Ransomware, security threats, and fraud are an ever-present part of the technology landscape. The FBI has reported that hundreds of American hospitals are now targeted in elaborate, multimillion-dollar ransomware schemes. Security firm Cybersecurity Ventures predicts that global ransomware damage costs will hit the $20 billion mark in 2021, as businesses fall victim to a ransomware attack every 11 seconds. While it’s important to focus on ransomware, there are other pieces of the security threat puzzle: viruses, DDoS, and cryptojacking, to name a few.
Cloud security means protecting all cloud computing environments, applications, and data from unauthorized access, hackers, malware, and other risks. Backup and recovery should also be important components of an organization’s data protection planning. However, as organizations define and refine their cloud strategies, so do threat actors. Since more workloads are on the cloud, threat actors work to manipulate cloud platforms for use as malicious infrastructure to enable data theft and fraud. As data moves to the cloud, risks associated with data loss and ransomware attacks increase. These risks, along with some institutional resistance, cause many enterprises to push the pause button on their cloud strategy plans. However, enterprises can advance their cloud strategies while being mindful of protecting and securing their data.
Before we discuss specific steps for mapping security with cloud innovation, let’s review the three primary types of cloud environments. Public cloud services are hosted by third-party cloud service providers, such as Amazon Web Services, Microsoft Azure, and Google Cloud. They are accessible via web browsers and APIs, so it’s important to focus on access control. Private clouds are tied to a single organization.
Meanwhile, hybrid clouds combine characteristics of public and private clouds. Organizations have some control over their own data, but can still tap into the scalability of the public cloud as needed. When adopting or updating their company’s cloud strategy, IT leaders must also contend with additional security-related factors. These include the potential for shadow IT, limited control of infrastructure when leasing a public cloud, and IT tool incompatibilities, such as on-premises software vs. cloud-hosted offerings. IT leaders are tasked with developing a holistic cloud security program that outlines internal/external accountability as well as potential gaps in protection/compliance – and this plan must connect to the company’s overall business strategy. Also, IT leaders must remember that attackers (including insider threats) can exploit cloud vulnerabilities.
Here are the questions IT leaders should ask as they plan their cloud strategy:
- What does the team know about the cloud provider under consideration? Master the provider’s security offerings and their best practices in terms of access control, architecture, and design. Significant strides have been made in cloud GRC practices over the past few years. Align the team with these security practices. For example, does the responsibility for all data protection fall to the user?
- What’s the status of the company’s external security perimeter? How does the company currently protect its production workloads and production data center from outside attacks? Once the team secures the perimeter, it can plan to compartmentalize data for the cloud. Does the company have a set of internal firewalls protecting its databases? In the cloud, the team might have a database-as-a-service that would require a different means of protection. This information will help build this security “compartmentalization architecture.”
- How will the company authenticate and authorize access? If the company uses a third-party cloud service provider, how will it remotely access the multiple levels of privileges and authorization? How will the team connect the right level of access to the right level of authentication to allow remote access? The company must ensure its admins have the right access while, say, company accountants have access to the proper financial system of record – and nothing else.
- Once data goes to the cloud, how will the company back it up? How will the company adapt its business continuity and disaster recovery plan? As it stands, the company may have a plan that when the data center in Phoenix goes down, it recovers to the data center in Reno. How does this get translated to a cloud environment? This may involve multiple providers and geographic regions. The team must assess which workloads need backup and where.
Finally, consider a path to implementation for an “all cloud” cloud strategy. Massive data growth and hybrid cloud architectures translate to challenges when it comes to designing, managing, and maintaining backup systems. Smart companies embrace the public cloud’s ability to scale, its flexible economics, and its inherent elasticity for data protection – in other words, a cloud-native enterprise backup strategy. If a hacker tries to encrypt, delete, or disconnect a company’s servers, a cloud-based backup solution can mean the difference between a quick restore and expensive data loss.
These questions offer a starting point to help the company evaluate its existing IT and cloud-ready capabilities, as well as the organization’s operational readiness. From here, the team can develop a cloud-based, multi-layered security approach, a plan that’s essential in the remote, distributed workplace.
Glenn Mulvaney, vice president, cloud security, Clumio