Second, cloud providers are secretive, scheming Illuminati types that hide things from us. OK, I made up that second one, but it sometimes feels this way based on the paucity of control information they provide to us (for the record, a SOC2 report is NOT enough to satisfy most of us, cloud provider people). Third, when we try to map our existing control frameworks, compliance and security policies, and in-house tools to our cloud deployments, we often find…deficiencies. OK, OK. “Deficiencies” IS a bit of a generous term, I agree. In some cases, we find flat out incompatibilities, failures, or quizzical looks that chafe, and chafe deeply.
This is a huge problem, make no bones about it. If we can’t take our controls with us, and if the cloud providers or other leading vendors don’t provide equivalent controls, where does that leave us? For a few years now, I’ve authored a SANS study on cloud security that asks some pretty obvious questions, such as “Have you had incidents in the cloud?” and “What are the major security issues leading to incidents and breaches in the cloud?”
This year, across the board, most respondents indicated that their top fears were related to unauthorized access to cloud resources, both from outsiders and other tenants in the cloud provider environments they operated within. Vulnerabilities within the cloud environment and poor configurations of cloud assets were also major concerns for many. Get the full results.
In the past, we’ve lacked sound network security, logging, account management and control (including privileged user management), vulnerability management and monitoring, and more in the cloud…so where do we stand today?
Fortunately, the news is getting better all the time. As cloud services start to reach critical mass, cloud providers are adding more and more services and security capabilities all the time. More importantly, well-known vendors that we’ve come to rely on for our data center security have adapted their products to more readily function within cloud environments. We’ve seen a huge shift in the security vendor landscape to accommodate and integrate cloud provider APIs, create virtual machine images that are available as appliances within the providers’ marketplaces, and provide easy-to-use controls that can be automated and scale with highly dynamic cloud deployments.
Whew! It was dicey for a minute there, and we’re not out of the woods yet. Security and risk teams need to double down on evaluating solutions that are proven to mitigate major security risks in the cloud like privileged user account abuse or misuse, unpatched and poorly configured systems, and more. To be more successful at securing resources in the cloud, security teams need to come to the table with real solutions that can fulfill organizations’ internal policy needs, as well as regulatory and compliance requirements. Fortunately for us, there are more options than ever.
Thanks to Dave Shackleford of BeyondTrust for this insightful article on Cloud Security. We have to agree with the fact that cloud security isn’t going anywhere. Here at Secure Sense we have embraced the #cloud and established a Managed Service practice that’s both a cost effective solution and highly secure option for data protection. Should you be interested in learning more on our cloud solutions give us a call, we’d love to chat!
Connect with Secure Sense to protect data, your network, and systems 24/7, 365 days a year. If you have questions or want to learn more, please contact Secure Sense by calling 866-999-7506.