Today’s columnist, Tim Erlin of Tripwire, says that while Amazon may change some default security configurations now that Adam Selipsky has taken the top job at AWS, companies looking to boost cloud security need to align to industry standards, leverage automation to limit cloud misconfigurations, and not rely solely on cloud service providers for security.

The pandemic has accelerated major corporate changes, like a shift to remote work and the adoption of digital workspaces, each introducing its own set of security challenges. For the most part, businesses have overcome these growing pains over the last year or so, but there are still larger organizational changes happening behind the scenes with even larger security implications.

For the first time, cloud spending has surpassed on-premises investment – a response to the growing business need to manage more data and have greater accessibility. Migration to the cloud has also accelerated in most cases, and instead of taking several months to plan, organizations are moving all their digital assets seemingly overnight, which can create a variety of cybersecurity issues.

It’s easier to understand the risks that come with storing our personal information on the cloud – the simplest example being an iPhone backup, which many of us do involuntarily – but understanding risk for an organization is much more complex, especially considering that most require multi-cloud infrastructure. Here are three ways to ensure the company has set up its enterprise cloud environment for long-term success:

Align to cloud hardening standards: Organizations can choose from a wide variety of standards to harden their cloud environments against an attack, but the Center for Internet Security (CIS) Benchmarks are the best place to start. CIS Benchmarks are a mature set of standards that provide guidelines for multiple cloud providers, as well as operating systems and applications. While protecting cloud workloads may seem obvious, cloud accounts need protection too, and CIS can also help here. CIS offers benchmarks with prescriptive guidance for configuring the security options of organizations’ AWS, Azure, and Google accounts. CIS designed this set of best practices to protect organizations from risk the moment they set up their cloud accounts, ranging from how to inventory and control hardware and software assets, to managing administrative privileges and maintaining audit logs.

Manage misconfigurations: Whether the company operates in a single or multi-cloud environment, addressing misconfigurations quickly can limit an attacker's access to sensitive information. Use automation to manage these kinds of misconfigurations; the tools are accessible to businesses of any size. Relying on automation helps with continuous monitoring of systems and detection of deviations from a specific standard. It also helps prioritize issues by severity. Prioritization lets the security team react more quickly to potential security issues before a breach occurs. Automation also takes some of the weight off individual administrators or security teams, allowing them to dedicate time to other pressing needs.

Don’t rely solely on the cloud service provider: Cloud service providers (CSPs) offer a variety of default security configurations, but it’s mainly their job to deliver a platform and the tools to manage that platform, not to secure the environment. Start by ensuring that the security team has been trained and properly resourced to support the intricacies of different cloud platforms. Second, introduce a third-party security platform that delivers a consolidated view of configurations across the entire cloud environment. This can help mitigate misconfiguration issues and offer real-time visibility into all of the company’s digital assets.
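
The deviation detection and severity prioritization described under "Manage misconfigurations", run over accounts from several providers in one consolidated pass, shown as an added Python example that is not from the column or from Tripwire. The rule IDs, setting names, severities and account snapshots are constructed for illustration; they are not CIS Benchmark text or any provider's API output.

```python
from dataclasses import dataclass
from typing import Any, Callable

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass(frozen=True)
class Rule:
    rule_id: str                        # hypothetical ID, not a CIS control number
    severity: str
    setting: str                        # key expected in an account snapshot
    is_compliant: Callable[[Any], bool]

# Hypothetical hardening baseline covering admin privileges, audit logs, exposure.
BASELINE = [
    Rule("admin-mfa", "critical", "admin_mfa_enabled", lambda v: v is True),
    Rule("public-storage", "critical", "public_storage_buckets", lambda v: v == 0),
    Rule("audit-log", "high", "audit_logging_enabled", lambda v: v is True),
    Rule("key-rotation", "medium", "max_access_key_age_days",
         lambda v: isinstance(v, int) and v <= 90),
]

# Constructed snapshots, normalized to one schema across providers.
SNAPSHOTS = [
    {"provider": "aws", "account": "prod-1", "admin_mfa_enabled": True,
     "audit_logging_enabled": False, "public_storage_buckets": 2,
     "max_access_key_age_days": 45},
    {"provider": "azure", "account": "corp", "admin_mfa_enabled": False,
     "audit_logging_enabled": True, "public_storage_buckets": 0,
     "max_access_key_age_days": 200},
    # This snapshot has no key-age value: unknown state is reported, not assumed safe.
    {"provider": "gcp", "account": "analytics", "admin_mfa_enabled": True,
     "audit_logging_enabled": True, "public_storage_buckets": 0},
]

def find_deviations(snapshots, baseline=BASELINE):
    """Return every baseline deviation, most severe first."""
    findings = []
    for snap in snapshots:
        for rule in baseline:
            observed = snap.get(rule.setting)   # missing setting -> None -> deviation
            if not rule.is_compliant(observed):
                findings.append({"provider": snap["provider"], "account": snap["account"],
                                 "rule": rule.rule_id, "severity": rule.severity,
                                 "observed": observed})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["provider"],
                                 f["account"], f["rule"]))
    return findings

if __name__ == "__main__":
    for f in find_deviations(SNAPSHOTS):
        print(f"{f['severity']:<8} {f['provider']}/{f['account']:<10} "
              f"{f['rule']:<15} observed={f['observed']!r}")
```

Running the same function on a schedule and comparing the results between runs gives the continuous-monitoring view; a setting missing from a snapshot is flagged so that gaps in collection are not mistaken for compliance.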

The ways in which we secure cloud environments will continue to evolve as organizations move more of their business to the cloud. We may also see changes to default security configurations as the AWS platform comes under new leadership and sets a precedent for other CSPs. Regardless, aligning to industry standards, limiting misconfiguration through automation, and taking the onus off of the CSP to secure the organization’s environment are important steps to ensuring a solid foundation in the cloud.

Tim Erlin, vice president, product management and strategy, Tripwire