The global pace at which technology is evolving and accelerating is incredible. People and companies are becoming less concerned with having “physical” assets or solutions. Tom Goodwin, Senior VP of Strategy and Innovation at Havas Media, said, “Uber, the world’s largest taxi company, owns no vehicles. Facebook, the world’s most popular media owner, creates no content. Alibaba, the most valuable retailer, has no inventory. And Airbnb, the world’s largest accommodation provider, owns no real estate. Something interesting is happening”.
This applies to cloud computing as well. During the pandemic, companies were forced to adapt to cloud solutions or face significant disruption in business or extinction. The cloud is appealing for many organizations. It is scalable in a way that companies may not be able to achieve with in-house solutions, it allows for flexibility in data storage and employee access, and it is less of an investment than traditional data center environments.
It’s easy to assume that because data isn’t centralized to a single system, it’s more secure. To the extent that is true, cloud solutions offer flexibility in the face of power outages. Every computer in the building doesn’t become a very fancy paperweight. Cloud solutions can mitigate this by ensuring financial ramifications aren’t widespread, and employee and customer trust isn’t completely broken.
In the cloud, data being stored in different environments can be a boon in the face of outages. But it also makes the information more siloed and inherently more difficult to manage and assess. A cloud system may seem appealing as it creates an “ecosystem” of different segments working in conjunction and complementing one another, but relying on a cloud ecosystem instead of an in-house “island” makes continuous monitoring and control nearly impossible.
There will be risks in traditional data environments and cloud computing environments. It’s impossible to escape security threats. But assessment and controls in conventional data environments has been tested and tried over decades. The same can’t be said for the cloud. Cloud security issues are relatively new monsters organizations are facing.
What are the security risks of cloud computing?
Risk #1: Decreased security protocols
When transferring data and services over cloud providers, organizations lose some of the visibility and control of those assets. Part of the responsibility of data security management is shifted to the cloud service provider (CSP), and it can be difficult to see where the gaps in security controls are.
It becomes challenging in cloud environments to gain a holistic view of security protocols. That is to say, there may be one aspect your CSP excels in monitoring and addressing/securing, but another area may fall short. It’s difficult to pinpoint where those gaps in security lay when using a hybrid cloud or multi-cloud solution. Being able to pinpoint and identify what the sensitive data is and where it resides is critical to managing confidential data.
There’s a third-party aspect to CSP that can be dangerous as well. Yes, your employees can gain access to the data they need, whenever they need it, but the CSP employees can also access that data. It’s possible they could abuse their authorized access to infiltrate critical systems. It would be more difficult for an organization to pinpoint the leak, as continuous control automation and automated risk assessment aren’t options for cloud solutions yet. Not having something that could integrate with both AWS and Google Cloud is also a hindrance.
There’s an enormous amount of trust being placed in CSPs that could come back to haunt an enterprise.
Risk #2: Overwhelmed security professionals
Cloud adoption introduces complexity into most IT operations. Managing and integrating data, employees, and systems across cloud applications can easily overwhelm and stress cybersecurity professionals who are already dealing with downsized teams and budgets. Learning a whole new system and integrating it with on-premises solutions may put the team overcapacity. The way old IT departments were constructed doesn’t translate well to cloud security teams. Figuring out new titles, new team structures, and new job requirements, add another element of mental tax on employees.
Staff must learn to integrate and manage cloud storage quickly, even at the cost of cutting corners in security protocols. Data is moved to the cloud without the full scope of the risk assessed and fully understanding what key management and encryption services are in a cloud-based space.
Tools required to monitor cloud servers vary between CSPs, making it more difficult for security teams if they have a multi-cloud solution, increasing the complexity of the whole operation and the likelihood of security gaps. There may also be emergent threats/risks in hybrid cloud implementations due to technology, policies, and implementation methods, which add complexity.
Risk #3: Compliance and regulatory issues
Lack of visibility into cloud operations limits an organization’s ability to monitor for compliance. Industries like healthcare, banking, or government all have stringent regulations they must adhere to. Where the data is stored, who has access to it, and how it is protected are all key in these highly regulated industries. Although storing this data in the cloud certainly increases the ease and ability of access, this also increases vulnerabilities and threats, especially since it puts the CSP partially in control of maintaining compliance. Data breaches in these sectors can be expensive and catastrophic.
If a company doesn’t put adequate protections in place, it could be legally liable or the recipient of significant fines or disciplinary action. Take the EU General Data Protection Regulation (GDPR). GDPR introduces extensive requirements for any organization doing business in Europe or storing data about EU residents. The consequences for non-compliance are steep, including fines up to 4% of global annual turnover/revenues or €20 million, whichever is higher.
To combat regulatory and compliance issues in cloud computing security, companies should have a high level of maturity and possibly leverage third-party automation tools like CyberStrong to monitor risk and improve their ability to meet compliance requirements.
Risk #4: Evolving technologies
Technology constantly evolves and at a rate that’s difficult to keep up with, even for tech companies. But in a cloud environment, sometimes it’s necessary to keep up with tech evolution or upgrades to keep using the CSP and to remain compliant. This means that security teams may have to restructure their systems more often to keep using their CSP. This can stress security teams and other employees and also introduces more risk factors because as technology evolves and systems get restructured, critical controls could be accidentally left out of the new configuration, or threats that weren’t prevalent before could take advantage of an unseen/untested weakness.
Administrative restrictions could also come into play here. Inevitably, only a few key employees will have access to the cloud settings and storage, meaning that if an issue pops up, there will be a bottleneck in who could solve it, thus increasing the amount of time it could take to respond to a security incident.
Companies need to make the necessary adjustments to retain skilled security teams that can mitigate risk in a responsible and timely fashion, all while balancing it with innovation factors that will put them ahead in the industry, but not too much innovation that the lack of knowledge or education will be a limiting factor throughout the company.
Although cloud and multi-cloud solutions certainly have their range of benefits for organizations, they don’t come without their drawbacks. Mainly being: the cloud is such a new solution that proper risk and assessment for it is still in its infancy.
Nonetheless, a risk-first approach to any level of data protection is critical in keeping up with evolving technologies, compliance, and regulatory issues, mitigating decreased security protocols, and ensuring security teams aren’t over-stressed.
To learn how CyberSaint can assist in helping you take a risk-based approach to cybersecurity, contact us.