
Managing Cloud Security in a Multicloud Environment (Part 2)

Published 01/09/2023

Written by Sandeep Shilawat, Cloud and IT Modernization Strategist, ManTech.

Originally published by Forbes.

As discussed in my last article, to date, most known security incidents in the cloud have been the fault of the customer rather than of the cloud service provider (CSP). And yet CSPs often have far more insight into network configuration and data flows than their customers do. By hiding their security infrastructure behind proprietary configurations, CSPs hold a disproportionate information advantage over their own customers.

Customers can help balance the security load with their CSPs by implementing a shared security model and/or implementing their own zero-trust model.

Continuing this thread, let's briefly review common threats to cloud networks. From there, I'll recommend solutions for mitigating these threats and improving your company’s security posture.

Common Threats

Among the most common root causes of cloud breaches for both government agencies and commercial companies is misconfiguration (or insufficient security settings).

Often, cloud misconfiguration simply means improper identity and access management (IAM) role assignments for various cloud services. The most prevalent problem in this category has been leaky AWS S3 buckets. AWS is aware of this issue and has since taken measures to better educate its customers about proper S3 bucket configuration.
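The kind of check a customer can run to catch the leaky-bucket misconfiguration described above, as an added example that is not from the article or its author: it parses an S3 bucket policy and flags Allow statements granted to a wildcard principal with no condition that scopes the grant to a network path, account or organization. The policy, account id, bucket name and VPC endpoint id are constructed placeholders.

```python
import json

# Constructed sample of a "leaky bucket" policy; the account id, bucket name
# and VPC endpoint id are placeholders, not values from the article.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "VpcEndpointOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
    ],
})

# Condition keys that pin a wildcard principal to a network path, account or
# org; an anonymous grant carrying one of these is scoped rather than public.
SCOPING_KEYS = {"aws:sourcevpce", "aws:sourcevpc", "aws:principalorgid", "aws:principalaccount"}

def _as_list(value):
    """IAM lets most fields be a single value or a list; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value)

def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _has_scoping_condition(statement):
    for operator, pairs in statement.get("Condition", {}).items():
        if operator.lower().startswith("null"):
            continue  # "Null" only tests whether a key is absent; it scopes nothing
        if any(key.lower() in SCOPING_KEYS for key in pairs):
            return True
    return False

def find_public_statements(policy_json):
    """Return (Sid, sorted actions) for each Allow statement that any AWS
    principal or anonymous caller can use with no scoping condition."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if (stmt.get("Effect") == "Allow" and _is_wildcard_principal(stmt.get("Principal"))
                and not _has_scoping_condition(stmt)):
            findings.append((stmt.get("Sid", "<no Sid>"), sorted(_as_list(stmt.get("Action", [])))))
    return findings
```

Run against the sample, only `PublicRead` is reported; the endpoint-scoped wildcard grant is not, which is the distinction a bucket-by-bucket review needs to make.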

Another common security threat comes from the use of insecure application programming interfaces (APIs). Customers use APIs to manage and export data from cloud services. However, because APIs are often built and provided by third-party vendors, they can be a target for attackers seeking unauthorized access to a network.

Insider Threats

An additional cause of breaches is an insider threat, both intentional and unintentional.

Often, this is simply a matter of unskilled or negligent employees holding cloud accounts without appropriate security controls, which can make accidental configuration errors very damaging. At the other end of the insider threat spectrum is the extremely savvy insider who is intent on outsmarting the rest of the enterprise. Even cloud-savvy companies like Capital One have recently suffered due to a hacker posing as an insider and intentionally misusing access to the enterprise cloud.

Another important category of common breaches is network misconfiguration in the cloud. The cloud largely democratizes the data center, enabling build-out and scaling with the click of a mouse, but that ease comes with its own disadvantages.

It is not safe to assume that everyone handling cloud data has an equal understanding of the network infrastructure. Other common network issues range from exposed servers without secure shell (SSH) keys and open ports that invite distributed denial of service (DDoS) attacks, to misplaced rules in network security groups and misconfigured network access control lists (NACLs).
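An added example, not part of the original article, of a review for the security-group misconfigurations just listed: it walks ingress rules in the shape of the IpPermissions lists that EC2 DescribeSecurityGroups returns and flags rules the whole Internet can reach on every port or on an administration or database port. The group ids and CIDRs are constructed sample data.

```python
import ipaddress

# Ports where an Internet-wide ingress rule is a finding, not a design choice.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}

# Constructed sample shaped like EC2 DescribeSecurityGroups IpPermissions; placeholder ids.
SAMPLE_GROUPS = {
    "sg-web": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
    ],
    "sg-db": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
    "sg-legacy": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

def _is_internet_wide(cidr):
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0  # 0.0.0.0/0 or ::/0

def _rule_port_range(rule):
    if rule.get("IpProtocol") == "-1":  # -1 means every protocol and every port
        return 0, 65535
    return rule["FromPort"], rule["ToPort"]

def find_exposed_rules(groups, sensitive_ports=SENSITIVE_PORTS):
    """Return (group id, cidr, reason) for ingress rules the whole Internet can
    reach on every port or on a sensitive port; 443 to the world is left alone."""
    findings = []
    for group_id, rules in groups.items():
        for rule in rules:
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            open_cidrs = [c for c in cidrs if _is_internet_wide(c)]
            if not open_cidrs:
                continue
            low, high = _rule_port_range(rule)
            if (low, high) == (0, 65535):
                reason = "all ports and protocols"
            else:
                hits = [n for p, n in sensitive_ports.items() if low <= p <= high]
                if not hits:
                    continue  # e.g. a public web listener is an intended exposure
                reason = "sensitive port: " + ", ".join(sorted(hits))
            findings.extend((group_id, cidr, reason) for cidr in open_cidrs)
    return findings
```

On the sample, the public HTTPS listener and the SSH rule limited to the private 10.0.0.0/8 range pass, while the world-reachable MySQL port and the IPv6 allow-everything rule are reported.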

Recommendations

Each cloud adoption model has its own positives and negatives. Even the shared security model can look complex to initiate and maintain in increasingly complex combinations of multicloud, hybrid cloud and open cloud environments.

These issues also present the addressable marketplace with incredible opportunities for new technologies and players.

In the meantime, to avoid costly changes in their risk posture, enterprises may employ a combination of the following four solutions:

1. Zero-Trust Security Approach

The “trust nobody” baseline applies naturally to cloud computing, as the cloud typically expands the network perimeter to customers’ doors.

Typically, enterprises end up accessing multiple clouds that lie outside the purview of traditional perimeter-based security. This is where concepts like zero trust come into play, with techniques including microsegmentation, single access gateways like those of the federal Trusted Internet Connections (TIC) program, identity-aware proxies, and mandated verification of every access request without making identity or location assumptions.

This technology has the potential to reduce attack vectors for the cloud and bring significant transparency to activities in the cloud.

2. Cloud Access Security Brokers (CASBs)

The emergence of CASBs has been a positive sign for overall cloud security; however, adoption of CASBs has not been very fast. According to the latest Gartner Hype Cycle, CASBs are just entering the “trough of disillusionment.”

In addition, many promising emerging CASBs have been acquired by larger security players and integrated into their product portfolios.

We do not yet know how the CASB market will evolve, but overall, the growth of CASBs has been slower than expected. In the meantime, a select number of cloud service providers, including Microsoft, have started making their own plays in the CASB market.

3. Workforce Training

Most enterprises choose a primary cloud vendor. However, many then neglect to include workforce retraining as an integral part of the cloud migration plan. When retraining, ensure your employees understand how to integrate and work with multiple cloud vendors rather than focusing on a single vendor.

4. Choosing The Right Partners

Finally, it’s imperative that companies choose the right partners. Experience matters, particularly in cloud computing, where the ecosystem is evolving rapidly.

Federal agencies seeking to outsource their cloud work should work with experienced cloud services providers and integrators that have broad-based cloud and security experience.

We are entering a brave new world in which enterprises dealing with multiple clouds and their security issues are expected to dominate the conversation. To improve cloud security posture in the long run, CSPs should start clarifying and educating their customers about the risks in potential shared security models in the context of multiple vendors.
