Your cloud infrastructure may not be as secure as you think it is

Cloud computing has utterly transformed the way many of us do business, placing rapidly scalable environments and new digital tools right at our fingertips. In fact, IDC predict that by 2025, 49% of the world’s data will be stored in public cloud environments.

However, because public and hybrid cloud environments hold crucial data outside the protection of the business’ internal systems, they can create a perfect entry point for cybercriminals.

After all, enabling your staff to access the business infrastructure from anywhere raises the risk that anyone can access it, at least if the right protections have not been put in place.

Cloud makes everyone an equal target, regardless of size.

Like any other variety of criminal, cyber attackers will always have to balance effort against reward. For instance, small businesses offer cybercriminals a low-effort, low-reward target. Due to size and budget priorities, smaller businesses will often have less advanced security measures in place, but there will be less to gain in terms of ransom, valuable data, or finances.

In the past, SMEs have always been a target, but cybercriminals wouldn’t necessarily invest the same level of effort that they would in attacking a larger business. Public cloud changes this.

Cloud providers invest heavily in logical and physical security to protect their cloud perimeter. But large numbers of businesses, big and small, all utilise the same handful of public clouds. This makes them the ultimate cash-cow: considerable effort, but extremely high reward. The choice for businesses is whether they trust their cloud provider’s security measures to hold fast, without additional help.

Cloud providers only protect the perimeter

With the vast resources at their disposal, public cloud providers do have a reasonable chance of keeping their perimeters secure. The only trouble is that their security measures are completely focused on the cloud infrastructure: compute, network and storage resources, and the physical hardware and facilities themselves.

Everything above the hypervisor level is the remit of customers and application owners, who are responsible for connecting and configuring their systems correctly and securely. Businesses that neglect this process could leave large blind spots in their security systems.

The problem is that many cloud customers are not fully aware of their responsibilities when it comes to securing data and applications in the cloud. According to a survey by the Cloud Security Alliance, 60% of executives, managers, and staff all believe that their cloud service provider is responsible for security breaches.

Unless stated, cloud providers do not guarantee complete system security or data backup procedures as standard. For example, the extent of Amazon’s liability in the event of an attack is solely to refund the cost of AWS service for a year. After the hack on CapitalOne (hosted on AWS) in July this year, the provider denied any further accountability. It’s important to have a full understanding of the SLA you have in place to ensure your cloud infrastructure has not been left unsecured.

The problem of too many clouds

Further complicating the cloud security issue is the fact that most businesses now rely on a mixed environment of several clouds. While there may be one primary cloud used for general hosting, the variety of cloud-based applications that businesses now operate means that many have data stored across more environments than they realise.

For example, most employees’ mailboxes are now hosted, stored, and managed in a public cloud environment. There is also a human risk here as many attackers will use email as a way into the business using phishing and social engineering attacks. This makes it vital to work with all staff in the business to ensure good password hygiene and email security diligence.

The proliferation of cloud environments has created a huge number of potentially exploitable endpoints for attackers to infiltrate the business’ internal infrastructure. They can then move from one environment to the next until they have gained access to your most valuable systems and data. For this reason alone, it is vital that businesses properly scrutinise the SLAs for each cloud to ensure it is effectively configured and secured – and if the provider doesn’t guarantee this, to do so independently.

Caution in the cloud

Cloud has revolutionised business and its impact cannot be overstated. But it has brought with it large and newly defined network perimeters, which, if not correctly secured, can expose myriad potential entry points to attackers.

Many cybersecurity partners offer Managed Cloud Hosting services to monitor and protect against these risks. And whether businesses leverage external expertise through these services, or handle cloud security in-house, it is vital to ensure every endpoint is protected.

For every part of the business infrastructure, you should be certain where responsibility for security lies, be that with yourself, the cloud partner, or a third-party provider. Ensure that each of these entry points is properly secured, and work with staff to ensure they are cognisant of the vulnerabilities posed by hosted email and other cloud services. Only then can you enjoy cloud to its full potential, without unnecessary risk.

To learn more about responding to the weaknesses of cloud and other threats that may be hiding in plain sight, check out our whitepaper: ‘Are you the weakest link?’