As cloud computing continues to strengthen its hold over the enterprise IT services market, concerns about organizational readiness to address the growing security challenges keep escalating. Invariably, the shared and on-demand nature of cloud services gives way to security risks. Whether it’s a general expansion in the exposed threat surface area, or some very specific cloud computing-related security issues – 2018 will definitely require that enterprises use the services of their CISOs to manage the growing risks. In this guide, we’ve covered the most pressing of these concerns for you to understand and plan your enterprise’s cloud security strategy around.
Lack of Understanding of Shared Security Responsibilities
One of the major problems that hit CISOs hard is the realization that their cloud service provider is not exactly 100% responsible for the complete security of the workload. Enterprises believe that since their workloads are being managed in the cloud, they can simply forget the security aspects of the same. The truth, however, is that cloud service providers are not responsible or under any obligation for ensuring the security of the workload beyond what the contract mentions. Data retention, backup, security, and resilience – all come in the purview of the enterprise’s responsibility for cloud security, and not that of the vendor. CISOs would do well to understand the cloud service vendor’s model of shared security responsibility. Almost always, companies need to implement extended and additional security measures to secure their cloud data.
Insiders with Malicious Intent
All it takes is a disgruntled employee to bring down the IT systems of an enterprise; that’s sad but true. Because the average enterprise has more than a few cloud computing service vendors, it also means your employees have that many cloud-based applications to manage their work around. Single sign-on is a practical option for companies. However, it also means that malicious insiders can use their position to access and mess up applications.
To make sure that their cloud apps remain secure, enterprises need to invest in identity and access management processes and capabilities. They also need to work with cloud vendors to implement alert mechanisms based on behavior analysis. These mechanisms can identify suspicious user behavior and trigger alerts, apart from blocking access upon detection.
Failure in Due Diligence while Hiring and Onboarding New Cloud Service Vendors
More and more business applications are now being delivered via the cloud. This obviously means that IT managers will find themselves in boardrooms, being pitched dozens of cloud solutions.
Here, due diligence could be a deal maker or breaker as far as the success of the enterprise-vendor relationship goes. CISOs have a very clear role to play here and must be closely associated with the IT vendor onboarding process. Now is the perfect time to start working on building a thorough checklist of pre-requisites that vendors must meet to qualify for your company’s business. CISOs also must work along with their counterparts from active vendors to ensure the right fit among systems from both sides.
A missed step in the due diligence before signing off a contract with a cloud vendor could come back to haunt your company very soon.
Though enterprises strive to make their IT and business applications immune against user errors, the risks remain real. Also, users of cloud-based applications are always on the radar of cybercriminals. CISOs have to ask themselves – are the end users sufficiently secure against phishing and social engineering attacks?
To make sure that a naive employee doesn’t end up being the cause of an application outage, CISOs need to lead IT efforts towards improving the cybersecurity knowledge of end users.
Insecure Application Programming Interfaces
Application programming interfaces (APIs) are key enablers of integration of cloud services with all kinds of on-premises and third-party applications that a business uses. In the very recent past, there’s been a lot of focus on delivering advanced APIs to enterprises to enable them to self-service requests. APIs are also the system components where monitoring, management, and provisioning can be managed by users.
In 2018, it’s expected that the range and capabilities of APIs will expand, bringing more enterprise IT consultants and technicians within the purview of API-relevant user groups. This, however, must be done with close oversight of the CISO or one of his/her close aides. The reason – APIs invariably contribute to the threat surface area of enterprise cloud infrastructure. Companies need specific additional measures to prevent deliberate or accidental attempts to circumvent policies.
Though account hijacking is not something specifically associated with cloud computing, it’s certain that cloud computing does add a lot to the threat surface area. The reason is that cloud services are accessed via user accounts, and each new account becomes a risk variable in the cloud security equation. If hackers are able to hijack a user account, they can use the credentials to:
- Record transaction information
- Manipulate data
- Eavesdrop on business communications
- Redirect users to suspicious websites
- Execute advanced phishing attacks on hundreds of owners of similar accounts
- Access critical cloud computing settings and configurations
- Block legitimate access requests
- Return false information to data requests
Advanced Persistent Threats
Like a parasite, some cyber attacks persist for a long duration, attempting to infiltrate target systems and establish a stronghold within the IT processes and workloads of the victim systems. The worst part of APT attacks is that they stealthily grow aware of evolving security measures and can alter their responses accordingly. Once APTs become a part of a system, they can move laterally and start stealing information from cloud workloads.
As more data and more applications move to the cloud, the role of the enterprise CISO in ensuring security becomes crucial. 2018 will throw all kinds of security challenges at enterprises, particularly related to cloud infrastructure. The threats mentioned in this guide are the ones that warrant the CISO’s attention.