A consistent perception exists within many organizations that moving to the cloud expands the attack surface to malicious actors and therefore is less secure than storing data on premises. It’s time to debunk this myth — and others.
Dispelling cloud security myths has become even more pressing during the COVID-19 pandemic as organizations shift to enable access to applications and data through remote means. While it may be tempting for security leaders to revert back to their old security posture of storing data on premises behind a well-defined network perimeter, this isn’t the most effective method to secure mission-critical data.
Let’s unpack the myths related to cloud security today and explore how organizations should be thinking about cloud resourcing for the future.
Myth 1: Rush to a zero-trust security model
As more services migrate to the cloud, the thought of protecting this environment can quickly become overwhelming. With a bigger footprint — and end users accessing resources from distributed systems — the points of potential attack proliferate, and implementation of security controls is no longer centralized within a single network gateway.
A data-centric zero-trust security model is the right idea for these expanded boundaries. But this shift in philosophy requires a long-term strategy that cannot be implemented overnight. It takes time to discover and model an organization’s assets, perform data flow mapping, label data and modernize security controls for an effective zero-trust model. We’ve seen organizations rush to apply the most stringent measures and integrate modern cloud-based systems with legacy on-premises connection points, but often users end up getting locked out of critical systems and there’s a serious trade-off between risk and productivity. When that productivity affects our national security, for example, the opportunity cost of rolling back has consequences.
A shift in philosophy is needed to balance cloud security with end-user experience and the need for mission continuity. If we assume an organization will be breached — a likely scenario — the important response is how quickly threats can be detected, remediated and recovered from.
Myth 2: Only focus on advanced cloud capabilities
There are endless capabilities in cloud environments that drive enterprise IT investments. For example, the ability to integrate advanced machine learning and analytics are capabilities that weren’t possible to the same degree in on-premises software because of the vast computational power needed to support them. But what’s often overlooked is that staying ahead is irrelevant and costly if organizations don’t have basic cyber hygiene.
The growing proliferation of cyber attacks makes basic security hygiene more important than ever. In its 2020 Data Breach Investigations Report, Verizon found phishing remains a top driver of breaches, followed closely by misconfigurations.
Organizations will see the most significant ROI when it comes to cloud investments — namely visibility and transparency — if they can successfully prioritize and strengthen the following areas:
- email security systems that look for and block phishing attacks;
- strong centralized and distributed firewall controls to keep the bad guys out;
- multifactor authentication and strong access controls to let the right people in;
- automatic vulnerability scanning, patching and maintenance;
- the right automation tools to ensure consistent secure configurations; and
- cybersecurity strategies that identify and assess risk and prioritize critical assets.
Organizations should also prioritize investments that deliver complete and timely information on assets across all cloud environments, the vulnerabilities of these assets, log information and other security and health metrics.
Proactively sharpening visibility with advanced cybersecurity methodologies — such as threat hunting, which combs through endpoint data to identify malicious events dwelling in infrastructure — is also recommended. The strongest products and services combine the powers of automation, machine learning and AI with the insights of experienced human analysts to hunt adversaries who can lurk undetected in a victim’s network for an average of 200 days.
Myth 3: Directly manage all security in cloud environments
Organizations will have an edge if their cloud talent can continually upskill and focus on value-added activities. This involves outsourcing commoditized services to industry players to fully capitalize on emerging capabilities and services, and leaning on cloud service providers (CSPs) for innovations and scale in security and accountability.
CSPs today are widely adopting federal and industry standards to mitigate risk, including those from the Department of Defense, Homeland Security and FedRAMP. Within their services, CSPs are the experts when it comes to security controls; they dedicate far more resources to niche areas of security than any agency or corporation could on its own. Organizations should take advantage of the operational efficiencies and effectiveness of cloud services, especially when services such as hosting and network administration are not their core mission focus areas.
Cloud security requires a shared responsibility model. While inheriting the security benefits of outsourcing key elements of security operations to cloud providers, organizations must shift their focus on ensuring applications and platforms that sit around and above cloud services are fully secured and protected.
Myth 4: Controlling cloud environments is a technical exercise
Cloud environments should, in theory, be more visible because they heavily implement infrastructure as code and APIs. In practice, however, many organizations have better visibility into what happens on premises than in their cloud systems or in their supply chains, including both software and hardware, especially as they extend into multiple cloud environments with different technology platforms. That’s a problem.
An investment in unified visibility across the enterprise is money well spent. This visibility creates a critical foundation as organizations consider expanding their cloud environments through 5G and IoT and adopt innovations such as AI, machine learning and zero-trust applications.
It’s not just tools and technical investments that are critical. Policies and protocols also play an essential role in protecting the cloud environment. The argument should be made that governance is more important than ever as the cloud evolves. Governance sets up guardrails, so users and administrators clearly know what’s acceptable and what’s essential to stay productive and secure in the remote cloud environment. As this environment evolves, organizations should prioritize employee education, including training on downloading unauthorized content, accessing insecure networks, appropriate password management and handling lost or stolen devices. Education supplements and reinforces basic CSP protections and further strengthens the foundation for cloud innovation.
Moving forward with cloud security
There’s no single path for cloud security. Organizations — particularly those with critical missions to sustain — must balance mission and business priorities when creating protocols and solidifying their security model. Yes, with cloud environments, there are more opportunities and entry points for adversaries to poke holes, and there is potentially a much larger landscape of systems to keep track of and monitor. With that, however — and the proper governance over the cloud landscape — organizations will gain security automation, continuous monitoring and advanced disaster recovery options. Attacks will happen, but a strong cloud foundation shifts the philosophy to focus on being prepared for challenges and being confident in the ability to mitigate them rather than letting those concerns hold an enterprise back.
Jimmy Pham is a principal at Booz Allen Hamilton. He co-leads the firm’s Digital Platform capability. Pham has more than 15 years of experience designing and leading transformative, enterprise-level software and IT projects for commercial companies and federal agencies. Prior to joining Booz Allen, Jimmy worked at Akamai Technologies and cofounded neoSpin, a startup specializing in web development and application modernization. He has a B.S.E. in computer science from the University of Pennsylvania.
Brad Beaulieu is a principal at Booz Allen Hamilton. He has more than 10 years of experience in IT implementation across federal and commercial markets. Beaulieu has prior experience as a consultant at Hewlett-Packard and as an analyst at Computer Sciences Corporation. He has a B.S. in systems engineering from the University of Virginia.