The world is enthusiastically switching to cloud services, with AWS doubling its footprint in the UK over the last year. What’s driving this move? One factor is the desire to improve services and innovate at pace. Another is the chance to free businesses from the cost and constraints of legacy infrastructure. A third is access to services, such as data analytics, that organisations would not otherwise have had the expertise to set up themselves.
While these are valuable benefits of adopting cloud, the switch can create security weaknesses if you don’t have suitable controls in place. And we all know that security weaknesses can be costly in terms of customer trust and regulatory fines (just look at the proposed £97 million Marriott International fine).
To avoid these risks, we’ve set out five steps you can take to improve your cloud security:
Vendors typically don’t assume any liability (and are clear about it) when it comes to how you configure and use their services. That means there’s no safety net, making you responsible for ensuring you don’t make any security mistakes, such as leaving AWS S3 buckets open to the world. Even though AWS, Google Cloud Platform and Azure all meet various regulations, like the Payment Card Industry Data Security Standard, you’re still responsible for service configurations, guest operating systems and other security controls to ensure compliance.
You’ll need a team with a background in architecture, in-depth cloud knowledge, the ability to script in languages such as Python and experience using analytics to drive policy enforcement automation. Typically, you need deeper knowledge of the vendor’s services and their interdependencies, and you need to foster continual learning, because vendors quickly change and evolve what they offer.
With Agile being the go-to approach, security controls and architecture need to keep pace so that value can be released safely. At a minimum, a matching approach would provide safe technical and cost boundaries for teams to work within, proactive controls that kick in outside of these boundaries and don’t rely on security review cycles, a way of capturing developer intent to guide remediation and risk assessments, and security principles training for the development teams.
Vendors will have tools and services that help you continually check your security and configurations. One of the benefits of using cloud services is the ability to automate checks against policies and for vulnerabilities, and to automate remediation. This can help keep pace with the business’s use of the cloud.
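As an added illustration of the kind of automated policy check described above (example code written for this article, not a vendor tool), the script below scans a constructed bucket inventory, shaped like AWS GetBucketPolicy and GetBucketAcl responses, and flags S3 buckets whose policy or ACL opens them to the world; the bucket names and the `vpce-PLACEHOLDER` endpoint id are made up.

```python
"""Offline check for S3 buckets exposed to the world (constructed sample data)."""
import json

PUBLIC_PRINCIPALS = ({"AWS": "*"}, "*")
PUBLIC_ACL_GROUPS = (
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
)

def policy_is_public(policy_json):
    """True if an Allow statement grants access to everyone without any
    Condition narrowing it (treating any Condition as narrowing is a
    deliberate simplification of this example)."""
    if not policy_json:
        return False
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal") in PUBLIC_PRINCIPALS and not stmt.get("Condition"):
            return True
    return False

def acl_is_public(grants):
    """True if the ACL grants anything to AllUsers or AuthenticatedUsers."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GROUPS for g in grants)

def find_public_buckets(buckets):
    """Names of buckets whose policy or ACL exposes them to the world."""
    return sorted(b["name"] for b in buckets
                  if policy_is_public(b.get("policy")) or acl_is_public(b.get("acl", [])))

# Constructed inventory shaped like GetBucketPolicy / GetBucketAcl responses.
SAMPLE_BUCKETS = [
    {"name": "logs-private", "policy": None, "acl": []},
    {"name": "static-site", "acl": [],
     "policy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::static-site/*"}]})},
    {"name": "backups", "policy": None,
     "acl": [{"Grantee": {"Type": "Group",
                          "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
              "Permission": "READ"}]},
    {"name": "vpc-only", "acl": [],
     "policy": json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::vpc-only/*",
               "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}]})},
]

if __name__ == "__main__":
    print(find_public_buckets(SAMPLE_BUCKETS))  # ['backups', 'static-site']
```

In a live account the same functions would be fed from the vendor's API on a schedule, with a remediation step (for example, applying the account-level public access block) triggered for each flagged bucket.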
As the adage goes, planning prevents poor performance. So, incident response plans should include scripts to deploy new configurations, alternative payment methods and dormant accounts to launch from. This will keep fines from regulatory bodies to a minimum, and keep a lid on costs caused by unauthorised expenditure on cloud services in the event of a breach, such as when hackers used Tesla’s cloud to mine cryptocurrencies.
There are countless examples of companies adopting cloud and then being exploited. In nearly all cases, the reason for the exploitation was a failure of the company, not the cloud vendor. By following these five steps, you can start to make the most of the cloud effectively and safely.