Many UK firms ill-equipped to deal with cloud security risks
Many UK firms do not have the security tools, processes and skills required to ensure their cloud implementations are secure, a security researcher and advocate warns
Despite the accelerating adoption of cloud computing services, many organisations’ security capabilities have not kept pace, according to Javvad Malik, security advocate at AlienVault.
“While cloud offerings can benefit companies greatly, they do introduce different types of risks that need to be understood and effectively managed by enterprises,” he told Computer Weekly.
A July 2017 survey by AlienVault at Infosecurity Europe in London revealed that 28% of more than 900 security professionals polled rated the level of cloud security expertise in their organisation as either “novice” or “not very competent”.
Only 18% ranked their organisations as possessing “guru-level” or “very competent” skills, indicating a general lack of confidence in their expertise in cloud security.
“Not many organisations are confident they have the skills necessary to secure cloud environments or ensure that they are performing as they should in terms of keeping data secure,” said Malik.
Compounding the problem is the fact that many organisations are unaware of just how much of their data is already in the cloud, because of the use of cloud-based accounting, marketing and other services that may not have been approved centrally, and the fact that organisations tend to trust that big cloud service providers will take care of all the security requirements, said Malik.
“Many organisations that are buying cloud-based services from the likes of Amazon, Microsoft and Google are doing so through individual departments, and are failing to address the security issues that remain their responsibility,” he said.
While a cloud service provider will take care of many aspects of maintenance, uptime and development, Malik points out that organisations have responsibilities when it comes to the data they store, particularly related to classification, security, encryption, firewall configuration and access control.
“Many small to mid-sized enterprises venturing into the cloud will sign up for services and believe they are secure simply because they are using a large service provider, but the fact that these providers are secure does not mean that data is secure as it moves in and out of the cloud,” he said.
Another common problem is that security is often an afterthought when it comes to cloud services, particularly when trials are quickly transitioned into being permanent services without the involvement of information security teams and the necessary due diligence around data security.
“The beauty and the danger of cloud is that it is so easy to go from a trial to switching into a full production environment without making any changes,” said Malik.
Concerns around cloud security
The urgent need to address these issues is underlined by the latest report from cloud services monitoring firm Logic Monitor, which estimates that 83% of enterprise workloads will be in the cloud by 2020, despite remaining concerns around data security in the cloud, particularly in the UK finance sector.
In just the past year alone, there have been several instances of cloud data being exposed because of misconfigurations by organisations, including Verizon, Accenture, and the Australian Broadcasting Corporation, indicating that organisations using cloud services do not have the necessary security skills.
To function effectively in the cloud while remaining compliant, Malik said enterprises require a significant level of in-house cloud expertise to ensure that all processes and systems are appropriately configured and used.
This includes instances where cloud services are procured through managed security service providers (MSSPs) or other third parties, which require assurances around how the data is being handled and secured, and where it is being stored, if it involves personal data of European Union (EU) citizens.
“Failure to configure systems as required by best practice is one of the most common failings we find, with organisations inadvertently selecting the ‘test environment’ option instead of the ‘production environment’ option or ‘public’ instead of ‘private’, which – although a small error – can make a big difference,” he said.
Other common failings are not managing access control properly, not monitoring cloud environments properly, and failing to segregate sensitive data.
Many organisations still do not have adequate controls around who has access to cloud data; are not implementing two-factor authentication for access to sensitive data; are failing to identify and remove rogue and orphan accounts; are not analysing logs for suspicious, anomalous and malicious behaviour; and are not segregating personal and other sensitive data from other data with appropriate additional access controls.
Without enough skilled staff, or the right security monitoring tools, Malik said this could result in continued cloud-based data breaches and potentially huge fines under the EU’s General Data Protection Regulation (GDPR) and the UK’s planned new data protection laws.
“Organisations should also guard against cloud providers’ claims of being ‘GDPR compliant’ without verifying where the data is stored and who has access to it,” he said.
Compounding the issue, 27% of information security professionals polled by AlienVault said their companies cut corners when it comes to cloud security, allowing colleagues to share cloud credentials or licenses to cut costs.
“While doing so may save some money in the short-term, the lack of accountability that results from sharing cloud services and credentials can cost companies a lot more in the long run,” said Malik.
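The control gaps Malik lists (no two-factor authentication on accounts with access to sensitive data, rogue and orphan accounts that are never removed, logs that nobody analyses, sensitive data left in resources set to “public”) and the shared-credential practice in the survey can all be checked with a small audit over the inventories and logs a cloud provider already exposes. The script below is an added example, not code from the article or from AlienVault; the inventory rows, the access-log lines, the field names and the 90-day dormancy threshold are all constructed assumptions chosen to illustrate the checks.

```python
"""Added example (not from the article): audit a constructed cloud account and
storage inventory and a constructed access log for the control gaps the article
describes. All data and field names are assumptions, not a real provider's export."""
from collections import defaultdict
from datetime import date, timedelta

TODAY = date(2017, 10, 1)          # fixed "today" so the example is deterministic
ORPHAN_AFTER = timedelta(days=90)  # assumed policy: no sign-in for 90 days => dormant

# Constructed account inventory, as an IAM-style export might look.
ACCOUNTS = [
    {"user": "alice",      "owner_active": True,  "mfa": True,  "last_login": date(2017, 9, 28), "sensitive_access": True},
    {"user": "bob",        "owner_active": True,  "mfa": False, "last_login": date(2017, 9, 30), "sensitive_access": True},
    {"user": "carol",      "owner_active": False, "mfa": True,  "last_login": date(2017, 3, 1),  "sensitive_access": False},
    {"user": "svc-backup", "owner_active": True,  "mfa": False, "last_login": date(2017, 5, 1),  "sensitive_access": False},
]

# Constructed storage inventory: data classification plus the access setting chosen at creation.
RESOURCES = [
    {"name": "hr-records", "classification": "personal",  "access": "private"},
    {"name": "marketing",  "classification": "public",    "access": "public"},
    {"name": "finance-q3", "classification": "sensitive", "access": "public"},
]

# Constructed access-log lines: "<timestamp> <key-id> <source-ip> <action>"
ACCESS_LOG = """\
2017-09-30T08:01:12Z KEY-0001 203.0.113.10 ListObjects
2017-09-30T08:05:40Z KEY-0001 203.0.113.10 GetObject
2017-09-30T09:15:03Z KEY-0002 198.51.100.7 GetObject
2017-09-30T09:16:11Z KEY-0002 198.51.100.23 GetObject
2017-09-30T09:20:45Z KEY-0002 192.0.2.77 PutObject
2017-09-30T10:02:00Z KEY-0002 203.0.113.55 GetObject
"""


def audit_accounts(accounts, today=TODAY):
    """Flag accounts that reach sensitive data without 2FA, orphan accounts whose
    owner has left, and dormant accounts that have not signed in within the policy window."""
    findings = []
    for a in accounts:
        if a["sensitive_access"] and not a["mfa"]:
            findings.append((a["user"], "no 2FA on account with access to sensitive data"))
        if not a["owner_active"]:
            findings.append((a["user"], "orphan account: owner has left"))
        elif today - a["last_login"] > ORPHAN_AFTER:
            findings.append((a["user"], "dormant account: no sign-in in 90 days"))
    return findings


def audit_resources(resources):
    """Flag any resource whose access setting is 'public' but whose data is not."""
    return [(r["name"], f"{r['classification']} data exposed as '{r['access']}'")
            for r in resources if r["access"] == "public" and r["classification"] != "public"]


def shared_credential_indicators(log_text, max_sources=2):
    """Return credentials used from more than max_sources distinct source addresses.
    A key seen from many addresses in one day is an indicator, not proof, of sharing."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:      # skip blank or malformed lines
            continue
        _ts, key_id, src_ip, _action = parts
        sources[key_id].add(src_ip)
    return {k: sorted(v) for k, v in sources.items() if len(v) > max_sources}


if __name__ == "__main__":
    for user, problem in audit_accounts(ACCOUNTS):
        print(f"account {user}: {problem}")
    for name, problem in audit_resources(RESOURCES):
        print(f"resource {name}: {problem}")
    for key_id, ips in shared_credential_indicators(ACCESS_LOG).items():
        print(f"credential {key_id} used from {len(ips)} addresses: {', '.join(ips)}")
```

The shared-credential check is deliberately a weak signal: a single key seen from several addresses may also mean a roaming laptop, a NAT change or a pool of build agents, so the threshold is a tuning knob and a hit is a prompt to confirm who holds the key, not a verdict. The two inventory audits are the ones worth running on a schedule, because they catch the failings Malik names before a breach or a GDPR inquiry does.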
He added that any company venturing into the cloud should have a fundamental understanding of the shared responsibility model, which dictates that consumers of cloud services remain responsible for securing their operating systems, applications and data running on cloud accounts.
For this reason, he said it is important for organisations to bear this in mind when selecting cloud providers, particularly in light of the GDPR. Organisations should also familiarise themselves with cloud security tools that are available to help them monitor their cloud infrastructure.
Malik recommended that organisations establish exactly how much of their critical data is in the cloud already, which may be more than they realise.
He also recommended that they work with their cloud service providers as partners to ensure that the correct data processing agreements are in place, and that there is a reasonable level of understanding of the security issues related to cloud in their organisation.
“There is value in belonging to security and cloud security specific forums to raise understanding and awareness of the key issues, as well as looking at the cloud-specific guidance around privacy and security that is available on the website of the Information Commissioner’s Office (ICO) and the National Cyber Security Centre (NCSC),” said Malik.
He added that organisations should ensure that, at the very least, they are able to show that they have good business use cases for their cloud implementations, and that they have taken reasonable steps to ensure that all data stored in the cloud is secure.