Six Steps to Better Cloud Security

The recently published 2019 Cost of a Data Breach Report by IBM Security and Ponemon Institute revealed some eye-opening findings on IT security: 

• The average total cost of a data breach in the US is $8.2 million (worldwide, the average is $3.92 million)
• The average cost per lost or stolen record in the US is $242
• The average global probability of a material breach in the next 24 months is 27.9%
• Organizations that lost less than 1% of their customers due to a data breach saw an average total cost of $2.8 million. Exceed 4%, and that number jumps to $5.7 million.
• The mean time to identify a breach incident was 206 days. Plus, another 73 days to contain it. 

These findings point to a worrying trend: data breaches are getting more costly and severe by the year. Last year, the Marriott hotel chain disclosed the mega breach of 500 million accounts, which so far has cost the company as much as $72 million. First American Financial’s data leak in May exposed 885 million sensitive documents online and could represent over $12 billion in losses to businesses. Capital One’s legal headaches are just beginning with its recent mega-breach of over 106 million credit card customers across North America.

Unsurprisingly, data breaches remain the number one security threat on the Cloud Security Alliance’s Top Threats list.

So, how can you bolster cloud security and mitigate risks? 

Six steps to better cloud security

The following list is by no means exhaustive, but it does cover some of the most common and preventable mistakes that are often overlooked:

1. Evaluate security control requirements

Determine what security controls your IaaS/PaaS program needs and what controls are available to you. What does access look like? Who has permission to access from an admin role perspective? Know where your data is and where it moves. 

2. Understand security roles and responsibilities

It is imperative for your organization to understand the security posture that is provided by the cloud vendor “out of the box.” Unless you negotiate for additional control coverage, any gap will need to be covered by your security team. This needs to be performed prior to the commitment of any data to the cloud instance.

3. Check your firewall settings for every instance

Ensure you have the right types of firewall in place and that their settings are right. What ports do you have open or closed? Who has access to change the firewall settings? Make sure you start from zero trust and open up only what is needed for the work to get done.

4. Eliminate insecure or misconfigured APIs

Application programming interfaces (API) provide us with quality integration points into our cloud environments. First and foremost, if the API is not needed, disable it. Further, work with your cloud provider to understand what APIs are available for your environment and how they are configured. Ask your cloud provider for a review of the set of APIs that are included with your cloud deployment, providing the latest in security and vulnerability testing that has been performed on each.

5. Bolster cloud identity and access management (IDAM)

Single factor authentication is too low of a barrier for threat actors. It is time to move to two-factor authentication (2FA) for all your cloud identity and access. At a minimum, your administrative personnel with elevated access to your cloud environment should always employ 2FA. Extend this to your user base, dependent on the workloads and sensitivity of the data in your cloud environment.

6. Monitor data movement East and West, as well as North and South

It is common for data movement monitoring to take place on ingress and egress of an environment (North and South). Key to a cloud environment, due to its inherent shared hardware and software profile, is monitoring data movement across the environment. This has added importance to the tenet of understanding critical data flows, allowing for identifying anomalous behavior.

The right approach to cloud security

If there is one rule to cloud security, it is this: never trust anyone to run security for you. You may not have direct control of your data, but that does not relieve you of your responsibility and accountability when it comes to its security. This is especially true with SaaS vendors where the perception is that little can be done to improve security.

Your challenge, then, is to ensure the right security controls are in place. Become an auditor to your vendors and know everything about your data—what it is, where it sits, how it moves. Get access to all relevant logs and reports for every application. Take the lead on security by demanding contractual and configuration requirements at the negotiation stage with vendors.

Approaching providers with an auditor’s mindset is the first step to better cloud security. It is your responsibility to verify, audit, and maintain control of a cloud instance at all times.