This month, the Computer Weekly Security Think Tank considers how CISOs and security practitioners should ensure that the business can make use of public cloud services safely and securely and avoid accidental or deliberate data leakage.
By Beji Jacob
Published: 12 Jun 2024
The public cloud is a cloud computing model that enables resources such as applications, data storage, and virtual machines to be accessed remotely and on demand. While largely a benefit, it also leaves organisations open to public cloud security risks, particularly when they allow users to access on-demand services from various locations using different devices.
Cloud security consists of technology and techniques engineered to prevent and mitigate threats to an organisation’s cybersecurity. Companies must implement cloud computing security to support both digital transformations and the use of cloud-based tools to protect assets. Cloud security works by combining several technologies, all designed to tighten cyber defences for off-premises data and applications.
Here are some of the core elements that make cloud security work:
- Data Security: In a cloud context, data security consists of protecting and maintaining the integrity of an organisation’s cloud-based data. This data typically includes the following:
  - Company data, including proprietary, sensitive information
  - Intellectual property
  - Employee data
  - Customer data
  - Data used by web applications
- Identity and Access Management (IAM): This involves making sure your employees can access the digital solutions they need to perform their duties. Using IAM, you can manage the applications to which users have access to ensure existing users have the privileges they need and former employees’ access is terminated, which helps control your attack surface.
- Governance: This involves enforcing internal policies to manage data in a way that protects and enables systems and safeguards sensitive information.
- Business Continuity (BC) and Data Retention (DR): This focuses on backing up data to restore critical systems in the event of a disaster, breach or system wipe.
- Legal Compliance: Legal compliance focuses on making sure an organisation’s data conforms to standards set forth in the laws of the country your company is in, as well as those it may do business with.
A few of the security risks associated with the public cloud are:
- Data Breaches: The amount of data stored on the public cloud is ever-increasing, making it a more appealing and lucrative target for hackers. Failing to protect data appropriately can lead to costly data breaches that can, in turn, result in fines, legal action, and even criminal charges against an organisation. Data breaches also cause expensive reputational damage and can lead to businesses failing to comply with increasingly stringent data privacy regulations.
- Weak Authentication: Protecting public cloud data is reliant on deploying robust authentication methods and processes, such as multi-factor authentication (MFA).
- Lack of Encryption: Encrypting data makes it unreadable to anyone that is not authorised to access it. Therefore, even if attackers can access a system, they will not be able to read encrypted data, making it useless to them. Encryption ensures data remains confidential and strengthens the integrity of cloud-based data.
- Insider Threats: These attacks are caused by people who work for an organisation (i.e., current or former employees) or have access to a company’s networks and systems. The motivation behind an insider attack is typically financial. They can also be the result of an employee seeking revenge on an organisation or seeking to steal intellectual property (IP). Additionally, insider threats can be caused by human error and gaps in public cloud security, such as an IT professional failing to revoke user access when an employee leaves an organisation or their job role changes.
- User Identity Theft: Without adequate security, attackers can eavesdrop and snoop on, modify, and steal data with relative ease. Cyber criminals are increasingly using sensitive data to commit identity theft. This includes the use of various attack vectors, such as credit card theft, data breaches, malware, and Distributed Denial-of-Service (DDoS) attacks to steal personal data.
Some of the ways to ensure businesses use public cloud services safely and securely include:
- Encryption: Use data encryption to keep sensitive data safe from unauthorised use.
- Backup plan: Implement a data backup plan to keep data secure in the cloud.
- User access controls: Manage user access controls.
- Multi-factor authentication (MFA): Apply MFA.
- Train employees: An adequate amount of user (both end-user and administrator level) training should be provided to the workforce to help them understand their environment better.
- Firewalls: Use firewalls to help keep your business safe from cyber attacks and help comply with security standards.
- Vulnerability management: Use cloud vulnerability management to improve the security of the cloud platform, the apps that use it, and the data that is stored and delivered by them.
- Certificates management: Insist on strict compliance certificates.
- Cloud vulnerability and penetration testing: Use cloud penetration testing to identify any vulnerabilities in cloud-based systems.
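
The IAM and insider-threat points above (access not revoked when someone leaves or changes role) and the user access control and MFA recommendations can be checked together by reconciling the HR roster against the cloud account inventory. The following is an added example, not part of the original article; the account names, field names and group names are constructed for illustration.

```python
# Constructed sample data: HR roster, cloud account inventory and the
# groups each job role is entitled to. All names are hypothetical.
HR_ROSTER = {
    "alice": {"status": "active", "role": "finance"},
    "bob": {"status": "left", "role": "engineering"},
    "carol": {"status": "active", "role": "support"},  # moved from engineering
    "dave": {"status": "left", "role": "support"},
}
CLOUD_ACCOUNTS = [
    {"user": "alice", "enabled": True, "mfa": True, "groups": {"finance-ro"}},
    {"user": "bob", "enabled": True, "mfa": True, "groups": {"eng-admin"}},
    {"user": "carol", "enabled": True, "mfa": False,
     "groups": {"support", "eng-admin"}},
    {"user": "svc-legacy", "enabled": True, "mfa": False, "groups": {"eng-admin"}},
    {"user": "dave", "enabled": False, "mfa": False, "groups": {"support"}},
]
ROLE_GROUPS = {
    "finance": {"finance-ro"},
    "engineering": {"eng-admin"},
    "support": {"support"},
}


def audit_accounts(roster, accounts, role_groups):
    """Return (user, finding) tuples for enabled accounts that break policy."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already revoked, nothing to report
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            # No HR record: nobody is accountable for this account.
            findings.append((user, "no-owner"))
            continue
        if person["status"] != "active":
            # Leaver whose access was never terminated.
            findings.append((user, "leaver-still-enabled"))
            continue
        if not acct["mfa"]:
            findings.append((user, "mfa-missing"))
        # Privileges left over from a previous role.
        extra = acct["groups"] - role_groups.get(person["role"], set())
        if extra:
            findings.append((user, "excess-groups:" + ",".join(sorted(extra))))
    return findings


if __name__ == "__main__":
    for user, finding in audit_accounts(HR_ROSTER, CLOUD_ACCOUNTS, ROLE_GROUPS):
        print(f"{user}: {finding}")
```

In practice the two inputs would come from the HR system export and the cloud provider's account listing, and the check would run on a schedule so that leavers and role changes are caught within a known window.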
Beji Jacob is a member of the ISACA Emerging Trends Working Group.