 | Published on CybersecAsia By Dr. Lee Hing Yan, EVP, CSA APAC |
Just as clouds in the sky are not static, neither are the urgent security concerns of Cloud computing, this expert says.
The adoption of cloud computing has come a long way. In 2018, for the first time in history, cloud IT infrastructure revenues surpassed that of traditional IT infrastructure reaching US$16.8 billion, according to IDC.
With the maturing of cloud services and the significant amount of resources cloud service providers (CSPs) have invested into securing their offerings, the Cloud Security Alliance (CSA) has witnessed an ‘upwards shift’ in the prominence of key cloud security issues.
According to a recent report on Top Threats for Cloud Computing, traditional cloud security that falls under the responsibility of CSPs has dropped in terms of importance. Concerns such as denial of service, shared technology vulnerabilities, CSP data loss and system vulnerabilities, all of which were featured in previous reports, are now rated so low that they were excluded from the updated list. Instead, there is a greater need to address security issues situated higher up the technology stack, which are the result of senior management decisions.
The adoption of cloud computing has come a long way. In 2018, for the first time in history, cloud IT infrastructure revenues surpassed that of traditional IT infrastructure reaching US$16.8 billion, according to IDC.
With the maturing of cloud services and the significant amount of resources cloud service providers (CSPs) have invested into securing their offerings, the Cloud Security Alliance (CSA) has witnessed an ‘upwards shift’ in the prominence of key cloud security issues.
According to a recent report on Top Threats for Cloud Computing, traditional cloud security that falls under the responsibility of CSPs has dropped in terms of importance. Concerns such as denial of service, shared technology vulnerabilities, CSP data loss and system vulnerabilities, all of which were featured in previous reports, are now rated so low that they were excluded from the updated list. Instead, there is a greater need to address security issues situated higher up the technology stack, which are the result of senior management decisions.
The top risks posed by cloud computingAt the top of the security watchlist now are
1. Data breaches
2. misconfiguration and inadequate change control
3. lack of cloud security architecture and strategy
Taking for an example the small city-state of Singapore, we know she is vulnerable to volatilities in its external environment. With digitization becoming more pervasive, organizations in Singapore must strengthen their cyber and data security capabilities in order to stay ahead of ever-evolving cyber threats, such as data breaches.
There are cases of data breaches going undetected until months after the compromise. In such incidents, the implications might not have been immediately apparent (e.g., IP theft). Such breaches had a dwell time of approximately one year in the United States Office of Personnel Management (OPM) and Sony Pictures breach.
On another front, misconfiguration of cloud resources is a leading cause of data breaches and could allow deletion or modification of resources and service interruption, while an absence of effective change control is a common cause of misconfiguration in a cloud environment.
Tackling the challenge of Cloud securityCloud environments and cloud computing methodologies differ from traditional information technology (IT) in ways that make changes more difficult to control. Traditional change processes involve multiple roles and approvals and could take days or weeks to reach the production phase. However, infrastructure elements that were static in the corporate data center are now extracted to software in the cloud—their entire lifecycle may only last a matter of minutes or seconds.
This dynamic environment requires an agile and proactive approach to change control, and companies should embrace automation and employ technologies that scan continuously for misconfigured resources and remediate problems in real-time.
Additionally, with increased workflows and applications across public and private clouds, organizations are migrating portions of their IT infrastructure to hybrid cloud environments. One of the biggest challenges during this transition is the implementation of appropriate security architecture to withstand cyberattacks.
Implementing an appropriate security architecture and developing a robust security strategy will provide organizations with a strong foundation to operate and conduct business activities in the cloud. Leveraging cloud-native tools to increase visibility in cloud environments will also minimize risk and cost. Such precautions, if taken, will significantly reduce the risk of compromise.
Recognizing the shared-responsibility modelWith the focus on cloud security shifting upwards, cloud users need to be clear about the shared responsibility model of the cloud and brush up security postures for whatever they have implemented in the user space of the technology stack.
Getting this accomplished is of utmost urgency but will take some time and a concerted effort by the enterprise. As such, expect to see a number of breaches and hacks in the cloud in 2020 that are a result of users’ misconfigurations and complacency.
The future will hold a combination of old threats made new, and new threats exploiting fast moving new technology. Cloud users and enterprises can supplement their efforts by increasing their cloud security competencies by tapping into a variety of free resources from organizations with a focus on cloud security.
For example, CSA makes available at no cost a wide variety of guidance documents and best practices on cloud security that are community-developed and peer-reviewed by security professionals around the world. The CSA will share more on this at their annual CSA APAC Summit to be co-located with ConnecTechAsia at the Singapore Expo this year in October, pandemic circumstances permitting.
Read the Byline here.
1. Data breaches
2. misconfiguration and inadequate change control
3. lack of cloud security architecture and strategy
Taking for an example the small city-state of Singapore, we know she is vulnerable to volatilities in its external environment. With digitization becoming more pervasive, organizations in Singapore must strengthen their cyber and data security capabilities in order to stay ahead of ever-evolving cyber threats, such as data breaches.
There are cases of data breaches going undetected until months after the compromise. In such incidents, the implications might not have been immediately apparent (e.g., IP theft). Such breaches had a dwell time of approximately one year in the United States Office of Personnel Management (OPM) and Sony Pictures breach.
On another front, misconfiguration of cloud resources is a leading cause of data breaches and could allow deletion or modification of resources and service interruption, while an absence of effective change control is a common cause of misconfiguration in a cloud environment.
Tackling the challenge of Cloud securityCloud environments and cloud computing methodologies differ from traditional information technology (IT) in ways that make changes more difficult to control. Traditional change processes involve multiple roles and approvals and could take days or weeks to reach the production phase. However, infrastructure elements that were static in the corporate data center are now extracted to software in the cloud—their entire lifecycle may only last a matter of minutes or seconds.
This dynamic environment requires an agile and proactive approach to change control, and companies should embrace automation and employ technologies that scan continuously for misconfigured resources and remediate problems in real-time.
Additionally, with increased workflows and applications across public and private clouds, organizations are migrating portions of their IT infrastructure to hybrid cloud environments. One of the biggest challenges during this transition is the implementation of appropriate security architecture to withstand cyberattacks.
Implementing an appropriate security architecture and developing a robust security strategy will provide organizations with a strong foundation to operate and conduct business activities in the cloud. Leveraging cloud-native tools to increase visibility in cloud environments will also minimize risk and cost. Such precautions, if taken, will significantly reduce the risk of compromise.
Recognizing the shared-responsibility modelWith the focus on cloud security shifting upwards, cloud users need to be clear about the shared responsibility model of the cloud and brush up security postures for whatever they have implemented in the user space of the technology stack.
Getting this accomplished is of utmost urgency but will take some time and a concerted effort by the enterprise. As such, expect to see a number of breaches and hacks in the cloud in 2020 that are a result of users’ misconfigurations and complacency.
The future will hold a combination of old threats made new, and new threats exploiting fast moving new technology. Cloud users and enterprises can supplement their efforts by increasing their cloud security competencies by tapping into a variety of free resources from organizations with a focus on cloud security.
For example, CSA makes available at no cost a wide variety of guidance documents and best practices on cloud security that are community-developed and peer-reviewed by security professionals around the world. The CSA will share more on this at their annual CSA APAC Summit to be co-located with ConnecTechAsia at the Singapore Expo this year in October, pandemic circumstances permitting.
Read the Byline here.