tools, platforms, and code into your cloud systems. Because knowledge is power, understanding the key risks can help your organization stay more secure.
Some of the main risks associated with open source tools is that sometimes they don't have dedicated support to help with your tooling, and sometimes the support is unofficial and may not be adequate. In addition, vulnerabilities to open source components are often publicized by the open source community and oversight organizations. This may open up your organization to unwanted scrutinization, as well as to security attacks.
What's more, because enterprises may have hundreds or thousands of engineers, access should be doled out based on the role and needs of the employee. Put bluntly, when it comes to access control issues, apply the principles of least privilege and at the same time establish procedures and policies for secure disposal and removal of data.
All in all, it's best to continually audit, track, monitor and manage your cloud credentials to account for provisioning and deprovisioning issues, zombie accounts, excessive admin accounts and users bypassing identity and access management (IAM) controls.
IAM plays a central role in modern cloud breaches, and IAM risk involves a lot more than people and human access to things. IAM is essentially the network in the cloud, and cloud resources use IAM to interact with other cloud resources. Special focus is needed to assess IAM use in cloud environments to identify insecure IAM configurations that may not get flagged by compliance audits or many security tools, and developers should have policy as code checks that flag insecure IAM configurations when developing infrastructure as code.
It is recommended that organizations also employ two-factor authentication, adhere to strict IAM cloud controls, rotate API keys regularly, and sunset unused credentials.
As with cloud security measures, companies must know and articulate a division of responsibilities when it comes to regulatory compliance in the cloud, especially when dealing with healthcare and financial data. There are plenty of regulations, and they are constantly changing. So it's important that organizations make sure that their cloud service providers and applications are certified as compliant to handle sensitive data.
There are at least for data regulations organizations in the cloud should be mindful about:
HIPAA: A healthcare application that processes protected health information is subject to the privacy and security rules associated with the Health Insurance Portability and Accountability Act. HIPAA may require healthcare businesses to obtain assurances from cloud providers that they will safeguard this type of data.
PCI: The Payment Card Industry Data Security Standard (PCI DSS) is for companies that work with credit cards from the major card payment systems, including American Express, Discover, Mastercard and Visa. The standard is mandated by the credit card companies. It is overseen by the Payment Card Industry Security Standards Council, and was created to reduce credit-card fraud.
Personal data: This includes information that identifies consumers, employees, partners, and most any legal entity. To comply with laws about personal data, many data breach regulations require organizations to report on their compliance and announce any breaches that may have occurred.
GDPR: The General Data Protection Regulation (GDPR) was implemented to enhance data protection for people in the European Union. Data such as names, home addresses, photos, email addresses, bank details, social networking posts, medical information, and IP addresses must remain and be maintained on servers within the EU. Companies must notify individuals of any data breaches.
With cloud services comes APIs, or application programming interfaces. They usually are well documented for their customers. But a misconfiguration by your organization can open the door to security breaches. The documentation from the cloud service provider can also be used by cybercriminals to pinpoint and exploit vulnerabilities and steal sensitive data.
In addition, the API documentation designed for the customer can also be used by a cybercriminal to identify and exploit potential methods for accessing and exfiltrating sensitive data from an organization’s cloud environment.
So it's best to practice proper API hygiene and deploy standard, open API frameworks and avoid reusing API keys. Test APIs for security and so they adhere to applicable legal, statutory, and regulatory requirements.
This is not just limited to the cloud. But whether intentional or negligent — current and former employees, contractors and partners can be the causes of data breaches, downtime, and loss of consumer confidence.
Threats from insiders include leaked or stolen data, credential issues, human errors and cloud misconfigurations. To counter these, organizations should conduct security awareness training, fix misconfigured cloud servers, and practice strict access control to critical systems.
This is perhaps the largest, non-malicious insider threat facing organizations today, and this concept is the culmination of many of the topics we've already discussed in this article.
Remember, misconfiguration of your cloud platform and APIs opens the door to a host of data vulnerabilities. Failure to understand and comply with data regulations can subject your organization to the wrath of government authorities while sullying your reputation as well. A failure to adopt adequate and documented access control and change management practices will likely leave your organization vulnerable to insider and outsider threats, and may bring unwanted public attention and lawsuits as well.
While shifting to the cloud has been a growing trend, nearly 60% of organizations have increased security concerns since adopting a cloud native strategy.
Most major cloud attacks or breaches are a combination of application vulnerabilities that were exploited because of or compounded by misconfiguration. That's why it's important for today's development and security teams to understand the best practices for securing their cloud native applications.
Secure your apps the way cloud native experts do. Snyk’s developer security solutions enable modern applications to be built securely, empowering developers to own and build security for the whole application, from code and open source to containers and cloud infrastructure.
Next in the series
Cloud security posture management explained
When many companies move to the cloud, they assume the cloud provider – whether it’s Amazon Web Services (AWS), Google Cloud, Microsoft Azure or any other – is completely responsible for cloud security.Keep reading