(This is an excerpt from the upcoming SC Media eBook “5 challenges to securing public cloud infrastructure.”)

Public cloud infrastructure is vulnerable to data breaches and risk management is a necessity for expanding cloud services. Gartner’s latest forecast projects that worldwide end-user spending on public cloud will eclipse $490 billion in 2022, a 20.4% increase over the previous year’s totals. And according to a recent CyberRisk Alliance Business Intelligence survey, 55% of IT decision makers and influencers say their organizations now run up to 50 assets and workloads in the public cloud. 

However, keeping up with public cloud asset expansion can be a challenge for many companies more accustomed with defending traditional on-prem assets. Thirty-seven percent of respondents surveyed by CyberRisk Alliance said their organization experienced a cloud-based attack or breach in the last two years alone — amounting to an average of four attacks per victim since 2020. Nearly 3 in 4 IT professionals were also “very” or “extremely” concerned in their organization’s ability to secure an ever-expanding portfolio of cloud services and applications.

While there are many types of challenges that can crop up in an organization’s public cloud journey, several have proven particularly thorny. The ability to understand and prioritize risks that are unique to the public cloud is a systemic difficulty for companies steeped in a traditional security mindset. Insecure APIs and misconfigured settings are landmines waiting to detonate. Limited visibility is another challenge, undermining collaborative problem-solving between security teams, IT and developers. On top of this, companies are expected to secure an ever-widening attack surface, even as resources and cloud security expertise seem increasingly out of reach.

This ebook, sponsored by Qualys, elaborates on the challenges and identifies where common ground might exist for key cloud stakeholders — from security to IT to development — to solve them.

Covered in this eBook:

  • Most common cloud vulnerabilities: Vulnerable APIs and misconfigurations can unravel an organization’s cloud aspirations. “Rogue” APIs are estimated to afflict every 3 out of 4 businesses, comprising up to 50% of their entire API environment. Meanwhile, common misconfigurations have opened companies up to devastating data breaches – such as Log4j, Spring4Shell and the PAN-OS firewall CVE. Read more about how these threats take shape. 
  • Challenges to resourcing and visibility: 1 in 3 IT and security professionals believe their organization is insufficiently staffed to manage cloud environments. Another 79% of respondents reported staff-related issues to managing cloud deployments for the remote workforce. Meanwhile, organizations struggle to maintain visibility over cloud assets as they contend with microservices, segmented storage and different teams assuming different ownership of cloud properties.
  • Security recommendations: There are a handful of tactics and tools that organizations can call on to help secure their public cloud today. For example, we look at the rise of automated tools such as infrastructure-as-code, which reduces risk of misconfiguration. Cloud inventory platforms also have a role to play in centralizing cloud assets in one location for shared access and visibility. Finally, getting developers, IT operations, and security analysts on the same page can radically impact how an organization anticipates and responds to attacks on the cloud.  

Quotes:

These are the different levels of risk an organization is trying to identify, and they’re trying to do all of it in real time and on a continual basis. To resolve these risks, you have to work across multiple teams. The security analysts and IT teams have to coordinate in an effective way, and yet it often happens that each one has their own definition of what the riskiest assets are.

Scott Clinton, Vice President of Marketing at Qualys

Executive management needs to know what to care about, but on the other hand, we cannot constantly tell them that the sky is falling. Information security risk is just one of many risks facing the business, but for those of us in infosec this is what we eat, sleep and breathe—so we must keep our perspective when escalating issues.

Kenneth G. Hartman, Certified Instructor at SANS Institute