Robust cloud security needs a risk-based approach
Organisations across the public and private sector in almost every industry vertical are taking advantage of cloud services. But those same services, which offer new ways to deliver services faster and more effectively, are also a new threat surface for malicious parties to attack. And while the cloud providers go to great lengths to protect systems and data from unauthorised access, there are still risks.
Gartner predicts that 99% of cloud security failures will be at the hands of the organisation, due to misconfigurations and other potentially preventable errors. And the latest Data Breach Investigations Report from Verizon reported that misconfigured cloud storage is a major source of data breaches.
Organisations need to rethink their security strategy, as the assumptions they had for on-prem technology no longer apply. The need to bake security into contractual agreements and leverage the expertise cloud providers and managed services partners provide is becoming more apparent.
“Threat actors are becoming smarter and more sophisticated. Organisations need to be prepared to prevent existing threats and keep an eye on the future when it comes to emerging attacks that may not be caught by their existing security programs. There’s an increase in threat actors leveraging existing vulnerabilities and then using that to travel through the supply chain to other third parties,” says Damien Luke, the Head of Cyber Security at privately owned Australian ICT managed services provider AC3.
Part of the complexity, adds Luke, is that many companies are embracing a multi-cloud approach where services are spread across multiple cloud providers. This necessitates a connected approach to security that considers people, processes and systems. With each cloud service taking different approaches to security, working with a partner that understands the differences and can guide your organisation to make the best risk-based decisions is crucial. But this starts with taking a strategic approach to security.
“Organisations need to maintain an accurate asset register and configuration management database, so they know what and where their mission critical information assets are. They should regularly test security processes to ensure that they’re adhered to and effective. Security is everyone’s responsibility with many threats caused by human error. It’s important to ensure employees are regularly trained and understand their security responsibilities,” Luke adds.
The cloud offers myriad possibilities for organisations to improve their operations and reduce costs. But it’s also a new threat surface that needs to be managed.