Imagine a safety deposit box, nestled inside a wall of identical repositories, stretching on for infinity. Inside this safe are all the documents confirming your banking arrangements, bills and your personal identity. The safety deposit box will only unlock with one type of key, copies of which not only reside with your person, but every single member of your family. There are, naturally, rules, explaining how, when and why the material in the safe needs to be accessed – but, of course, there’s no guarantee that your uncle, aunt, or cousin once-removed will adhere to them completely.
A similar dilemma is faced by all those businesses with a presence in the cloud. It’s never been more convenient or affordable for companies of all stripes to open an account with a hyperscale provider like Amazon’s AWS and Microsoft’s Azure to host their data and software applications. But as with any online venture, risks abound. Like the dreamer confronted by an endless wall of safety deposit boxes, there is no guarantee that your firm’s key to the cloud might not be stolen, or mislaid by colleagues, or that the architecture of the safe itself isn’t vulnerable to being cracked open by opportunistic thieves.
The consequences for businesses of any one of these scenarios happening can run from the mundane to the catastrophic. The personal data of some 530 million users, for example, was exposed in 2019 after Facebook suffered a major cloud security breach. Healthcare organisations, too, have suffered disproportionately from cyberattacks on their cloud holdings, with 61% of respondents in a recent survey saying that they had experienced such an attack in the past year. Then there are the more exotic phenomena, like the suborning of thousands of corporate cloud accounts to mine cryptocurrency – a trend that Canalys CEO Steve Brazier recently pronounced was the “biggest scandal growing in the industry this year”.
The pressures on businesses to maintain high levels of cloud security are only set to increase in the coming months, as inflation continues to bite down on profit margins and internal investment. There’s also a more fundamental problem, explains ESET’s global cybersecurity advisor Jake Moore, in how thousands of SMEs perceive their cloud security responsibilities, as opposed to those of hyperscalers. “They’ve got this misconception that… cloud service providers themselves are the ones that are responsible for cloud security,” says Moore. “I just wish more people would think about it and actually understand the risk that goes with it.”
At the business end of cloud security
The aftermath of a cloud security breach can be a nightmare to handle for any business, says Moore – not least because cloud forensics specialists are searching for clues that can’t be examined in stasis. “You can’t go and turn off these clouds, because they might need to continue,” he says. “So, you’re already changing evidence, which in the policing world is never allowed to occur.”
After that comes the inevitable process of revising internal security processes. This should begin with revisiting core company attitudes toward cloud security – which, in some of the cases Jim Reavis has witnessed, can be completely off-kilter. “There’s a lot of immaturity” when it comes to ideas among businesses about their level of responsibility for securing their data in the cloud, says Reavis, the president of the Cloud Security Alliance (CSA). “Some of it really comes down to the definition and understanding of what the cloud really is.”
There are, after all, multiple ways in which a business depends on the cloud. It might start with infrastructure-as-a-service (IaaS) or software-as-a-service (SaaS) options, wherein cloud servers are utilised to store customer data depending on how much responsibility the company wants to have for running operating systems, for example, or middleware, as opposed to a dedicated service provider. However, access to the business’s cloud holdings may also extend outward to various third-party applications. As such, while your typical hyperscale provider will supply a strong security regime that walls-off threats to your data and services from their end, “it ends up being, maybe, 20% of what a typical organisation needs” to fully secure themselves from attack, says Reavis.
Such distinctions, Moore argues, are sometimes lost on some companies that are new to cloud computing, including those who sign up with hyperscale providers. “They tend to win their business by talking about security,” he explains. “Yet, if you look in the fine print, it’s a two-way street.” The importance of this observation was underscored in a recent survey from the CSA, which found that all of the top threats to cloud security were not coming from vulnerabilities among hyperscalers, but leaders within the business, customers and third-party organisations.
Even so, experts like Avi Shua remain sanguine about the level of education among businesses about their cloud security responsibilities. If anything, says the chief executive of Orca Security, understanding among SMEs and larger businesses has matured in recent years. “I think we have come a long way since companies were saying, ‘I moved into the cloud and I don’t need to care about security, the hyperscalers are going to care about it for me,’” says Shua.
As such, says Shua, the shared responsibility model of cloud security is alive and well – although he still sees companies new to the cloud occasionally adopt this outdated attitude and maintain poor cyber hygiene or else make silly mistakes (“everyone knows that you shouldn’t put all of your data in a public S3 bucket,” says Shua). Another survey from the CSA, meanwhile, found that over half of businesses using cloud applications weren’t conducting regular risk assessments, instead waiting a year or longer to investigate software’s potential exposure to hackers.
Businesses that accept their fair share of responsibilities in cloud security, however, tend to be more secure than those who keep all of their data on-premises – and more efficient, too. “A decade ago, if someone wanted to create a new application, you had to speak to at least five people: the firewall person, the database person, the networking person, maybe the purchasing person, and security,” says Shua. “Today, it might be one person to change the necessary code, and that’s it.”
But this, adds Shua, creates its own challenges. “I think the number one issue is the speed at which the cloud moves,” he says. “You must understand that your devs are going to deploy a few times a day, they’re going to make changes, and you need to make sure that your security strategy works with that.”
At the same time, it’s important to realise – especially in cloud security – that some problems are more important than others. “In reality, you don’t have a million critical items,” says Shua. “It’s the equivalent of coming to your office and someone telling you, ‘You have locks that are easy to pick. Go and fix them,’ but then you go and see that these locks are on the cleaning supply cabinet. They’re easy to pick, but who cares?”
Macroeconomic headwinds
Security matters are also complicated by the domination of the public cloud market by a handful of companies – thanks, in part, to the vast sums it takes in building and running a trans-continental empire of data centres. While these hyperscale providers are capable of supplying superior amounts of compute at a lower price point relative to their smaller competitors, the number of services they now support can make whole swathes of the internet vulnerable to outages. There’s also an emerging cybersecurity danger, too, says Moore – though not necessarily from your common variety hacker.
“A cyberattack is not just about financial motivation,” explains the security researcher. “It’s also about disruption. And if you can disrupt a business or an organisation – which is much of what nation-state attackers are into – this is where they will put their pressures.”
Shua accepts that the sheer size and influence of hyperscalers does introduce some security risks into the cloud market. The threat of outages or targeted, state-sponsored cyberattacks, however, is largely one for major financial institutions to worry about, he argues, which constitute a smaller slice of the overall market than many assume. Even then, the cybersecurity record of players like Azure and AWS is still good - though not perfect.
“We found in the last year a handful of critical issues,” says Shua, who defines ‘critical’ as one customer being able to access the data of another. In the best-case scenario, he explains, AWS managed to fix one vulnerability in just 25 hours. “On the other end of the spectrum,” says Shua, “it took Microsoft five months to fix a critical item that we found in one of their services.”
Most financial institutions, he adds, are well aware of this problem and hedge against it by formulating hybrid cloud strategies and investing in their own data centres. The latter solution is unaffordable for the vast majority of other businesses, Shua explains – but they can rest assured that, so long as they take the proper precautions on their end, hackers are still unlikely to break into their data by compromising their cloud providers.
Even so, says Moore, this ability to adapt might soon be compromised by current economic headwinds. “You’ve got decision-makers – certainly in the C-suite – who are just wanting to save money, and they’re cutting costs across the board in the technology field,” he says. Those businesses that do wish to shore up their cybersecurity credentials in the cloud, meanwhile, have to contend with a huge global shortfall in trained personnel.
“With the shortage of IT skills and key assets, I do think that cyber attackers are going to make the most of this opportunity,” argues Moore. “They always do this. They are always one step ahead of anyone else, knowing where those weaknesses lie and they are definitely going to be preparing.”
For his part, Reavis remains sceptical that cloud security will deteriorate as businesses reprioritise their IT spending. “I think there’s going to be some of that but, frankly, not a lot,” he says. Shua agrees. “Everyone knows that the risk [of a breach] is simply too high,” he says. “There’s no CEO that wants to have their organisation on the front pages as a result of a data breach.”
Even if there is downward pressure on IT departments to cut staff, adds Shua, then that doesn’t necessarily have to translate into poorer cloud security. In such cases, he argues, the best approach is to prioritise the most important cybersecurity risks. He adds: “I do see people shifting from the mindset of, ‘We’ll fix everything’ to ‘Let’s fix the most important, interesting guardrails.’”
Going forward, Moore strongly recommends that companies invest greater resources into routine cloud-related penetration testing. “I think that’s a good way of having time on your side,” says the researcher, instead of relying on cloud forensics teams to look back on what mistakes were made on either side of the supplier-client divide. “If we’re working on something that’s already happened,” adds Moore, “then the horse has already bolted”.
Investment in basic cyber hygiene training among staff should also continue. “That is a tick-box exercise,” says Moore, “but it’s something that we need to continue to give to all staff, on all levels, because they’re all working in the cloud. They all need to understand what those risks [to the business] are.”
The ultimate backstop against cloud-related cyberattacks, adds Moore, is cyber insurance – though, he agrees, policy premiums are currently high enough to put this option out of reach for many SMEs. Whatever happens, says Reavis, businesses need to continue thinking very carefully about how best to manage their relationship with cloud providers. “Cloud is really becoming, more and more, the default IT,” he says. “And cloud security is becoming foundational to cybersecurity because of that.”