Addressing the Biggest Challenges in Cloud Security

Binita Patel
Author: Binita Patel, GIAC GCLD, CompTIA Security+
Date Published: 5 April 2022

Gartner has predicted that by 2026 the public cloud expenditure will exceed 45 percent of all enterprise IT. Sustainability is another hot topic that is linked to cloud services and is predicted to cut down CO2 emissions. Cloud services, along with being sustainable and environment-friendly, help organizations maintain a digital infrastructure without having to put in as much effort as with a physical one, which improves efficiency, scalability and collaboration.

While some might argue that cloud is insecure and potentially opens the gates to severe breaches, if we were to implement security practices and procedures right from the start, we can build a more secure cloud environment.

So, what are the most common concerns relating to cloud environments, and how can they be overcome?

Not knowing what is in the cloud environment
Imagine noticing that your cloud expenses have skyrocketed. You’ll probably try to find out which resource in your cloud environment is causing this. Once you identify the cause , how would you know what its purpose is? Who owns it? If you shut it down, will it break any systems? Could your environment become compromised? These concerns over the lack of visibility into cloud workloads haunt organizations.

How can this be overcome?
Asset management is your answer. It goes a long way to keep an inventory of assets, helping to maintain these assets and identifying owners and the purpose of the systems. The cloud landscape keeps growing every day. Hence, to close the gaps in visibility, asset management is very important. Maintaining an inventory of the cloud workload is often a challenge because we do not have the bandwidth to maintain one as we are often short on budget or staff. However, not maintaining one increases the risk of unknown resources within the cloud environment. Asset management helps secure your most critical assets during an incident. Moreover, it enables businesses to make better decisions based on the criticality and risk of assets. Cloud Service Providers (CSPs) provide capabilities of tags and other native services for managing your assets.

Not knowing what and how to secure
With the increased utilization of cloud, there has been an increase in the number of security breaches. The world has seen massive security breaches just because someone forgot to secure their S3 bucket that stores sensitive information. It becomes a daunting task for smaller organizations to find the starting point on their journey to secure their cloud environment.

How can this be overcome?
Security controls protect against malicious attacks, which help to reduce the overall risk of being compromised. CSPs provide various security controls with default settings. These default settings are good to start with, but they must be tuned to ensure the default settings do not leave gaps. Further, there are industry standards like the CIS Benchmarks, NIST standards and more that businesses can utilize to start securing their cloud environments. Complementing all of these are various third-party vendors that provide various tools and technologies like Cloud Security Posture Management (CSPM), Cloud Access Security Broker (CASB), Cloud Workload Protection Platform (CWPP) and more that can be leveraged to continuously monitor and secure your cloud environments. 

Not having the skills and knowledge to operate in the cloud
People, being the most critical element of security, often lack sufficient cloud knowledge and skills. Cloud technologies evolve fast, making it challenging to keep up. Especially since the pandemic, companies have looked to move quickly toward cloud computing, which has widened the skills gap. This has added more challenges and unknowns.

How can this be overcome?
Organizations must aim to educate and provide professional development to employees that can boost their cloud skillsets. CSPs are providing training and certifications for their cloud technology. There are also various non-vendor specific training and certification courses, such as SANS Cloud Security courses, ISACA CET – Cloud Fundamentals, CSA Certificate of Cloud Security Knowledge (CCSK) and many more. Learning about the cloud and the related ever-evolving technology must be prioritized by practitioners. The cloud landscape needs responsible design, creation, maintenance and securing to be widely developed, and professionals must be trained according to their role in the cloud world. A jack of all trades will probably grow exhausted, so it might be better to have a team that can work together.

To build secure cloud environments, we need to develop a plan and come up with a timeline that will help us determine our milestones. This will help us compare our security posture over time. An added benefit is that you can present how secure your cloud environment is right now versus when the plan was laid out to your leadership team.