Head in the clouds
By David Cripps, CISO, SETL
In the last few years the “cloud” has transitioned from being cutting-edge into a standard business practice, one that is relied upon by millions of enterprises of all sizes.
With hundreds of cloud providers to choose from, it’s incredibly easy for any business to set a service up with a cloud provider. In fact, the cloud is so accessible that many firms don’t realise they are using cloud services or that they may have been making critical mistakes with their implementation – mistakes which would go unnoticed if made in-house, but are critically damaging when made on internet servers.
While threats from increasingly advanced cyber criminals will likely be a major focus at Cyber Security Connect UK this year, many organisations still lack fundamental skills and practices to keep their data safe from accidental breaches or simple attacks from criminals. For example, research from SkyHigh Networks found that seven percent of Amazon S3 buckets have been left open, with no access controls whatsoever, while a further 35 percent of S3 buckets are storing unencrypted data. IBM found human error in the cloud was a leading cause of data breaches, with nearly 70 percent of the compromised records being the result of fundamental mistakes such as misconfigured infrastructures.
Why is the cloud such a security challenge?
For the most part, the security mistakes we see in the cloud have always been made. However, a misconfigured database or weak security controls on an in-house server will only be a problem if a malicious insider or external attacker discovers it and takes advantage. Most companies have been able to get away with poor practice for many years simply because no one has noticed.
In the cloud, however, simple mistakes will swiftly be discovered and exploited. Automated “bots” are now commonly used to sniff out poorly secured cloud databases, which means it’s only a matter of time before bad cloud practices lead to security incidents. Many companies mistakenly think their cloud databases are invisible to the outside, but such unrestricted databases are frequently harvested, and poorly defended ones completely compromised.
How do we secure the cloud?
While there has been a constant stream of cloud-related data breaches in the last few years, it seems that many organisations failed to take them on board as a warning. We need to see a much greater level of awareness of the risks and consequences of poorly configured and secured clouds, starting with an understanding of the potential risks at board level.
The vast majority of cloud-based incidents can be prevented with basic security hygiene. There are many different frameworks available that provide guidance to companies unsure of where to begin; one introductory-level framework is the NCSC’s Cyber Essentials. Cloud-specific guidance is available from the likes of the Cloud Security Alliance (cloudsecurityalliance.org) or from the cloud providers’ own websites. The practices set out in these frameworks are very important for managing in-house infrastructure, but it is absolutely essential to have appropriate skills and processes in house before a company considers a migration to a cloud solution.
With better awareness of the risks and the right skills and processes in place, companies can continue to reap the benefits of the cloud’s flexibility without accidentally leaving their critical data exposed and vulnerable to compromise.