Moving to the cloud is the new norm in the business world.  According to the latest report ‘Building trust in a cloud sky’ from McAfee, the adoption of Hybrid cloud has grown 3X in the last year, increasing from 19% to 57% of organizations surveyed.  This shows the reach and depth of the cloud in the global business world. The report also covers the increasing cyber security issues in the cloud environment that many organizations are experiencing. It says that ‘the Cloud applications continue to be a vector for cyberattacks, and over half (52%) of the respondents indicate that they have definitively tracked a malware infection to a SaaS application’.
While ease of use, scalability, and cost are the major driving factors for moving into the cloud, the security in the cloud remains a major concern for many organizations. This concern strengthens in this age of raging Cyber wars using multiple attack vectors including of Denial of service attacks, ransomware threats like Petya and Wannacry, Man in the middle Cryptographic attacks and Advanced Persistent Threats (APT). Â All these points to the facts that adapting to cloud without fully understanding the environment and its associated risks may lead you into a pool of technical, security, compliance & financial issues.
Here is a list of few top loopholes which get ignored during the cloud migration & deployments and should be in your checklist necessarily for a smooth cloud transition.
- The urge to get into a cloud system too quickly and relying on Cloud service provider for Security
It is understood that the enterprises have the need to adopt cloud at the earliest and the fact that it is typically very easy to get cloud up and running; people rapidly ramp up their systems, add users, data, features, etc. While ramping up to cloud they often neglect the most basic security requirements such as maintaining proper user access controls, password management, etc. and most of them rely on Cloud service providers for the same. Though typically CSPs deploy security controls to protect their environments,  ultimately, it is the responsibility of the organizations to  protect their own data in the cloud. This task is procrastinated until it’s too late.
Enterprises should use multifactor authentication systems such as one-time passwords, phone-based authentication, and smartcards to protect their cloud services and should control the encryption process and keys on their own. In addition to this, a well-defined access control policy that segregates & grants minimum user access based on their job roles is necessary along with effective logging, monitoring, and auditing administrator activities to help against data breaches, etc.
- Maintaining Data Security & Integrity
A very common and an ignored aspect of cloud migration is understanding the data privacy laws of the country where servers are residing as well as of the country to which the user data belongs to.
There are scenarios where different privacy laws are applied for data storage in servers operating in one country, though the person to whom that data belongs may be in another country. Understanding this beforehand can help you against legal & compliance risks that you may run into. It is very significant to understand who can access your data & how.
Additionally, it’s time to look beyond devices and email for data security and take a dive into data loss prevention for cloud services as well. Though it not advised to block or encrypt every piece of data going to cloud service, it is required to implement a DLP process. A DLP process classifies and maps sensitive data movement against relevant internal policies and government regulations and has the flexibility to either alert, encrypt, or block that data inline or offline.Â
- Periodic Auditing
Another ignored but essential area is auditing in cloud security. Although data storage remains the primary responsibility of the CSP, enterprise IT security teams must secure, protect, and mitigate possible risks & threats on their end using effective and periodic auditing. They should verify compliance in accordance with the security policy and test & analyze the effectiveness of security controls through periodic penetration testing, vulnerability scans, etc.
Before signing a Service Level Agreement (SLA) with the CSP, it is required to check that they permit the usage of independent penetration testing and vulnerability scanning of cloud infrastructure.
- Disaster Recovery Planning & Preparing against DoS attacks
Adequate data backup measures are essential, as well as adhering to best practices in business continuity and disaster recovery. Daily data backup and off-site storage remain important with cloud environments. This is often ignored during the initial planning, but is very critical.
Another threat that continuously lingers over cloud services is Denial of Service Attack that though rarely affects confidentiality & integrity but clearly threatens availability security. To avoid this, it is important to identify vulnerabilities in system via periodic scans and use intrusion detection tools along with update patches & firewall rules to fortify your system.
- Integration with weak API services – API security
The security and availability of cloud services — from authentication and access control to encryption and activity monitoring — depend on the security of the API. Risk increases with third parties that rely on APIs and build on these interfaces, as organizations may need to expose more services and credentials.
Despite all the security concerns cloud is going to stay here and organizations should find a fine balance between the risks and the rewards and they should relook security in the cloud in a new way. Organizations should get a complete visibility in to the cloud environment and they need to ensure compliance by combining threat identification, analysis, data protection, cyber analytics and cyber threat intelligence sharing. Â Here comes the relevance of evolving solutions like Cloud Access Security Broker (CASB) which can be placed in between cloud service providers and cloud consumers to address the cloud security concerns.
Read our latest whitepaper: Every CISO’S Guide to Cyber Risk Protection – 2017 Edition
Associate Director, heads the Data Security & Privacy Practice at Happiest Minds Technologies and comes with over 13 years of experience in Enterprise Security domain. Her expertise spreads across Identity & Access Management, Access Management & Governance, Data Security & Global Privacy laws across multiple industry sectors. She comes with hands on experience across various tools in IDAM, Data Discovery & Classification, DLP & CASB and Data Encryption & Masking.
Shubhi’ s current work profile involves assessing & consulting the new age Digital Customers for their data protection landscape and recommending & planning the deployment of next-gen data security solutions for them.
She has been crucial in designing and implementing comprehensive data protection solutions along with leading GDPR & CCPA assessments for some of these enterprises as well.