Cloud Security Alliance APAC

Cloud security concerns are shifting upwards: are you prepared for the change?

3/24/2020

 
Published on CybersecAsia
By Dr. Lee Hing Yan, EVP, CSA APAC
Just as clouds in the sky are not static, neither are the urgent security concerns of Cloud computing, this expert says.

The adoption of cloud computing has come a long way. In 2018, for the first time in history, cloud IT infrastructure revenues surpassed those of traditional IT infrastructure, reaching US$16.8 billion, according to IDC.

With the maturing of cloud services and the significant amount of resources cloud service providers (CSPs) have invested into securing their offerings, the Cloud Security Alliance (CSA) has witnessed an ‘upwards shift’ in the prominence of key cloud security issues.

According to a recent report on Top Threats for Cloud Computing, traditional cloud security that falls under the responsibility of CSPs has dropped in terms of importance. Concerns such as denial of service, shared technology vulnerabilities, CSP data loss and system vulnerabilities, all of which were featured in previous reports, are now rated so low that they were excluded from the updated list. Instead, there is a greater need to address security issues situated higher up the technology stack, which are the result of senior management decisions.
The top risks posed by cloud computing

At the top of the security watchlist now are:
1. Data breaches
2. Misconfiguration and inadequate change control
3. Lack of cloud security architecture and strategy

Taking the small city-state of Singapore as an example, we know it is vulnerable to volatility in its external environment. With digitization becoming more pervasive, organizations in Singapore must strengthen their cyber and data security capabilities in order to stay ahead of ever-evolving cyber threats, such as data breaches.

There are cases of data breaches going undetected until months after the compromise. In such incidents, the implications might not have been immediately apparent (e.g., IP theft). Such breaches had a dwell time of approximately one year in the United States Office of Personnel Management (OPM) and Sony Pictures breaches.

On another front, misconfiguration of cloud resources is a leading cause of data breaches and could allow deletion or modification of resources and service interruption, while an absence of effective change control is a common cause of misconfiguration in a cloud environment.

Tackling the challenge of Cloud security

Cloud environments and cloud computing methodologies differ from traditional information technology (IT) in ways that make changes more difficult to control. Traditional change processes involve multiple roles and approvals and could take days or weeks to reach the production phase. However, infrastructure elements that were static in the corporate data center are now abstracted to software in the cloud, and their entire lifecycle may only last a matter of minutes or seconds.

This dynamic environment requires an agile and proactive approach to change control, and companies should embrace automation and employ technologies that scan continuously for misconfigured resources and remediate problems in real-time.

Additionally, with increased workflows and applications across public and private clouds, organizations are migrating portions of their IT infrastructure to hybrid cloud environments. One of the biggest challenges during this transition is the implementation of appropriate security architecture to withstand cyberattacks.

Implementing an appropriate security architecture and developing a robust security strategy will provide organizations with a strong foundation to operate and conduct business activities in the cloud. Leveraging cloud-native tools to increase visibility in cloud environments will also minimize risk and cost. Such precautions, if taken, will significantly reduce the risk of compromise.

Recognizing the shared-responsibility model

With the focus on cloud security shifting upwards, cloud users need to be clear about the shared responsibility model of the cloud and brush up on their security posture for whatever they have implemented in the user space of the technology stack.

Getting this accomplished is of utmost urgency but will take some time and a concerted effort by the enterprise. As such, expect to see a number of breaches and hacks in the cloud in 2020 that are a result of users’ misconfigurations and complacency.

The future will hold a combination of old threats made new, and new threats exploiting fast-moving new technology. Cloud users and enterprises can supplement their efforts and increase their cloud security competencies by tapping into a variety of free resources from organizations with a focus on cloud security.

For example, CSA makes available at no cost a wide variety of guidance documents and best practices on cloud security that are community-developed and peer-reviewed by security professionals around the world. The CSA will share more on this at their annual CSA APAC Summit to be co-located with ConnecTechAsia at the Singapore Expo this year in October, pandemic circumstances permitting.
