Levi, Ray & Shoup, Inc.

Plan for security before deploying your cloud environment

4/1/2021 by Michael Gallagher

Two of the largest IT market research firms, Gartner and IDC, are forecasting continued growth in cloud adoption as we come out of the COVID-19 pandemic.

In 2020, many organizations cited security as one of their greatest areas of concern as they considered moving their sensitive data and important applications to the cloud. Reports from multiple sources also state that many companies are leaping blindly to the cloud while lacking the knowledge, understanding and controls required to ensure their cloud deployments are secure. As a result, their valuable and sensitive data is at risk of exposure.

Cloud environments are designed to make sharing data easier, which fosters collaboration. This ease of data sharing, while an advantage, also generates serious concerns around how to secure your data.

As if having your cloud data stolen isn’t bad enough, data protection regulations like the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS) and others carry hefty fines or other significant penalties should you experience a data breach. This makes breaches very costly.

As with many endeavors in IT, when considering tackling cloud security your best approach is to start with the end in mind! The cloud offers you new ways to apply technology to solve your business challenges. Cloud also offers you the opportunity to reimagine your security approach, versus just extending your on-premises security to the cloud.

Understanding some of the more common causes of data breaches in the cloud is a good way for any business to build awareness as they build a cloud security plan:

Misconfigurations

Misconfiguration of cloud security settings is one of the leading contributing factors to cloud data breaches today. There are many reasons for this. Often a client’s cloud security strategy is inadequate and doesn’t account for the unique requirements that protecting cloud-based infrastructure entails. Cloud infrastructure is, by design, very easy to deploy and use, and it fosters collaboration through the easy sharing of data. This makes it difficult for clients to be sure their data is accessible only to parties they authorize. Clients leveraging cloud-based infrastructure also typically lack the level of visibility into and control over their cloud infrastructure that they have with their on-premises environments. Cloud providers have their own security controls, which you use to configure and secure your cloud deployments. Having disparate security controls for each cloud provider further compounds the issue, especially as you look to secure your data across multiple cloud providers’ environments.

Insecure Interfaces and APIs

Insecure interfaces and APIs provided by cloud service providers can be another contributing factor in cloud data breaches. While typically well-documented and easy to use, interfaces and APIs can be overlooked by clients and not properly secured, leading to exploitable access to sensitive data. Furthermore, the good documentation, originally designed for client use, can be easily exploited by cybercriminals to identify potential ways to access and steal sensitive data from your cloud environment.

Unauthorized Access

Unlike an organization’s on-premises infrastructure, cloud-based deployments are outside of your network perimeter and existing security protocols, and are directly accessible from the public Internet. While this is a good thing for your employees and customers, it does make it easier for cybercriminals to gain unauthorized access. Improperly configured security or compromised credentials give attackers direct access to your cloud deployments, often without clients even knowing it. Whether accidental or as part of a phishing attempt, cloud applications and environments are a big target for cybercriminals. As adoption of cloud-based email (G-Suite, Microsoft 365, etc.) and document sharing services (Google Drive, Dropbox, OneDrive) increases, cybercriminals are taking advantage of the emails with account credential verification links that are sent to employees to confirm their account credentials before access is provided. By leveraging a familiar process, impostors can trick users into providing their login information.

Incident Response

Many organizations have strategies in place to respond to internal cybersecurity incidents. This is because in traditional, on-premises environments, you own the network infrastructure and have security resources on-site to lock things down should you experience a security issue. You also typically have the necessary tooling in place to identify the attack, determine the scope of an incident, and then perform the appropriate remediation actions. With cloud-based infrastructure, you only have partial visibility and no real ownership of the infrastructure. Often this makes traditional security processes and tools ineffective.

Legal & Regulatory Compliance

Data protection regulations (PCI DSS and HIPAA) require organizations to demonstrate they limit access to protected information (credit card data, healthcare patient records, etc.). This may even require that clients create physically or logically separated environments for their organization’s data or network. Doing so limits access to only those employees with proper authorization. When moving data protected by these and similar regulations to the cloud, achieving and demonstrating regulatory compliance can become more difficult. In the cloud, you typically have visibility into and control over only some of the infrastructure layers. To complicate things further, most cloud providers have multiple, geographically distributed data centers. This design, while improving accessibility and performance, adds complexity and risk associated with data sovereignty, residency, and the overall control of your data.

Regardless of where you are on your cloud adoption journey, security should be top-of-mind. Cloud migration discussions begin by developing your plan for securing your cloud environments. Cloud security is a team effort with responsibility for protecting cloud environments falling on both you and your cloud provider(s). LRS provides comprehensive security services designed to help you gain visibility and control over all aspects of your hybrid cloud security environment.

About the author

Mike Gallagher is the Practice Leader for Cloud and Managed Services for LRS IT Solutions. Mike’s experience spans traditional on-premises infrastructure engagements to complex cloud migrations and the deployment of managed services around them.