You’ve been told time and again cloud is secure. And it is, but only if you treat it appropriately. Too many companies move their workloads to the cloud and think all the work is done. They often forget that their usual security measures don’t work in the cloud. The reality is that your cloud estate needs appropriate cloud security in place, then it needs constant monitoring and analysis to ensure it stays secure.
We’ve all heard of the infamous breaches that Yahoo, Alibaba, LinkedIn, Sino Weibo and Facebook have experienced in the past few years. But you’d be wrong to think it’s just the big boys under attack.
The 2021 Thales Global Cloud Security Study reported that 40% of organisations had experienced a cloud-based data breach in the past 12 months. Despite these incidents, the vast majority (83%) of businesses still fail to encrypt half of the sensitive data they store in the cloud. And in a recent study, Sysdig found 75% of companies running containers (in the cloud) have high or critical vulnerabilities which can be fixed with patches but aren’t.
I’m not surprised by any of this, nor are my cyber security colleagues, but if companies – even small ones – don’t sit up and listen, there is a 50/50 chance they will be next. If your cloud estate isn’t configured correctly, constantly monitored, and updated, it will likely leave your business open to attack.
So, how can you ensure your cloud estate is secure? Here are my top five tips.
1. Build a secure cloud infrastructure
If your IT infrastructure isn’t built and configured correctly, you leave yourself open to attack. But building a secure cloud infrastructure goes beyond the traditional IT infrastructure where it was all about a corporate network accessed in the office. Remote working and cloud technology mean every part of the network needs to be secure and protected – from the infrastructure, network, apps and data to endpoints.
Everyone will be using your cloud services, so when building out your cloud infrastructure, it’s key to involve all departments and understand how they will use the cloud and what impact this is likely to have on security. IT teams are used to managing and updating their on-premise IT infrastructure with anti-virus software and implementing the latest patches, but cloud security is different, and IT departments need to recognise this. How staff access the network and use their apps are key considerations when ensuring your infrastructure is secure.
I would recommend any company operating in the cloud or moving to it does an audit and assessment against industry best practice benchmarks to assess their cloud vulnerabilities. And working with a cloud consultant who understands all the possible security risks is a good way of informing this process.
2. Update security to make it cloud appropriate
A typical scenario is for a business to keep existing security solutions when they move to the cloud, layering it over the top as best as possible. This gives some form of protection, but visibility over the whole environment is reduced because the cloud works in a very different way to on-premise. For example, traditionally, the in-house IT team would do a true-up of that environment once a month or quarter. This works fine in an on-premise service, but when you are in the cloud scaling up and down quickly, you can end up creating a void if the true-ups only occur infrequently.
Having the right security that manages and monitors your entire cloud estate 24/7 is the only way to help prevent security breaches. There are now software solutions like MDR (Managed Endpoint Detection & Response) that continually monitor your endpoint devices beyond the scope of anti-virus software. It will continuously monitor for anomalies or suspicious activity across your cloud estate. If an incident is detected, it can act upon it for you 24/7, down to machine isolation or automated playbooks.
3. Test, monitor and analyse the estate continually
Things will slip through the net if you aren’t testing, monitoring, and analysing your cloud estate 24/7. It’s worth employing consultants to assess and test your cloud estate to help provide actionable insights to improve your security. This will allow you to align with industry best practices and help you understand your vulnerabilities, and potentially reduce your operating expenditure.
For example, one services company that did this found they could reduce costs by moving from four to two operational regions, orphaning services not in use, and downgrading their storage disks without loss of service quality. Their assessment has saved them £18,000 per year, representing a 30% saving against their annual cloud consumption. But most importantly, the review highlighted their VPN was in a ‘failed’ state, and their WordPress websites were not secure, so both needed immediate updating to prevent vulnerability to attack. The assessment led the business to implement more robust security policies and align better with ISO27001.
Once your estate has been assessed and tested for vulnerabilities and any immediate remedial action taken, it’s then a case of monitoring and analysing activity 24/7. There are some excellent cloud management platforms that will do that for a business and don’t cost the earth. These automated security and monitoring solutions are automatically applied to existing and new workloads. They scan the collected data and include proactive monitoring around security events to let you know what’s happened in clear-to-understand alerts and where action should be taken if needed, covering critical areas such as anti-malware.
4. Educate users
While you may have the best cloud infrastructure in place and all the right security and monitoring tools in place, with poorly educated users, that is irrelevant. Human error is still the leading cause of cyber security failures. Recently, researchers from Stanford University found that employee mistakes cause approximately 88 per cent of all data breaches.
It’s critical to have the right security policies in place – for remote access, mobile phone and BYOD, password use, and data transfer and disposal. Then you must continually educate, educate and re-educate all employees from the CEO down. Everyone needs to understand and buy into the concept that cyber security for your business is about shared responsibility – not just of the IT department or HR, but of all departments and all staff.
5. Have a disaster recovery plan in place
You’ve got the best infrastructure and monitoring and analysis tools, and your employees are regularly trained. But that still isn’t enough to guarantee 100% safety from cyber security breaches. It’s just not possible. To ensure your business can still operate at a time of breach or attack, you need to have proper disaster recovery (DR) plans in place and test them regularly. A remote date backup system is a must for all organisations. 80% of businesses affected by a major incident either never re-open or close within 18 months, partly because they don’t have an effective DR plan in place.
And yet, 41% of businesses haven’t tested their DR solution in the last six months or don’t know if it has ever been tested. But there are now autonomous DR solutions on the market that include security protection and non-disruptive testing of virtual machines. As this is built in the cloud, costs are significantly reduced compared to on-premises DR solutions as you pay for the services you use. If you haven’t got a good plan in place and it’s not tested regularly, make it an action today to find a company that can help you change this.
It’s hard for small and medium-sized enterprises to keep up to speed with all the latest regulatory requirements and potential vulnerabilities in their cloud estates and focus on cost optimisation. Working with a good cloud and security managed service provider will give you access to deep expertise to improve your cloud estate management, optimise your cloud costs, and ‘test’ how secure your estate is. Please don’t leave it too late, though, or you might become a statistic yourself.
James Hunnybourne, Cloud Solutions Director, Ultima