Cloud computing was the lifeline that kept many companies running during the pandemic. But it was a classic case of medicine that comes with serious side effects.
Having anywhere, anytime access to data and apps gives companies tremendous flexibility in a fast-changing world, plus the means to scale and customize IT at will. The cloud is an asset or upgrade in almost every way.
With one glaring exception: cybersecurity.
The cloud promised to make companies more secure and security more straightforward. Yet over the same time period that the cloud took over computing, cyber attacks grew steadily worse while security teams felt increasingly overwhelmed.
We will explain shortly. For lean security teams, the more important question is how to make cloud security work, especially as the cloud footprint grows (a lot) faster than security resources. Will the cloud always cast a shadow on cybersecurity?
Not with the strategy outlined in a free ebook from Cynet called "The Lean IT Guide to Cloud Security". It explains how security teams with less than 20, 10, or even 5 members can make cloud security work from here forward.
Storms Brewing in the Cloud
The "cloud rush" prompted by the pandemic certainly caught hacker's attention. Attacks on cloud services rose 630% in 2020 and topped on-premises attacks for the first time. The sudden increase in cloud adoption explains some of that uptick – the cloud was a larger target than before. But this really had nothing to do with the pandemic.
It was only a matter of time before hackers started relentlessly targeting the cloud, now costing businesses $3.8 million on average with each successful breach.
Clouds look to hackers like prime targets, more appealing than almost any other.
On the one hand, clouds house huge stores of valuable data along with mission-critical applications. They are where the valuable targets live, so they're an obvious, even inevitable attack vector.
On the other hand, clouds either complicate or compromise many of the cyber defenses already in place, while coming with complicated defensive requirements of their own. Many cloud environments end up insecure, making them an easy attack vector as well.
As long as hackers continue to see clouds as equally vulnerable and valuable, the onslaught of attacks will only get worse. The damages will too.
Making Sense of the Shared-Responsibility Model
A big reason that cloud security gaps are so common (and so gaping) is because of the unique way we approach cloud cybersecurity.
Most cloud providers rely on the shared-responsibility model, where security responsibilities are split between the vendor and the customer.
Typically, customers handle data accountability, endpoint protection, and identity and access management. Vendors deal with application and network controls, host infrastructure, and physical server security (sharing agreements vary).
Research consistently shows that customers are confused about what is and isn't their responsibility. But even among those that aren't confused, the dividing line between responsibilities can (and has) lead to contentious disputes or security loopholes waiting for hackers to find them.
Problematic as the shared-responsibility model may be, it's standard practice. What's more, it can be a tremendous asset to learn security teams in particular provided they know their responsibilities...and pick the right partner.
Cloud Security Starts with Vendor Selection
For better or for worse, the shared-responsibility model obligates cloud customers to form security partnerships with their vendors. And some vendors are better than others.
Thoroughly vetting any cloud provider must be a prerequisite, but that takes time on the part of the evaluator and transparency on the part of the provider. Certifications like STAR Level 2 verify a provider's security credentials, but some companies go a step further and hire risk management services to evaluate a particular cloud. In any case, the goal is to get independent, objective proof the provider takes security seriously.
Upon selecting a vendor, following their security guidance (to the letter) could not be more important. Failure to do so has caused more than a few cloud attacks. Lean teams can make major improvements to cloud security, often at no cost whatsoever, by simply doing what the vendor says to do.
The Key Pieces for Lean Security Teams
Picking the right provider/partner solves a big part of the cloud security puzzle. That said, important and ongoing responsibilities still fall entirely on the security team. These can be the weak-points that open the door to cloud attacks – but the right tools address each of the key responsibilities facing cloud customers, and the right vendors integrate more of those tools onto platforms to consolidate cloud security in a manageable form.
In the free ebook "The Lean IT Guide to Cloud Security", Cynet describes what the optimal cloud security toolkit looks like, along with how lean security teams can take advantage of similar strengths without increasing staff or ballooning security spending.
The ebook offers an effective guide to cloud security to the many companies struggling to protect their most important IT. By design, however, it's also a practical and accessible framework designed to help security teams of any size secure cloud deployments of any size.
If cloud security falls on your shoulders, use the guidance from Cynet to make the maximum impact for the minimal investment.