Why Your Cloud First Strategy Needs to be Cloud Security First

These numbers paint a staggering picture: more businesses than ever are moving to the cloud, at a pace faster than ever seen before, and most security professionals don’t feel confident that their existing tools are adequate to manage and protect sensitive cloud data. The cloud landscape grows in complexity each day due to exponential growth in “as-a-service” offerings, the majority of businesses using multi-cloud solutions, and decisions about cloud tools being made outside of IT’s purview. With increased complexity comes increased security vulnerabilities, and in 2020 and beyond, any organization with a “cloud first” strategy must make it “cloud security first” in order to hedge unnecessary risks and protect critical business data.

Coined by White House CIO Vivek Kundra in 2011, “cloud-first” refers to the strategy of creating applications and programs directly in the cloud, instead of building them on-premises and migrating some or all of them at a later date. The idea behind it is that you can develop faster with lower overhead costs if everything is hosted in the cloud right from the get-go.

The most obvious challenge to a cloud-first strategy is the fact that most organizations still rely heavily on legacy security protocols that were built and established in the pre-cloud or even pre-web days, and these legacy systems are difficult or even impossible to implement effectively in the cloud.

Furthermore, as more corporate data is moved to the cloud, CIOs are realizing that the built-in security capabilities of most out-of-the-box “as-a-service” products fall short of offering complete protection. Cloud vendors have a vested interest in keeping their platform secure, but most of their security protocols apply to large-scale security risks (such as DDOS attacks or SQL injection vulnerabilities), and have inadequate protections related to user behavior, compromised credentials, access to sensitive data, and compliance.

1. Visibility Gap: with the rise in as-a-service products, security teams aren’t always able to see how cloud services are provisioned and whether or not they are configured according to security best practices.

2. Insecure Containers: the portability of containers can lead to significant security gaps. Furthermore, it’s nearly impossible to monitor the processes run by all containers in a system at all times, and if one starts running malicious processes it can be very difficult to track down before the damage is done.

3. Privilege Management Gaps: because organizations use so many different and independently deployed cloud services, admins aren’t able to monitor privileges across all environments to prevent and detect malicious activity. More automation in deployments can also exacerbate the impact of compromised accounts.

4. Human Data Loss: according to ESG, 50% of organizations who store data on the cloud have experienced data loss, and many of those losses or breaches were human caused through credential misuse, insecure personal devices, or policy violations.

5. Third-Party Workflow Dangers: the increased use of productivity and collaboration tools that enable workflows between employees and third-party apps present a whole new host of security concerns. Many third-party companies have access to sensitive company data and relying on them to keep it secure is an unsafe gamble.

Foster Organizational Alignment: Securing cloud-native applications must be viewed as a shared responsibility across project teams and departments.

Secure the Application Lifecycle: Build security into the development and integration stages through practices such as code scanning and vulnerability remediation. Equally important is automatically applying runtime controls with integrations.

Deploy Web Protections: Use next-gen web application firewalls to monitor web request traffic and compare runtime analysis against known goodtime behavior to quickly identify anomalous activity.

Limit Privileges: Institute a policy of “least privilege” for most users and only provide more access as needed when needed. This will cut down dramatically on human caused perimeter data leaks.

Related posts:

Hana Kimura was a victim of cyberbullying. Unfortunately, cyberbullying is too common and it's a hard problem to fix. Who knows, you could be involved in cyberbullying without you knowing.