
Cloud security challenges not just technological

The Computer Weekly Security Think Tank considers how CISOs and security practitioners should ensure that the business can make use of public cloud services safely and securely and avoid accidental or deliberate data leakage.

In the evolving IT landscape, cloud deployments have become deeply entrenched in business operations, presenting both unprecedented opportunities and significant challenges. The widespread adoption of cloud technologies has created a complex and dynamic environment, often spanning multiple providers and geographical regions, each with its own laws, regulations, and standards.

From fragmented environments to access control challenges, API vulnerabilities, interoperability issues, and challenging monitoring practices, today’s extensive cloud deployments can lead to gaps in security coverage and inconsistencies in data protection. In fact, these complexities have been the root cause of several IT security incidents over the years. Cloud usage and deployments have rapidly become crucial parts of business operations and, in some cases, the foundation of the business itself. We've seen a significant shift from on-premises to predominantly cloud-first strategies for many organisations.

I've had the privilege of being part of several of these transitions over the years. One notable instance involved a multinational financial services company whose risk management function had adopted multi-cloud and hybrid cloud strategies. While these strategies had their advantages, they also presented significant threats.

This particular organisation used a public cloud for advanced risk modelling and an on-premises private cloud for storing sensitive financial data to comply with regulatory requirements. However, the different technologies, security services, and implementations led to inconsistent security measures. During a routine audit, we discovered that sensitive financial data had been inadvertently exposed due to access control misconfigurations on the public cloud.

Several factors contributed to this. Firstly, the diversity and complexity of the cloud environment had allowed vast access through API calls and other technologies. Secondly, the skill set within the organisation was a constraint. The team managed various planes of technology with their security components but lacked the specialised skills to sustainably maintain high-level security across all these environments. The breach that occurred called into question the integrity of the risk model and posed a severe reputational risk to the organisation.

This incident is a great example of the vulnerabilities inherent in complex cloud environments and the critical challenges many organisations face. Each cloud provider operates with unique tools, interfaces, and security implementations, leading to potential inconsistencies and vulnerabilities. Extensive cloud adoption creates a multifaceted environment that requires meticulous management and robust security measures to protect against exposures.

Specific toolsets that help consolidate and gain visibility across diverse cloud deployments should be considered to address these challenges. One such toolset is a Managed Detection and Response (MDR) solution. Coupled with a robust 24x7 Security Operations Centre (SOC), this can centralise data from various sources, toolsets, technologies and cloud infrastructures across the organisation's IT landscape. This centralisation allows for experienced SOC eyes on those data streams, improving response times, reducing alert fatigue, and helping the organisation gain better visibility and understanding of its environment.

Security culture

But optimising the toolset and skillset alone is not sufficient. Without the proper mindset or culture established within an organisation, the impact of the improved toolset and skillset will be short-lived. Management plays a crucial role in this. Security and risk must be one of the primary drivers of the organisational culture, influencing how decisions and processes are made.

Establishing effective governance structures for data, security, compliance, and risk management is crucial. These should not be mere documents but practices that permeate the entire organisation. Basic systems like incident response and effective resilience programs should be in place and communicated. Identity and access management practices should also be taken seriously.

Addressing these challenges will not only improve the security posture of the organisation but also make it easier to achieve primary business goals. It reduces the complexity and drawbacks of diverse technology implementations and mitigates the associated risks. As the complexity of cloud environments continues to grow, driven by advancements in AI and machine learning, the challenges organisations face are only set to intensify.

The dynamic nature of cloud environments, characterised by continuous resource provisioning and deprovisioning, introduces complexities that require advanced security solutions capable of adapting to these changes. Ensuring consistent security policies across diverse cloud platforms remains a significant challenge, necessitating solutions that can keep pace with the evolving landscape.

Temi Akinlade is vCISO advisor at cyber security specialist Armor, focusing on guiding customers through risk strategy development and infrastructure security. Now London-based, he came to the UK in 2023 after stints in risk and compliance at cyber consultancy Kumbie Technologies in Canada and South Africa. He holds a BS in informatics from the University of South Africa and also volunteers with the UK Cyber Security Council.
