Cybersecurity must be considered at all points of a cloud migration
Misconfigurations are the primary cause of cloud security issues, according to Trend Micro’s research, which identifies 230 million misconfigurations on average each day, proving this risk is prevalent and widespread. The research on cloud security highlights human error and complex deployments open the door to a wide range of cyber threats.
According to Gartner, by 2021, over 75% of midsize and large organizations will have adopted multi-cloud or hybrid IT strategy. As cloud platforms become more prevalent, IT and DevOps teams face additional concerns and uncertainties related to securing their cloud instances.
“Cloud-based operations have become the rule rather than the exception, and cybercriminals have adapted to capitalize on misconfigured or mismanaged cloud environments,” said Greg Young, vice president of cybersecurity for Trend Micro. “We believe migrating to the cloud can be the best way to fix security problems by redefining the corporate IT perimeter and endpoints. However, that can only happen if organizations follow the shared responsibility model for cloud security. Taking ownership of cloud data is paramount to its protection, and we’re here to help businesses succeed in that process.”
The research found threats and security weaknesses in several key areas of cloud-based computing, which can put credentials and company secrets at risk. Criminals capitalizing on misconfigurations have targeted companies with ransomware, cryptomining, e-skimming and data exfiltration. Container technologies in the cloud, when exposed, also pose similar risks.
Misleading online tutorials compounded the risk for some businesses leading to mismanaged cloud credentials and certificates. IT teams can take advantage of cloud native tools to help mitigate these risks, but they should not rely solely on these tools, the report concludes.
Trend Micro recommends several best practices to help secure cloud deployments:
- Employ least privilege controls: Restricting access to only those who need it.
- Understand the Shared Responsibility Model: Although cloud providers have built-in security, customers are responsible for securing their own data.
- Monitor for misconfigured and exposed systems: Tools like Conformity can quickly and easily identify misconfigurations in your cloud environments.
- Integrate security into DevOps culture: Security should be built into the DevOps process from the start. DevOps practitioners should embrace the opportunity to programmatically create a secure cloud application with better security than a traditional in-house solution. In addition, security technology specifically aimed at the cloud will provide an even more comprehensive and multilayered security beyond what cloud providers already offer.
One reason why DevOps doesn’t embrace the full potential of cloud security is legacy. It is typically outside a developer’s comfort zone to take a server-based system and port it to be useable with all the appropriate cloud services utilizing the required security mechanisms to create a minimum permissions system. Instead organizations just take a set of servers and move their data and processes 1:1 to the cloud, forgetting that the cloud is a different type of deployment. With the rise of DevSecOps, organizations hope that cloud security by design will start to prevail.
Cloud solutions are not something inherently good or bad for an organization’s security. However, it requires organizations to understand the primary threats and challenges they face in a cloud environment, and perhaps more importantly, to change the way they think about cloud security: not as something that gets tacked on after the fact, but as an integral part of a well-designed cloud implementation.