When you add more cloud services to your organization, you are adding more flexibility and more risk. At first, the security risk may seem small. Changing from the on-premise version of Microsoft Office to the cloud version is not a significant change. Once you have a dozen or a hundred cloud services in use, it is a very different story. What kind of security problems does the cloud expose you to?
The Top Cloud Security Risks: APIs, DoS Attacks, and Identity Management Shortcomings
“The average cost of a DDoS attack now exceeds $2.5 million in lost revenue.”
– Average DDoS Attack Size Surged in Q1 2017
The exact cloud security risks you face will vary depending on the type of cloud services you use. Here are some of the most common problems:
- Misunderstanding the cloud provider’s security. This is the number one security risk. Yes, Amazon, Microsoft, and Google have robust security to protect their data centers. However, do not assume that you can skip applying your security processes.
- Application programming interfaces (APIs). As a link between services, APIs are powerful. If this link is weak, your organization’s data will be at risk. Ask yourself if you have adequate controls to detect data breaches.
- Abuse of cloud services. This catch-all category covers both misuse of existing cloud services (e.g., using them for personal data storage) and use of unauthorized new services.
- Denial of service attacks. When your cloud service provider is attacked and suffers a setback, your ability to get work done may suffer. Keep in mind that DoS attacks become easier each year due to botnets and criminal services on the dark web.
- Insufficient identity and access management. Many cloud services originally emphasized flexibility and ease of use rather than security. Your existing identity management processes may not keep up with cloud providers.
Resource: Visit the Cloud Security Alliance for additional analysis and research on cloud security risks. The organization’s certification program is worth considering if your organization is exposed to significant cloud security risks. The Alliance also has dedicated groups that look at security issues such as blockchain, Big Data, SaaS governance, and virtualization.
In a few cases, a cloud provider’s security may be so terrible that you must change to a new provider. The majority of the time, switching providers is not a practical solution. You may have contracts with expensive termination processes. Alternatively, you may be technically dependent on some aspect of a cloud product. Whatever the reason, you need other ways to improve security.
Seven Ways To Improve Cloud Security in the Next 30 Days
Improving cloud security in 2018 and beyond involves a combination of security fundamentals, using the right tools and staying sharp on risk management.
- Assess Your Environment. Before you can evaluate the details of cloud security, you need to create an inventory of all cloud services and products used by your staff. If you already have such a list, refresh it if you have not revisited it in more than a year. You may find out that some departments are using a cloud service that has not been evaluated by IT.
- Launch a New Training Session. If you designed your cybersecurity training years ago, it is time to create a supplement on cloud security. We have seen good results in using game mechanics to stimulate participation in this type of training. Review “Tips for Gamifying Your Cybersecurity Education and Awareness Programs” for further inspiration on this front.
- Test Your Cloud Services Management. How do you know if your security framework and training programs work? One solution: ask an outside expert to verify your defenses. Hint: if employees can quickly set up new services without approval or controls, your organization will be exposed to heightened security risks.
- Improve Identity and Access Management. Here’s the secret that few people want to reveal: most identity management programs are not well suited to handle cloud services. If you are currently relying on manual reporting and tracking, you need a better solution. Take a look at Avatier’s Identity Anywhere to improve your governance.
- Explore Your Encryption Options. Many cloud services include encryption options. However, they may require end-user configuration to get the most benefit. Schedule an hour to review your high-risk cloud services and determine whether you can decrease your security risks through encryption. When in doubt, prioritize protecting sensitive data such as customer records.
- Review Your Cloud Service Provider Contracts. When was the last time you read the fine print in your cloud contracts? Take some time to review these contracts and identify your oversight opportunities. If you lack the opportunity to carry out an audit, make a note to negotiate for that option in your next contract renewal.
- Revisit Your Business Case Approval Process. Unlike the other suggestions, this change delivers its benefits over the long term, but they are well worth the effort. Read “How Much Time Should You Spend On Your Password Management Business Case?” for ideas on how you can improve your business case process. The key is to strike a balance between security and the need for innovation.
None of these improvements requires you to cancel your arrangement with a cloud provider. That does not mean that change will never be necessary. If a cloud provider fails and its recovery efforts prove futile, you need to be ready to switch to an alternative. The traditional principles of business continuity and disaster recovery must apply to your cloud management.
Resource: Your former employees may also create a gap in cloud security. Sure, you might have turned off their main employee access IDs, but what about their access to cloud services like Salesforce or AWS? To manage offboarding risk, read “Reduce Employee Fraud Risk: 5 Ways to Improve Offboarding.”
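The offboarding gap described above, together with the inventory check from "Assess Your Environment", can be audited by reconciling an HR termination list against account exports from each cloud service. The script below is an added example, not part of the original article; the CSV layouts, the `filedrop` service name, and all addresses and dates are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the original article): HR offboarding export.
HR_CSV = """email,termination_date
alice@example.com,2018-01-15
bob@example.com,2018-03-02
"""

# Constructed per-service account exports; "filedrop" is a hypothetical service.
ACCOUNTS_CSV = """service,email,status,last_login
salesforce,alice@example.com,active,2018-02-20
salesforce,carol@example.com,active,2018-03-10
aws,bob@example.com,active,2018-02-27
aws,alice@example.com,disabled,2018-01-10
filedrop,bob@example.com,active,2018-03-05
"""

# Services IT has evaluated (the cloud inventory); assumed for this example.
APPROVED_SERVICES = {"salesforce", "aws"}

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def audit(hr_rows, account_rows, approved):
    """Return (orphaned_accounts, unapproved_services)."""
    left = {r["email"].strip().lower(): date.fromisoformat(r["termination_date"])
            for r in hr_rows}
    orphaned, unapproved = [], set()
    for acct in account_rows:
        service = acct["service"].strip().lower()
        email = acct["email"].strip().lower()
        if service not in approved:
            unapproved.add(service)  # in use but never evaluated by IT
        if email in left and acct["status"].strip().lower() == "active":
            used_after = date.fromisoformat(acct["last_login"]) > left[email]
            orphaned.append({"service": service, "email": email,
                             "used_after_termination": used_after})
    # Accounts that were used after the termination date sort first.
    orphaned.sort(key=lambda f: (not f["used_after_termination"], f["service"], f["email"]))
    return orphaned, sorted(unapproved)

if __name__ == "__main__":
    orphaned, unapproved = audit(load(HR_CSV), load(ACCOUNTS_CSV), APPROVED_SERVICES)
    for finding in orphaned:
        print(finding)
    print("Unapproved services in use:", unapproved)
```

Findings flagged as used after termination warrant a review of that account's activity, not just deactivation.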
How Can You Allocate Limited Resources To Improve Cloud Security?
When a critical cloud provider suffers a security incident, you cannot avoid taking responsibility. At the same time, we recognize that you have limited resources to spend on security. That is why regular security risk assessments are the best way to calibrate your security efforts. Then you will be confident in your budget and management decisions.