What do CIOs/CISOs need to know about cloud security to confidently navigate the complexities of their cloud environments and protect sensitive data? Three industry experts give us their views.
John Allison, Director of Public Sector, Checkmarx
Modern cloud environments are a double-edged sword when it comes to security, especially the protection of information. Security was much simpler when you could walk into your data center, and in front of you were rows and rows of hard drives with your data. The downside was that it was your data center, and you were responsible for everything, including security.
The first step in protecting sensitive data is agreeing on what sensitive data is. To quote the old saying, ‘if everything is a priority then nothing is a priority’. The same goes for protecting data. CIOs must work with the stakeholders to aggressively narrow what is defined as sensitive to that data, that if released will cause significant harm to the company, either reputationally or financially.
The next challenge is to agree on what the minimum security measures are required to protect that data. For some industries, there are compliance standards to support this, for others, this may fall under the ambiguous term of ‘best business practices’. Now comes perhaps the most difficult part of this journey, to find where the sensitive data is stored.
As the CIO finds the data, they can assess the security against the requirements.
From here, a CIO can start making risk-based decisions on the prioritisation of addressing the holistic data security posture to including the CIO’s cloud environments. It is likely that at this point, the data is scattered across the CIO’s development and production environments which are on top of one or more of the major cloud providers and scattered across multiple third-party cloud services.
For the third-party cloud vendors there is only so much a CIO can do. They will certainly go through their vendor risk management process, and perhaps be able to get additional data from the vendor. This feeds into the risk decision from the CIO and establishes if there is sufficient trust to share your data with this vendor.
If the sensitive data is stored within the CIO’s own applications, they have a wider range of tools available to meet the security requirements. Firstly, having a robust application security (AppSec) program and security architecture can reduce exploitable vulnerabilities. Going beyond traditional, must-have static application security testing (SAST) solutions, a mature AppSec platform that secures applications from code to cloud is critical. This, combined with robust logging and security analytics can provide robust data security in the CIO’s cloud environments.
A CIO often must accept the business they have, and that isn’t the business they wish they had. A CIO is a very busy person for any moderately sized organisation, so perhaps the most effective tool to protect sensitive data is simplicity. Minimise what is considered sensitive; make the security requirements clear, achievable and measurable; and establish a set of trusted vendors that you can rely on.
Underlying all of this, is ensuring that your organisation has a set of easy-to-understand policies around data security, and that your employees are trained. If everyone is on the same page, it makes this process much easier.
Trevor Dearing, Director of Critical Infrastructure at Illumio
As organisations continue to invest heavily in the cloud, the responsibility is falling on CISOs to make sure that their security posture is up to scratch. Research indicates that nearly half of all data breaches originate in the cloud, with the average organisation who suffered a cloud breach last year losing nearly US$4.1 million.
Beyond financial losses, the repercussions of cloud breaches extend to reputational damage, sensitive data loss, and decreased productivity, leading to an urgent need for robust security measures tailored to the cloud environment. With the majority of businesses today holding their most critical data and high-value applications in the cloud, there needs to be a fundamental shift from reactive measures of old to a more proactive approach to breach containment in the cloud.
Traditional security tools are increasingly falling short in addressing the dynamic and interconnected nature of the cloud. Organisations should take a strategic approach to integrating cloud security with existing approaches. While the security needs of the cloud itself are unique, the security of the data should be consistent across the hybrid infrastructure. Adopting a Zero Trust approach across the entire estate protects the data while adopting specific cloud security techniques.
It is easy to put faith into the shared responsibility model when it comes to cloud security, but the concept is frequently misunderstood. Security is not solely the cloud provider’s responsibility and risk cannot be outsourced. Cloud security providers (CSPs) are only responsible for their own systems which, in a multi cloud environment, means that there is an uneven handshake between businesses and providers. IT teams must therefore be more proactive in securing their own assets and embrace a uniform approach to security across all environments.
IT teams should prioritise security measures which support multiple cloud providers to prioritise uniformity, such as Zero Trust Segmentation (ZTS). Rooted in the Zero Trust principle of ‘never trust, always verify’, ZTS offers a granular and adaptable approach to security, providing organisations with enhanced visibility, control, and resilience across hybrid and multi-cloud environments.
With ZTS organisations can easily visualise their cloud workload connectivity, including traffic flows across managed and unmanaged workloads. It also allows proactive segmentation of the network which makes it easier to contain attacks and reduces the area needed to investigate in the response process.
Aside from investing in new tools, CISOs must ensure that teams are educated on effective cloud security measures. This avoids the common oversight of employees not being able to identify and rectify misconfigurations which can open the floodgates to a breach. Organisations should work to transform employees from potential security risks into active and informed participants within the security posture.
This is best achieved through regular training sessions and keeping staff updated with new trends in the threat landscape. A well-informed team can significantly mitigate an organisation’s risk and increase overall cyber-resilience, helping any CISO to sleep at night.
Stefan Schachinger, Senior Consulting Engineer, Network Security, Barracuda Networks
Cloud computing offers businesses the ability to implement IT activities faster, more efficiently, and at scale, without having to invest in and manage costly infrastructure. Today, cloud computing underpins business innovation, growth and agility, supporting communications, collaboration, application – and data – platforms, and as-a-service offerings, including AI tools. Gartner estimates that worldwide spending on public cloud services alone will increase by a fifth in 2024, to total US$678.8 billion.
Cloud environments are a growing target for cyberattack. There are number of reasons for this. The first is simple: attackers go where businesses go. In February 2024 the UK’s NCSC and the U.S. NSA jointly issued a warning that advanced threat actors were targeting intelligence hosted in cloud environments because a growing number of their targets store data in the cloud.
The second reason is related to the speed and nature of many cloud deployments. When IT teams are under pressure to implement cloud-hosted services quickly, looking for and addressing security gaps can take second place.
Further, cloud environments can be complex. Organisations often have private, public or hybrid clouds, and multi-cloud set ups involving different providers. Such environments are resource-intensive to manage and can limit overall visibility, making it is harder for defenders to detect and respond to a security alert or incident.
Any security oversight represents a potential access point for attackers. Weak access and authentication measures can allow attackers to break in using stolen or brute-forced credentials. Under-protected APIs, misconfigured cloud resources, open Internet-facing assets, unaddressed software vulnerabilities, insecure third-party resources, and system vulnerabilities can also all lead to unauthorised service access, data breaches and leaks.
CIOs need to understand and address the different and often interrelated risks facing their cloud environments. Data protection is critical. Cloud providers are responsible for securing the infrastructure, but customers are responsible for protecting their own data within the cloud. Robust access and authentication measures, including least-privilege access and restricted rights are key to preventing unauthorised access to data, and limiting the potential for lateral movement and extended impact. Multifactor authentication should be the minimum standard, and many organisations are moving towards a Zero Trust approach.
Zero Trust involves tools and processes that continuously verify both the user and their trusted devices and matches these with the assets the user is permitted to access. This means that only authorised individuals can access specific resources in the cloud. Data should always be encrypted.
These measures should sit within defence-in-depth security technologies that work seamlessly across on-premises, public, private and hybrid cloud implementations. Consider implementing immutable cloud-to-cloud back up to protect data from tampering and loss, and web application firewalls to protect APIs.
All of this should be underpinned by continuous employee awareness training and security assessments to identify and mitigate potential vulnerabilities, from misconfigurations to software bugs.
Reports show that in 2023, 48% of businesses stored their most important data in the cloud and the average employee now uses 36 cloud-based services every day. Cloud-based IT is business critical and deserves to be protected accordingly.