All posts by stevedurbin

Cyber and the cloud: Overcoming the key security challenges amid multi-cloud rise

Cloud computing has become a prevalent force, bringing economies of scale and breakthrough technological advances to modern organisations, but it is more than just a trend. Cloud computing has evolved at an incredible speed and, in many organisations, is now entwined with the complex technological landscape that supports critical daily operations.

This ever-expanding cloud environment gives rise to new types of risk. Business and security leaders already face many challenges in protecting their existing IT environment. They must now also find ways to securely use multiple cloud services, supported applications and underlying technical infrastructure.

The need to use cloud services securely

The surge in business processes supported by cloud services has been well evidenced by organisations using cloud services to store confidential data in the cloud environment. But when using cloud services, organisations are still unsure whether to entrust cloud service providers (CSPs) with their data. CSPs generally provide a certain level of security as substantiated by multiple surveys, but cloud-related security incidents do occur.

CSPs cannot be solely responsible for the security of their customers’ critical information assets. Cloud security relies equally on the customer’s ability to implement the right level of information security controls. Nevertheless, the cloud environment is complex and diverse, which hinders a consistent approach to deploying and maintaining core security controls. It is vital that organisations are aware of and fulfill their share of the responsibility for securing cloud services to successfully address the cyber threats that increasingly target the cloud environment.

Key features of cloud services

Organisations have rapidly adopted cloud services, attracted by the ease of procurement, relatively low set-up cost and the opportunity to replace legacy technology that no longer meets business needs. Yet, managing security is no simple task due to the unique and varied features intrinsic to using multiple cloud services.

Cloud services cover a vast range of offerings such as business applications, document storage solutions, databases and virtual servers, which can all be purchased on-demand from a selection of CSPs through a public network, most commonly the internet.

As organisations move to cloud computing to enhance their business operations, they tend to favor the acquisition of cloud services over the expansion of conventional, on-premises IT data centers. Often described as a cloud-first policy, this approach has been adopted by countless organisations. For many organisations, this means that almost their entire IT infrastructure will eventually be hosted in the cloud environment.

The rise of the multi-cloud environment

As organisations acquire new cloud services, they typically choose these from a selection of multiple CSPs and therefore need to deal with a multi-cloud environment, which is characterised by the use of two or more CSPs.

Organisations favor a multi-cloud environment because it allows them to pick and choose their preferred cloud services across different CSPs (e.g. AWS, Microsoft Azure, Google Cloud, Salesforce). However, each individual CSP adopts its own jargon, its own specific technologies and approaches to security management. The cloud customer therefore needs to acquire a wide range of skills and knowledge to use different cloud services from multiple CSPs securely.

Organisations require a range of different users to securely access cloud services from within the organisation’s network perimeter through secure network connections (e.g. via a gateway). However, organisations also need their cloud services to be accessed from outside the internal perimeter by business partners and users travelling off-site or working remotely, all connecting through a selection of secure network connections as dictated by the organisation.

Overcoming cloud security challenges

While CSPs provide a certain level of security for their cloud services, organisations need to be aware of their security obligations and deploy the necessary security controls. This requires organisations to understand and address the many security challenges presented by the complex and heterogeneous aspects of the cloud environment.

Our ISF members have identified several obstacles to operating securely in the cloud environment. The main challenges include:

  • Identifying and maintaining the appropriate security controls
  • Balancing the shared responsibility for security between the CSP and the cloud customer
  • Meeting regulatory requirements to protect sensitive data in the cloud environment

The rapid explosion of cloud usage has accentuated these challenges and, in some instances, left organisations insufficiently prepared to tackle the security concerns associated with using cloud services.

Balancing the shared responsibility for security between the CSP and the cloud customer

Securing the use of cloud services is a shared responsibility between the CSP and the cloud customer. The security obligations incumbent on the CSP are to protect the multi-tenant cloud environment, including the backend services and physical infrastructure, as well as to prevent the commingling of data between different customers.

While the CSP maintains much of the underlying cloud infrastructure, the cloud customer is responsible for securing its data and user management. Whether the customer’s responsibility extends to performing security configurations for applications, operating systems and networking will depend on the cloud service model selected.

This shared responsibility for security can create confusion and lead to over-reliance on the CSP to mitigate threats and prevent security incidents. It is essential that the cloud customer does not depend wholly on the CSP to deploy the appropriate security measures, but clearly understands how responsibility for security is shared with each CSP in order to identify and deploy the requisite security controls to protect the cloud environment.

Meeting regulatory requirements to protect sensitive data in the cloud environment

An organisation using an on-premises IT data centre will know exactly where its critical and sensitive data resides and can exert full control over the movement of its data. This helps considerably when implementing security controls. In the cloud environment, by contrast, data moves in and out of an organisation’s perimeter more freely. This can obscure where critical and sensitive data is located, and how it can be protected, which can hinder an organisation’s ability to effectively enforce the requisite security controls across all of its cloud services in line with compliance requirements.

While it is the cloud customer’s responsibility to ensure the security of its data in the cloud environment, the customer’s control over its data is intrinsically limited since the data is stored by an external party – the CSP – in an off-site location, often in a different country. Moreover, the CSPs will often leverage several data centers in geographically distinct locations to ensure the organisation’s data is stored on more than one server for reasons of resilience.

This creates additional complexity in terms of managing data across borders, understanding where it is located at a given moment in time, determining the applicable legal jurisdiction and ensuring compliance with relevant laws and regulations – an obligation that rests fully with the cloud customer, not the CSP.

Maximise potential and take responsibility

Modern organisations must operate at a fast pace, delivering new products and services to stay ahead of the competition. Many are therefore choosing to move ever further towards cloud computing, as the elasticity and scalability offered by cloud services provide the desired flexibility needed to compete. For an organisation to have confidence that it can move to the cloud whilst ensuring that vital technological infrastructure is secure, a robust strategy is required.

The cloud environment has become an attractive target for cyber attackers, highlighting the pressing need for organisations to enhance their existing security practices. Yet consistently implementing the fundamentals of cloud security can be a complicated task due to the diverse and expanding nature of the cloud environment.

This is but one of many challenges that organisations need to overcome to use cloud services securely. Organisations cannot rely purely on CSPs to secure their critical information assets but must accept their own share of responsibility. This responsibility calls for a combination of good governance, deployment of core controls and adoption of effective security products and services. Controls that cover network security, access management, data protection, secure configuration and security monitoring are not new to information security practitioners, but they are critical to using cloud services securely.

Moving forward, organisations can select from a variety of trends and technologies that will enable them to use cloud services securely – from the adoption of new products to the embedding of improved processes, such as a focus on secure containers, where security is given greater emphasis during development.

Assuring that services are used securely will provide business leaders with the confidence they need to fully embrace the cloud, maximising its potential and driving the organisation forward into the future.

Interested in hearing industry leaders discuss subjects like this and sharing their experiences and use-cases? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam to learn more.

Cloud providers are under attack – and sabotaged services will freeze operations

Over the next two years, cloud service providers will be systematically sabotaged by attackers aiming to disrupt critical national infrastructure (CNI) or cripple supply chains. Organisations dependent on cloud services will find their operations and supply chains undermined when key cloud services go down for extended periods of time.

Nation states that engage in a digital cold war will aim to disrupt economies and take down CNI by sabotaging cloud infrastructure through traditional physical attacks or by exploiting vulnerabilities across homogeneous technologies. Attacks on cloud providers will become more regular, resulting in significant damage to businesses which share those platforms.

Organisations with a just-in-time supply chain model will be particularly vulnerable to service outages and will struggle to know when services will be restored, as cloud providers scramble to prioritise customer recovery.

Further consolidation of the cloud services market will create a small number of distinct targets that underpin a significant number of business models, government services and critical infrastructure. A single act of sabotage will freeze operations across the globe.

What’s the justification for this threat?

According to Gartner, the cloud services market is expected to grow from $221 billion in 2019 to $303 billion by 2021. The five largest cloud providers account for 66% of the global cloud market, with further consolidation of the market expected. This will create an attractive target for attackers, from nation states aiming to disrupt CNI to organised criminal groups seeking to steal data. These popular cloud providers will become a point of failure, posing significant risk to businesses which are operationally dependent on them or have supply chain partners with similar dependencies.

The two largest cloud providers (Amazon and Microsoft) account for nearly half of all cloud services. Microsoft, Google and Alibaba have all grown their market shares substantially, but this has not been at the expense of Amazon – it is the small-to-medium sized cloud providers who collectively have seen their market shares diminish. This has effectively consolidated the market, allowing attackers to focus on fewer, but richer targets.

The large cloud providers boast a plethora of high-profile customers, including government departments, organisations involved with CNI and a number of information security providers. If a cloud provider were to be systematically targeted via traditional DDoS, physical attacks or other means, there would be significant disruption to its services and dependent organisations. Some organisations also rely upon multiple cloud providers to underpin individual systems, but in doing so create multiple points of failure.

In order to optimise their services, cloud providers use common technologies, such as virtualisation. Vulnerabilities discovered in these homogeneous technologies will have wide-reaching impact across multiple cloud providers. Issues of this kind have been seen previously with the Spectre and Meltdown security vulnerabilities, which affected a significant number of organisations.

Several previous cloud outages have been caused by human errors or natural disasters. In February 2017 one of Amazon’s regions, US-East-1, was taken offline due to human error. This had a direct effect on IoT devices which use Amazon’s cloud services, such as the smart home app Hive. A number of high-profile websites were also taken completely offline, resulting in lost revenue. In July 2018 Google Cloud also experienced an outage, affecting users’ ability to access Snapchat and Spotify. These incidents exemplify the potential impact of cloud outages. Determined attackers are likely to develop skills and resources to deliberately compromise and exploit these cloud services over the coming years.

How can you prepare?

Organisations that are reliant on cloud providers for one or more critical systems or services should prioritise preparation and planning activities to ensure future resilience.

Picture credit: "Icicles", by Eric Lumsden, used under CC BY ND 2.0
