Cloud computing is growing rapidly, with almost every business either currently using some form of cloud resources or actively planning to do so in the near future. However, many organizations are struggling to secure their cloud deployments, as demonstrated by the large number of cloud data breaches in recent years. The cloud presents multiple security challenges, but many of them can be overcome by deploying focused, cloud-based cybersecurity protections, such as a cloud-based web application firewall (WAF).
Challenges of Cloud Security
Organizations move to the cloud for a variety of reasons, including the cost and scalability benefits that it offers. However, an increasing number of organizations are “unclouding” because they were unable to achieve the benefits that they desired.
One of the biggest reasons that organizations cite for their move from the cloud to on-premises deployments is security. In fact, almost a quarter of businesses (24%) say that they were not able to adequately protect their applications and data in the cloud. Theoretically, the cloud is just as secure as an on-premises deployment, if not more so. Any infrastructure not under the direct control of the customer is managed and secured by their cloud service provider (CSP), which likely has a larger and more experienced security team.
However, securing the cloud can be challenging. Common issues include the location of the organization’s cloud deployment (outside the network perimeter), a lack of understanding of the cloud shared responsibility model, and the unfamiliarity of the cloud ecosystem.
Outside the Perimeter
Many organizations operate on a perimeter-based security model. This model assumes that everything within the organization’s network is legitimate and benign, and the goal of cybersecurity is to keep all potential threats from breaching the network perimeter. Since the enterprise network typically only has a single point of contact to the public Internet, this goal can be accomplished by deploying monitoring and defensive solutions at this point to block threats before they can enter.
This model has a number of issues, and one of the main ones when it comes to cloud computing is that the organization’s cloud deployment (which is “trusted”) sits outside the network perimeter. Additionally, these cloud-based resources are accessible directly via the public Internet, meaning that traffic to and from them is not forced to pass through an organization’s existing cybersecurity infrastructure.
Protecting cloud-based resources requires a new security model, which is not reliant on a strong, impenetrable perimeter. Since many organizations are not prepared to operate using such a model, their cloud deployments are left insecure.
Shared Responsibility Model
The cloud shared responsibility model is a core component of securing cloud-based systems. This model is designed to inform cloud customers of their responsibilities in securing their cloud-based resources.
The need for this shared responsibility model arises from the fact that cloud customers do not own the infrastructure that their cloud deployment runs on. Instead, their CSP owns the infrastructure and invisibly provides services below a certain level, which varies based upon the type of deployment. Since neither the CSP nor the cloud customer has full control of the cloud infrastructure, they need to share responsibility for securing and maintaining it.
The shared responsibility model is designed to tell a cloud customer where their CSP’s responsibilities for security stop and theirs begin. However, only 27% of security professionals claim that the shared responsibility model is “very clear”. The other 73% of security professionals are likely leaving security gaps that open up their organization’s cloud deployment to attack.
Many organizations try to “lift” their existing applications to the cloud with little or no modification. However, cloud deployments are very different from on-premises ones and require different approaches to management and security. One of the major differences between on-premises and cloud-based deployments is that the organization does not own its infrastructure in the cloud. In fact, many CSPs will not even allow an organization to audit their infrastructure and low-level security practices.
To secure their cloud-based deployments, security teams must rely upon a collection of configuration controls and application programming interfaces (APIs) provided by their CSP. While these tools are often well-documented, they are also unfamiliar and vary from CSP to CSP. Since many organizations have adopted multi-cloud infrastructures to meet their specific business needs, the learning curve for cloud security can be extremely steep, and a single mistake can leave an organization open to attack.
Security Built for the Cloud
For most organizations, attempting to secure their deployment infrastructure using CSP-provided tools is a losing proposition. Most organizations have adopted a multi-cloud deployment for business purposes, and the CSP-provided security controls for each individual deployment are siloed and non-integrated. As a result, security teams must manually configure and monitor a number of completely distinct security controls and environments, making it difficult to maintain visibility and enforce consistent security policies across the organization’s infrastructure. This leaves the organization more likely to be vulnerable to attack and slower to respond to incidents, increasing the damage and cost to the organization.
In order to scale to secure multi-cloud environments, organizations must select security solutions that are built for the cloud and solve specific security problems. For example, a common use of cloud computing is to host an organization’s web applications. Deploying a WAF capable of operating on any major CSP’s platform and securing an organization’s web presence on that platform enables the organization to deploy consistent security regardless of the underlying infrastructure.