CISOs Battle Rising Cloud Security Threats
The cloud, while offering immense benefits, also presents significant cybersecurity challenges.
Organizations adopt cloud computing to enhance scalability, reduce IT costs, improve collaboration and access advanced technologies.
In 2023, cybersecurity firm Rubrik observed that cloud architecture stored 13% of an organisation’s data, compared to only 9% in 2022. Comparatively, on-premises declined from 77% in 2022 to 70% in 2023.
Google Cloud, Microsoft Azure, and Amazon Web Services (AWS) are considered the established leaders in cloud services. Other smaller or niche cloud service providers (CSP) that offer cloud services include IBM, Alibaba, Oracle, Red Hat, DigitalOcean, and Rackspace.
In this blog, Infosecurity spoke to several cybersecurity, technology and cloud experts to explore some of the biggest cybersecurity challenges facing CISOs and cybersecurity teams when it comes to securing their cloud environments.
Cloud Security Challenges
Shared Responsibility Model
One of the core cybersecurity challenges in cloud environments is the shared responsibility model.
Oli Buckley, Professor in Cyber Security at Loughborough University, commented that the shared responsibility model is one of the main weaknesses in cloud security.
Essentially, CSPs offer strong infrastructure security, but the responsibility for securing the data itself lies with the organisations.
A misunderstanding of these roles can also lead to an increased risk of vulnerabilities, Buckley commented. “The complexity of cloud environments also makes it difficult to maintain visibility and control, while reliance on third-party services introduces additional risks.”
The issue with the shared responsibility model is that it can lead to confusion and lapses in security practices among cybersecurity professionals as it is not always clear who is responsible for what.
Organisations must clearly understand their role in this model and take proactive steps to safeguard their data.
One innovative solution that organisations are increasingly adopting is the "Bring Your Own Security" (BYOS) concept.
Erfan Shadabi, cybersecurity expert at Comforte AG, explained: “Unlike traditional security models where the CSP is solely responsible for security, BYOS empowers organizations to implement their own security measures on top of the existing cloud infrastructure.”
“This approach allows businesses to tailor their security practices to meet specific needs and regulatory requirements, providing an additional layer of protection that complements the cloud provider's defences. This concept not only enhances security but also provides greater visibility and control over the organization's data,” Shadabi explained.
Legal Requirements for the Data
The data held in cloud environments often includes data covered by regulatory or legal requirements, such as protected health information (PHI) and personally identifiable information (PII).
Rubrik’s research showed that around 25% of objects stored in the cloud contain such information.
“Compliance and legal risks are amplified in cloud environments, particularly as data is stored all across the world, and spans multiple jurisdictions,” Buckley said.
“It can be difficult to ensure compliance with a host of regulations like GDPR and CCPA, raising issues of data sovereignty and requiring close collaboration with cloud providers.”
Staying abreast of industry standards and regulations is key for information security in the cloud.
Misconfigurations
Cloud misconfigurations are security vulnerabilities that arise from incorrect configurations of cloud-based resources.
These errors can expose sensitive data, grant unauthorised access, and create attack vectors for malicious actors.
Luke Stevenson, Cyber Security Specialist at IT service provider Redcentric, explained: “In the early days, misconfiguration was a big problem, the unsecured AWS S3 bucket which exposed sensitive customer data to the web was a particularly prolific issue up until recently. Although it has largely been mitigated through education, it can and still does create a few headaches for security teams, the CISO and the digital risk management teams.”
A lack of visibility of cloud environments can often lead to misconfiguration. Organizations ought to conduct regular audits for misconfigurations in cloud infrastructure.
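As an added illustration of such an audit (not code from the article or from any vendor named in it), the sketch below checks exported S3 bucket settings for the public-exposure case Stevenson describes. The inventory layout, bucket names and the `uri`/`permission` field names are constructed for the example; the four public access block setting names and the AllUsers/AuthenticatedUsers group URIs are the ones S3 uses.

```python
# Constructed sample inventory; bucket names and policy contents are made up.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
OPEN_POLICY = {"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                              "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example/*"}]}
INVENTORY = {
    "constructed-open": {"policy": OPEN_POLICY},
    "constructed-locked": {"policy": OPEN_POLICY,
                           "public_access_block": dict.fromkeys(PAB_KEYS, True)},
    "constructed-acl": {"acl_grants": [{"uri": "http://acs.amazonaws.com/groups/global/AllUsers",
                                        "permission": "READ"}],
                        "public_access_block": {"BlockPublicPolicy": True,
                                                "RestrictPublicBuckets": True}},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_statements(policy):
    """Sids of Allow statements open to any principal with no Condition."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        wildcard = aws is not None and "*" in _as_list(aws)
        # Assumption: any Condition block is treated as narrowing access.
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            hits.append(stmt.get("Sid", f"statement[{i}]"))
    return hits

def audit_bucket(bucket):
    """Return findings, taking the bucket's public access block into account."""
    pab = bucket.get("public_access_block", {})
    findings = []
    sids = public_statements(bucket.get("policy", {}))
    if sids and not pab.get("RestrictPublicBuckets", False):
        findings.append("public bucket policy: " + ", ".join(sids))
    grants = [g for g in bucket.get("acl_grants", []) if g.get("uri") in PUBLIC_GROUPS]
    if grants and not pab.get("IgnorePublicAcls", False):
        findings.append("public ACL grant: " + ", ".join(g["permission"] for g in grants))
    if not all(pab.get(key, False) for key in PAB_KEYS):
        findings.append("public access block not fully enabled")
    return findings

if __name__ == "__main__":
    for name, bucket in INVENTORY.items():
        print(name, audit_bucket(bucket) or "no findings")
```

The locked bucket carries the same open policy as the first one but produces no findings, because its public access block overrides the policy; an audit that reads the policy alone would misreport it.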
Visibility
Cloud environments can be more difficult to monitor comprehensively compared with on-premise data centres.
Mark Lloyd, business unit manager at Axians UK, a technology service partner, said, “This lack of visibility can lead to undetected misconfigurations, vulnerabilities, and unauthorised access. To address this, organisations must implement robust cloud security posture management (CSPM) solutions to gain a comprehensive understanding of their cloud assets and configurations.”
In addition, many organisations are making use of multiple cloud platforms for a mix of reasons, including resilience, locality and access to specific tools and capabilities.
Darren Anstee, chief technology officer for security at Netscout, commented: “For an enterprise, trying to piece together different types of telemetry from different platforms, incorporating different metrics and data granularities, makes building a cohesive picture of ‘normal’ very difficult – which of course makes detecting ‘abnormal’ much harder.”
Every business should prioritise obtaining a comprehensive and accurate view of its operations across all platforms.
“Security is all about visibility – the old adage of ‘you cannot protect what you cannot see’ is still very true in the cloud,” Anstee said.
Access Management
Misconfigurations and a lack of cloud visibility can lead to unauthorized access to the data held in cloud environments.
Cloud infrastructure sits outside the perimeter of the organisation and, because of this, it can very quickly get out of control.
Access issues can be caused by developers failing to secure administrative passwords, posting them in open-source repositories for others to collaborate or generally failing to secure credentials when projects end.
Buckley said: “Unauthorised access to cloud-stored data can happen in a number of ways, but the result is usually the same – financial, reputational or regulatory issues. Things like encryption, strong access controls (like MFA) and effective monitoring of services can help mitigate the risks to some degree.”
Mayur Upadhyaya, CEO at APIContext, also noted that the overreliance on API keys as a primary authentication method poses a significant security risk in today's cloud-centric environment.
This is because API keys provide broad, often direct access, making them a prime target for attackers.
Buckley added that properly securing an API involves implementing strong authentication, encrypting data, validating inputs, and monitoring for unusual activity to protect against these threats.
To mitigate the risks that API keys pose, organizations should also consider prioritising the adoption of token-based authentication and access control mechanisms.
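The difference from a static API key can be seen in a small added example (not from the article or the experts quoted): a token that expires and carries explicit scopes, checked on every request. The token format, function names and scope strings are assumptions made for illustration; a production system would use an established standard such as OAuth 2.0 access tokens.

```python
import base64
import hashlib
import hmac
import json

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(secret: bytes, payload: str) -> str:
    return _b64(hmac.new(secret, payload.encode(), hashlib.sha256).digest())

def issue_token(secret: bytes, subject: str, scopes: list, now: int, ttl: int = 300) -> str:
    """Issue a signed token that is valid for ttl seconds and limited to scopes."""
    claims = {"sub": subject, "scopes": scopes, "exp": now + ttl}
    payload = _b64(json.dumps(claims).encode())
    return f"{payload}.{_sign(secret, payload)}"

def verify_token(secret: bytes, token: str, required_scope: str, now: int):
    """Return (allowed, reason); the signature is checked before the claims are parsed."""
    try:
        payload, sig = token.split(".")
        if not hmac.compare_digest(sig, _sign(secret, payload)):
            return False, "bad signature"
        claims = json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return False, "malformed token"
    if now >= claims["exp"]:
        return False, "expired"          # a leaked token stops working on its own
    if required_scope not in claims["scopes"]:
        return False, "scope not granted"  # access is narrow, unlike a broad API key
    return True, "ok"

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed value for the example
    token = issue_token(secret, "report-job", ["reports:read"], now=1000)
    print(verify_token(secret, token, "reports:read", now=1100))
    print(verify_token(secret, token, "reports:write", now=1100))
    print(verify_token(secret, token, "reports:read", now=1300))
```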
Lack of Knowledge
According to the ISC2 2023 Cybersecurity Workforce Study, the total skills gap in the cybersecurity sector has reached four million. This means that there is often a lack of knowledge within organizations’ cybersecurity teams about cloud security specifically.
Organisations can turn to managed service providers and external organisations to support their cloud security; however, selecting the right support within the budget allotted to cybersecurity can be a challenge.
Stevenson explained: “If you are unsure whether your team has the level of expertise needed to keep up with the implementation at the required pace and long-term expectation, it may be time to seek additional training and support.”
“Organisations should audit activities regularly and place a significant amount of their cloud security effort on educating the workforce. Make sure your team is aware of the specific security environment and are fully supported by a robust yet flexible process and policy,” he said.
Conclusion
While cloud providers offer robust infrastructure, the responsibility for securing data ultimately lies with organizations.
By understanding the key challenges and implementing appropriate safeguards, CISOs and cybersecurity professionals can mitigate risks and protect sensitive information.
As the cloud continues to expand, a proactive and adaptive approach to security will be essential for organizations to thrive in the digital age.