Better Cloud Security Means Getting Back to Basics

Written by David Kellerman, Field CTO at Cymulate

Cloud adoption has been fast and furious over the past five to 10 years. While businesses have raced to capitalize on the cloud’s IT and DevOps potential, security has lagged – not just in terms of technology but in state of mind. While organizations have had decades to grapple with the challenge of on-premises security, many lack a mature understanding of how to apply those same principles to the cloud. It can be tempting to blame technology, but the technology needed to secure the cloud already exists – and has for some time.

Instead, the problem often stems from a lack of understanding. By now, most organizations understand the advantages of the cloud, but issues like security are not always a top priority. The cloud functions under a shared security model, with the provider responsible for certain elements and the customer for others. This model means today’s organizations need to have effective cloud protections in place, or they risk putting themselves at significant risk. Fortunately, cloud security is not as dissimilar from on-premises security as it may seem – and while the specific strategies may differ, organizations should invest at least as much in cloud security as on-premises solutions. 

Related:7 Myths About Hybrid Cloud

Why Cloud Security Lags Behind

When a new piece of technology emerges, there is often a gap between the widespread adoption of that technology and the ability to secure it effectively. It takes time to understand how to use the technology, where its most pressing vulnerabilities lie, and how to limit the risks associated with its use. Today, many businesses still grapple with securing their cloud solutions effectively – but it’s easy to become distracted when exciting new tools like generative AI are already commanding so much attention. It’s easy to see how businesses can be captivated by new technology, but ignoring existing problems opens them up to unnecessary risk.

Securing the cloud isn’t rocket science – it just requires a little extra knowledge. While it’s tempting to think of the cloud as a new frontier in computing (and, in some ways, it is), cloud security solutions have been around for almost as long as the cloud itself. The trouble is that most organizations don’t know how they should think about cloud security in the first place. But the solution is surprisingly simple. The solutions to secure the cloud may differ, but the fundamental challenges are similar to securing on-premises environments.

Contrary to popular belief, organizations cannot proceed with the expectation that cloud providers will handle security. They must invest in their security capabilities like they would with on-premises data.

Related:What Is a Sovereign Cloud and Who Truly Benefits From It?

Implementing (and Validating) the Necessary Cloud Solutions

According to the shared responsibility model that most cloud providers adhere to, the provider is responsible for the security of the cloud itself; the customer is responsible for protecting what is in the cloud. That means that while the cloud provider is responsible for the safety and security of their infrastructure, customer still need to engage in good digital hygiene practices, secure their credentials, and avoid misconfigurations – just as they would when securing on-premises data. Attackers are always on the lookout for any way to access and exploit valuable data, and they don’t care whether that data lives in an on-premises server or a cloud environment. Security measures like a strong password policy, multifactor authentication (MFA), and data segmentation can significantly reduce the risk of attackers infiltrating cloud applications and accessing sensitive information.

A good starting point for many organizations is simply evaluating how effective their existing cloud security is. It isn’t enough to implement security solutions – even if they’re the right solutions. It’s also important to know that they are functioning as intended. Today’s organizations have more testing and validation tools at their fingertips than ever, and conducting breach and attack simulation, automated red teaming, and other exercises can lay bare where vulnerabilities and inefficiencies exist. Recent testing reveals that the basic security suites offered by the leading cloud providers are not enough to detect all – or even most – attack activity, highlighting the areas where organizations need to implement new protections and providing insight into what additional solutions may be necessary.

Related:Master AI Cybersecurity: Protect and Enhance Your Network

Having the right personnel with the right expertise is also important, and outlining where certain responsibilities lie is critical. Because cloud security remains relatively new, there isn’t a “standard” structure. In some organizations, the cloud engineering team is responsible for security. In others, it falls under the purview of the CISO’s office. In practice, the more involved the cloud engineers are, the more mature an organization’s security posture will likely be. This is because those regularly interacting directly with cloud applications have a better understanding of how those applications are used and where the potential for misconfiguration or misuse is highest. Engineers and security team members can help uplevel one another’s knowledge on the specific peculiarities of the cloud, helping businesses build a more cooperative and collaborative approach to cloud security that leverages their existing knowledge base more effectively.

Don’t Reinvent the Wheel

Too many organizations still mistakenly believe cloud providers will handle security or falsely assume that digital hygiene and credential protection require a different approach where cloud systems are concerned. But the truth is, there’s no need to reinvent the wheel. Organizations that want to improve their approach to cloud security can begin by applying the same principles they use for their on-premises environments and ensuring they are leveraging the appropriate solutions and expertise where they are needed most.