As many companies move towards deploying environments in the cloud to increase performance, scalability and redundancy, they have to wonder how do they protect these new frontiers. Traditional methods do not seem to fit into this new landscape.
Is the uncertainty of cloud security hindering the adoption of these new platforms?
In a press release, Gaurav Kumar CTO of cloud security company ReLock Inc said:
“In our analysis, cloud service providers such as Amazon, Microsoft and Google are trying to do their part, and none of the major breaches in 2017 was caused by their negligence. However, security is a shared responsibility: organizations of every stripe are fundamentally obligated to monitor their infrastructures for risky configurations, anomalous user activities, suspicious network traffic and host vulnerabilities. Without that, anything the providers do will never be enough.” and according to Gartner, “…through 2020, 95% of cloud security failures will be the customer’s fault.”
One can see in a report compiled by anti-virus vendor, Bitdefender, many high profile organizations leaked data due to poorly configured Amazon S3 buckets – a customer error, not a provider error.
Furthermore, Microsoft has a white paper on Shared Responsibilities for Cloud Computing which illustrates exactly where the responsibilities lie depending on the cloud model being adopted. This paper addresses Infrastructure as a Service (IaaS), where most of the security responsibilities are with the customer, to Software as a Service (SaaS), where most of the security responsibilities lie with the service provider.
At an IaaS level, structure and security measures predominantly still mirror their on-premise counterparts. However, as you move up the stack, the cloud becomes more and more accessible by a wider range of devices. Cloud services also stop being “yours” and no longer fit into private or hybrid cloud solutions like AWS, Azure or Google Compute. They become a service offered by 3rd parties such as Box, One Drive, Google Drive, Gsuite, Office365, Slack etc.
If configured correctly and used with the appropriate safeguards in place, cloud can be just as secure as on-premise.
In January 2018, McAfee acquired cloud security company Skyhigh Networks to help them extend their traditional security to the cloud. These products can provide extended visibility into cloud services and mitigate the threat of confidential data being exported through these new cloud services.
Cybefenders is a McAfee Managed Services Specialized Partner.