Before the Covid-19 pandemic, cloud adoption was high — businesses of all sizes and industry saw the benefits of adopting a virtual workload model for their services. But, cloud security was often treated as an afterthought.
Since global lockdowns were introduced, cloud adoption has intensified and increased, as organisation’s scrambled to empower their workforces and maintain a strong customer service.
A recent survey from Aptum found that over a third (38%) of companies have used cloud technology to scale infrastructure in order to meet demand and control costs since the start of the Covid-19 pandemic, while nearly half (48%) have adopted cloud solutions to provide critical services to end customers.
In addition, 76% of participants said that they have been using cloud services to facilitate remote working, while 92% expressed confidence in their company’s business continuity due to managed cloud services.
As cloud adoption rates increase and become even more critical to an organisation’s survival, businesses must ask how to ensure cloud security — it’s a challenge that now has to be taken more seriously by both vendors and end users.
Below, five experts discuss how to ensure cloud security in a remote working environment.
1. Cloud security in the remote working era
Nick McQuire, SVP and head of enterprise research at CCS Insight, argues that the most enduring trend to come out of the Covid-19 health crisis is the growing importance customers are now placing on cloud security.
He says: “The shift to remote work has meant by and large a wholesale shift to the cloud for most companies, particularly in the areas of productivity and collaboration.
“One area the crisis has exposed is the limitations of legacy security technology like VPNs, which companies will no longer use in earnest as they shift to these cloud tools. What we are seeing now is a deeper focus on security built into the platforms natively whether they be devices, software applications or cloud infrastructure, rather than a bolt on solution that it has been in the past.”
This means, according to McQuire, that cloud companies have become security companies by stealth over the past few years.
“The depth of security solutions on offer is intrinsically linked with the trust customers have in a cloud provider. Another enduring feature of the pandemic is the elevated importance customers now place on their trust in their cloud provider, which is why we have seen investment in cloud security skyrocket over the past five months,” he adds.
Cloud security: The latest thinking, a guide to implementing cloud securely
Cloud offers multiple benefits, including the ability to scale up and down quickly to meet demand. But some firms – especially in highly-regulated industries such as financial services – have been slow to adopt the technology due to concerns over cloud security. Kate O’Flaherty takes up the tale. Read here
2. A complete view
For organisation’s to achieve a “robust Tower of London-esque protection” when it comes to cloud security, Stuart Reed, UK Director at Orange Cyberdefense, suggests businesses should move away from perimeter security.
“Instead,” he says, “they must first gain a complete view of the network infrastructure making up their threat landscape, and use this as the starting point for any new cyber security strategy.”
Reed continues: “A large proportion of cloud breaches involve weak or stolen passwords or the misuse of credentials. It is therefore crucial to have a proper identity and access strategy that relies on multifactor authentication. In addition, organisations should be constantly monitoring the cloud for anomalies.
“Create visibility into who is accessing which applications and keep an overview of which data is sent to the applications or downloaded. You can monitor your cloud for anomalies through SIEM technology, cloud threat detection platforms and behavioural analytics, as well as through managed services.”
Former Bank of England CISO talks cloud security and his new role at METCloud
3. Automated visibility
He agrees that the increasing usage of multiple cloud services and platforms brings numerous challenges, with the key issue revolving around visibility.
“It’s difficult for security teams to stay on top of identifying assets, control coverage gaps and preventing unauthorised access in the cloud. Because it is so easy to spin up large infrastructures, at scale, organisations are increasing their attack surface at an unprecedented rate through automation mechanisms. This is compounded by a lack of uniformity — most organisations have a different blend of cloud, hybrid cloud, multi-cloud and on-premise environments, which are constantly evolving,” says Goonatilake.
To overcome visibility challenges many organisations are mining data via APIs and building inventories across the three common layers of cloud infrastructure; IaaS, PaaS and SaaS.
However, Goonatilake points out that manual processes are not only prone to error, they also require significant resource and time.
He adds that “this also means things can be missed, which is evidenced via a McAfee report, which states that that 99% of cloud incidents go unnoticed. The fact that almost all cloud incidents aren’t being identified signals a critical lack of visibility into cloud system security and awareness around responsibilities — the best way to address this is to invest in systems that provide automated visibility across all environments.”
“With so much data storage and such frequent network access performed off-premise, simply bordering applications and hardware using firewalls and the like is akin to protecting the crown jewels with a garden fence” — Reed
4. Education and awareness
As organisation’s increasingly move to the cloud, “the potential attack surface area becomes greater where cloud products aren’t built with security in mind,” says Amanda Grant, chief product officer at Advanced.
However, she suggests that not all clouds are created equal. Some, she says, are more secure than others — with the best cloud providers building their software with security in mind.
“This means there is less onus on businesses and more onus on software vendors,” states Grant.
According to Advanced’s latest Digital Business Report, though, only 35% say improved security that comes with the cloud has lived up to their expectations.
She continues: “More than ever, organisations should be working with their providers to find out what they are doing to help them get better at securing their assets. They should also look to the National Cyber Security Centre, as an invaluable but underused resource. Its frameworks, Cyber Essentials and 10 Steps to Cyber Security can should be used to spark conversations with cloud providers.”
However, Grant suggests that this doesn’t “negate the need to raise awareness among the board and the rest of the workforce. Security is a real mindset and culture. Any cyber-security strategy must start with educating people that a company’s data is sensitive — and this education must not stop.”
Florian Malecki, international product marketing senior director at StorageCraft, agrees with Grant in that it’s critical to have clear policies around who can access the data and then being able to report on those.
He also points out that “there are a number of areas to consider when optimising cloud security across an organisation’s storage systems. The first is to ensure data is backed up, whether it’s to another data centre or replicated offsite to safeguard against unexpected events, for example fires or power outages.”
StorageCraft research has shown that 47% of respondents foresee an inability to recover quickly enough in the event of a data outage, illustrating the need for a solid back up plan within any cloud security strategy.