How to Strengthen Cloud Security
Towards the end of last month, cybersecurity firm McAfee released new research titled Cloud-Native: The Infrastructure-as-a-Service Adoption and Risk. There’s a lot of interesting information there, but one of the most concerning statistics involved public cloud misconfigurations, particularly where Infrastructure-as-a-Service (IaaS) is concerned. According to the firm’s results, only one percent of IaaS issues are reported.
Of 1,000 IT professionals surveyed across 11 countries, 90 percent told the firm that they’d encountered security issues with IaaS, but only 26 percent could actually deal with misconfigurations.
“In the rush toward IaaS adoption, many organizations overlook the shared responsibility model for the cloud and assume that security is taken care of completely by the cloud provider," said Rajiv Gupta, McAfee’s Senior Vice President of Cloud Security. "However, the security of what customers put in the cloud, most importantly sensitive data, is their responsibility."
So what can you do?
First, incorporate the configuration process into your security policies if you’ve not already done so. You need to ensure that the cloud platforms you use are properly tested and configured. To that end, it’s important that every single employee involved with your cloud’s deployment understands the following details.
- The cloud provider’s security model.
- What security features the cloud platform includes, and how to configure them.
- How the cloud platform interacts and integrates with your existing infrastructure.
- The authentication process for employees using your cloud platform.
Second, you’ll want to have a process in place for detecting and mitigating misconfigurations when they do occur. Even if you think you’ve done everything right, misconfigurations can and do still happen. People make mistakes, even when they’re well-trained and well-informed.
That’s why it’s important to have some way of mitigating those mistakes. There are a number of third-party cloud security tools you can use to that end. We recommend Cloudsploit or Fugue, but they’re far from the only options.
Finally, when you bring in a third-party analyst to audit your cybersecurity posture, include your cloud infrastructure in that audit. This will ensure that even if there are misconfigurations that your security tools miss, you’ll have an additional layer of mitigation. And if you aren’t running third-party security audits, you need to be.
Maybe your business is just starting its cloud journey. Maybe you’re well along in your shift to cloud infrastructure. Regardless of how far you’ve come, it’s imperative that you account for the human element.
That you understand the risks posed by human error, both in the initial configuration and the day-to-day usage of your cloud. Move forward with that understanding, and you should be just fine.