It’s not uncommon today for an organization to have workloads spread among multiple clouds and on-premises environments. This makes the job of securing those workloads more complicated than ever before. IT professionals are doing their best to understand the risks and implement the right tools, but cyberthreats are a moving target, in-house cybersecurity skills are often lacking, and there is a vast and confusing selection of security detection and prevention tools to choose from.
These factors have prompted many organizations to move toward a cloud security services model, where a third-party provider protects assets in partnership with the business. All models of cloud security services are becoming more popular. IDG found that 22% of companies plan to evaluate or invest in cloud-based security services this year, while another report found that 83% of IT leaders with in-house security teams are considering outsourcing security efforts to a managed services provider (MSP) this year.
Cloud security services can take many forms. Some are fully managed services that encompass everything security-related, while others are cloud services focused on a specific type of security, such as application security, network security, secure email and web gateways, identity management and access control, user authentication/identity as a service (IDaaS), managed detection and response (MDR), or Security Information and Event Management (SIEM). Some are more customized, some combine consulting, some are fully automated, and some provide a combination of automation and actual cybersecurity specialists standing by and ready to step in.
Yet even with professional help, cloud workloads aren’t 100% safe. While it’s not common, failure can occur. Sometimes, it’s a disruption in service to a specific geographic area or availability zone. Other times, it’s human error or a new type of cyberattack nobody has encountered before. No matter the reason, the fact is this: The cloud simply isn’t a fully secure place. No organization or vendor can control for every factor.
These facts don’t make cloud security services irrelevant. In fact, they can go a long way toward improving cloud security. Just keep these recommendations in mind:
Identify exactly what you’re looking for. There are many pieces to the cybersecurity puzzle, and depending on your internal IT expertise, budget and appetite for risk, you may want to outsource some and keep others internally. If you can’t figure it out on your own, get some help from a consultant. Once you determine what you want to relegate to a cloud services provider, make sure you have the rest of your bases covered. On the prevention side, that might mean properly configured firewalls, antivirus software, a web application firewall and encryption. It’s also important to cover detection capabilities for all scenarios: before, during and after a breach. “Strategically think about your environment and how it all comes together. That’s the best way to ensure that the cloud security services provider you choose will meet your needs,” said Onkar Birk, CTO and COO of Alert Logic.
Check out potential vendors carefully. “Don’t be afraid to ask the hard questions,” said Sean Heide, a research analyst at Cloud Security Alliance. “Ask about their own security hardening, and gather audit reports and attestation reports. Then go over everything with a fine-toothed comb to be sure that it will meet the needs of your business, and that you’re not paying for something your business isn’t prepared to manage.”
Hammer out the details. In general, cloud security is a shared responsibility between providers and businesses, and this starts as early as the contract negotiation. “Think about where the line is drawn. Who is responsible for what? Where does your role stop and theirs start? Who is responsible for detection, patching, upgrades, responding to incidents? Who owns and has access to the data? What happens if a situation comes to blows over a jointly operated system or jointly owned system? Are there any penalties on the cloud provider for non-performance? It’s important to answer all of these questions,” said Bryan Sartin, former executive director of global security services at Verizon and now MDR firm eSentire’s chief services officer. “If you take the right steps in the contract phase around ownership, dispute resolution and non-performance, you’ll be better off.”
Re-examine your company’s attitude toward the cloud. The scope and reach of information security don’t extend fully to the cloud in some organizations, and that’s a problem, Sartin said. “Often, cloud workloads are really outside infosec’s attention span,” he noted. “Security policy enforcement and day-to-day basic security operations tend to cover corporate locations very thoroughly, but tend to skip cloud-related assets and moving parts up to and including cloud tenants.” A recent report backs up this assertion, noting that while decision-makers rank security as the most challenging aspect of cloud, it’s not among the top cloud investments this year.
Clouds and cloud services may be automated, but remember that there are actual people behind the scenes, and people make mistakes. Human error from both the cloud provider side and the customer side is a very real issue. And even small mistakes can have big impacts. One of the most common human errors leading to downtime or failure is misconfiguration. Misconfigurations are by far the leading cause of backdoor entry, Birk noted. Another human problem is shadow IT. Because cloud tends to be less regulated inside enterprises, it’s relatively easy for personnel to circumvent procedures and get their own cloud instances. Sartin recommends solving this issue through procurement by refusing to allow company purchases or provisioning of cloud without the express consent of the CISO’s office.
Resist the urge to blindly trust your cloud services provider. Even if you have vetted your provider carefully, it’s important to understand the available security controls, features and services available to them. “Cloud security should be embedded at every layer of your solution, from development to deployment to operational workflows and beyond. This education is fundamental to companies running effective and secure workloads in the cloud,” explained Stuart Scott, AWS content and security lead at Cloud Academy. “You can’t just hand over the keys and expect someone else to do it all for you. Both parties have responsibilities, even if it’s a managed service. You have to know what to look for if something doesn’t seem quite right. They can give you dashboards, but ultimately it’s your company and your company’s jewels.”
It comes down to this: No matter how much money or expertise you throw at cloud security, you’re really not in control. And downtime, however rare, will occur. It’s important to accept that, while making sure you have the right capabilities in place.