The Truth About Common Cloud Security Misconceptions

Shifting to the cloud? Multi-cloud environments enable organisations to expand their computing and storage capacities easily, but that comes with trade-offs, and top of the list is cybersecurity.


What makes cloud computing appealing is also a reason to worry. It is easy to access your cloud environment anywhere with internet access, but that also means it’s easy for cybercriminals and digital adversaries to access it.

With the explosion of data over the past 10 years, the adoption of 5G, and the global nature of business, embracing a multi-cloud strategy is almost non-negotiable. But there’s an overlooked factor in this shift that a lot of organisations still underestimate today. And that’s cybersecurity.

Traditional security strategies and tools intended to protect on-premises networks simply don’t work when defending in the cloud. Instead, design and implement a comprehensive security solution that can protect against an expanding array of threats and increasingly sophisticated attacks targeting multi-cloud environments.

Unfortunately, since shifting to the cloud is a relatively new strategy, some organisations are unknowingly taking on more risk as they continue to believe the common misconceptions listed below.

1. Your organisation’s cybersecurity strategy protects cloud assets

Unlike a traditional on-premises server that is often defended through a perimeter security model, anyone with an internet connection anywhere in the world can access the cloud.

This means organisations must rethink and redesign their security strategy and tools to include real-time, continuous monitoring, compliance, continuous integration/continuous delivery (CI/CD) security, and runtime protection capabilities specifically for the cloud.

And if a breach occurs, organisations can use protective measures such as micro-segmentation and encryption to minimise damage and contain the threat.

2. The cloud provider completely secures your cloud assets

Cloud security follows a “shared responsibility model” where two parties are involved in securing assets stored in the cloud: the cloud service provider (CSP), the business or entity that owns and operates the cloud, and the end users, the individuals and companies using the cloud services.

The CSP monitors and responds to security threats related to the cloud’s infrastructure while the users protect their data, cloud apps, and other assets in the cloud.  

This means that any organisation using public cloud services from Amazon Web Services (AWS), Google Cloud, Microsoft Azure, or other third-party providers must still maintain their own robust cybersecurity capabilities to protect their stored assets and maintain compliance. 

3. The organisation’s cloud environment is isolated (even in the public cloud)

The public cloud offers the ability to scale quickly with minimal investment and maintenance costs. But these gains in potential savings sometimes mean compromising privacy and control. That’s because of multitenancy.

With multitenancy, each cloud user operates alongside other businesses or individuals. Because the cloud is a shared resource, a breach with one “tenant” could spread to neighbours, or more widely, throughout the cloud. This means that the security of each user is dependent not only on its own security strategy and that of the CSP, but also on its fellow cloud users.  

So, strive for total, holistic visibility of the threat landscape, as triggers within one segment of the cloud could predict potential avenues of attack elsewhere.

4. Multi-cloud means multi-layered security

Although using multiple cloud providers may help improve reliability and availability, it often complicates security. First, not all cloud providers offer the same security features. Even when security controls are similar, their behaviour, configuration, and implementation can vary. This can create a very complex environment for the IT or information security team to manage.

In fact, recent research suggests that many DevSecOps teams are in the process of consolidating platforms to create more consistency within the cloud environment. Organisations should identify a cybersecurity partner that not only specialises in cloud security but also understands the unique challenges of a multi-cloud environment.

Combatting these misconceptions requires an end-to-end strategy

Because of how complex a multi-cloud environment is, companies can be at risk from various sources including vendors, partners, tenants, open-source code, or image repositories. In many cases, humans are the proverbial weak link within this network, as they lack in-depth knowledge of the cloud, which can lead to misconfiguration, insufficient protections, or lax policies that digital adversaries can exploit.

For example, a large financial services company with sophisticated cloud security capabilities suffered a breach involving its cloud infrastructure. Their weak link? An application flaw was exploited to pull a temporary station-to-station (STS) key from the underlying host’s EC2 (Amazon Elastic Compute Cloud) metadata service. 

The key was then used externally to access sensitive cloud resources, including Amazon Simple Storage Service (S3) buckets. This is a perfect example of a misconfiguration, as well as an image scanning issue that led to a sophisticated attack on an otherwise prepared organisation. 
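One way to detect the pattern described above, temporary instance-role credentials being used from outside the organisation's own network, is to check CloudTrail-style records for instance-profile sessions whose source IP is not a known egress address. This is an added example, not code from the article or from CrowdStrike; the account ID, role name, IP addresses and trusted ranges are constructed placeholders.

```python
import ipaddress
import re

# EC2 instance-role sessions are named after the instance ID, so the
# assumed-role ARN ends in ".../<role-name>/i-<hex>".
INSTANCE_SESSION = re.compile(r":assumed-role/([^/]+)/(i-[0-9a-f]{8,17})$")

def external_instance_credential_use(events, trusted_networks):
    """Flag instance-role credentials used from outside the trusted egress ranges."""
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    findings = []
    for ev in events:
        ident = ev.get("userIdentity", {})
        match = INSTANCE_SESSION.search(ident.get("arn", ""))
        if ident.get("type") != "AssumedRole" or not match:
            continue  # not an instance-profile session
        try:
            src = ipaddress.ip_address(ev.get("sourceIPAddress", ""))
        except ValueError:
            continue  # AWS service acting for the role, e.g. "ec2.amazonaws.com"
        if not any(src in net for net in trusted):
            findings.append({"role": match.group(1), "instance": match.group(2),
                             "source_ip": str(src), "event": ev["eventName"]})
    return findings

def _event(arn, ip, name, kind="AssumedRole"):
    """Build a constructed record with only the fields the check reads."""
    return {"eventName": name, "sourceIPAddress": ip,
            "userIdentity": {"type": kind, "arn": arn}}

# Constructed sample data: placeholder account ID, role name and documentation IPs.
ROLE = "arn:aws:sts::123456789012:assumed-role/app-role/i-0123456789abcdef0"
SAMPLE_EVENTS = [
    _event(ROLE, "10.0.1.25", "GetObject"),             # via a VPC endpoint
    _event(ROLE, "198.51.100.10", "GetObject"),         # via the NAT gateway
    _event(ROLE, "ec2.amazonaws.com", "DescribeTags"),  # service-originated call
    _event(ROLE, "203.0.113.77", "ListBuckets"),        # same key, outside the network
    _event(ROLE, "203.0.113.77", "GetObject"),
    _event("arn:aws:sts::123456789012:assumed-role/ci-role/deploy", "203.0.113.9", "PutObject"),
    _event("arn:aws:iam::123456789012:user/alice", "203.0.113.5", "GetObject", "IAMUser"),
]
TRUSTED_EGRESS = ["10.0.0.0/16", "198.51.100.10/32"]  # assumed VPC CIDR and NAT address

if __name__ == "__main__":
    for finding in external_instance_credential_use(SAMPLE_EVENTS, TRUSTED_EGRESS):
        print(finding)
```

The trusted ranges have to reflect how the instance really reaches the AWS APIs (NAT gateways, VPC endpoints, proxies); a stale list produces false positives.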

Cloud-based security is complex and requires you to work with a partner who understands the need for a comprehensive, end-to-end strategy and solution.

Connect with the Author:

Gui Alvarenga

Sr. Product Marketing, Cloud Security


Copyright © 2022 IDG Communications, Inc.