Cloud security threats are becoming increasingly complex, with new challenges emerging daily. The transition to a fully digital environment has brought with it added cybersecurity risks, which is why understanding the importance of cloud security is vital in keeping your organization safe.
From a security standpoint, it may help to consider that ‘cloud’ simply means that you do not own the computer that your business is using. However, the responsibility for the secure use of that processing power doesn’t disappear.
In this blog, we clear up some misconceptions about security in the cloud and how you can better manage your cloud security.
Cloud security is a shared responsibility
Migrating to the cloud will shift certain responsibilities onto your cloud service provider, but that doesn’t mean they’ll be responsible for everything. Security is a shared responsibility and certain elements will always remain with the customer, particularly when it comes to identity and access management (IAM).
As more of us live and work online, the number of digital identities we can claim has multiplied, along with the logins and passwords attached to them. Identity-based threats make up the bulk of cyber risk today, with more than eight out of 10 cybersecurity attacks now enabled by stolen or compromised credentials.
Gartner estimates that through 2025, 99% of security failures will be the customer’s fault, which is a sharp reminder of why you must clearly define responsibilities relating to identity and access in the cloud. We often see challenges around this ownership and other areas such as:
- Tech complexity and multi-cloud – a recent Gartner survey found that 78% of CISOs have 16 or more tools in their cybersecurity vendor portfolio; 12% have 46 or more. This complexity brings challenges in terms of co-ordination and management for both employees and security professionals
- Balancing security and employee productivity – digital transformation and the adoption of cloud technologies have enabled businesses to increase flexibility and productivity, but they have also made it more difficult for IT teams to keep track of who is accessing what data from where, and on which device. From a security perspective, this requires a total reboot of policies and tools to better mitigate risks
- Time-consuming audits – it takes an enormous amount of skill to know exactly what to look for (and where) among applications and services that generate gigabytes of telemetry. Even worse, should you find yourself in the unfortunate position of having to investigate a breach, how do you access forensic data quickly to prevent further damage?
That’s why we recommend developing a clear IAM strategy that answers key questions such as who’s going to own approval of the onboarding and offboarding of new users, and who’s going to own the approval of the maintenance of the roles within the system.
Other areas you should consider include:
- Taking a zero-trust approach to building defenses at every layer of your architecture while keeping an eye on the balance between usability and security. That’s where true benefits can be uncovered
- Building a strong team or finding a managed services provider who understands your operational risks and will work with you to mitigate them. They’ll also be able to demonstrate expert knowledge in the security, data and logging models of your application
- Running a cloud security risk assessment to uncover the most significant threats and vulnerabilities facing your cloud ecosystem. Having multiple cloud accounts or subscriptions can lead to the less “important” workloads lacking critical security controls, leaving you with major blind spots. Take access control, for example: how many new job roles have been created since your ERP launch day? Maybe it’s time to step back and assess your current environment
Understanding the scope of access control
We speak to a range of organizations that are in different stages of maturity when it comes to identity and access management. One common theme we see is that many are unaware that identity and access goes beyond the onboarding and offboarding of users and into more technical areas such as encryption of data and segregation of networks, for example.
Many people see the padlock on a page and assume it’s secure. However, your organization must strive for a deeper understanding to ensure well-managed user access. For example, do you know how data management in your solution works when sitting on cloud services? And does it align with your policies and expectations? The second question is particularly relevant to more mature organizations.
You need to manage your employee onboarding and offboarding processes and general application access maintenance to ensure just-in-time and just-enough access.
Other areas you should look into include:
- Design and execution of user access audits and security reporting
- Granting/removing access for new starters or changes of role based on your approval process
- Transactional audit and logging to help spot unusual activity
Automation in identity and access management
Security gets a bad rap for being an unavoidable burden, but it represents an opportunity to improve your business. For example, performing regular user access reviews can help you identify issues before they happen and function as a continuous improvement cycle. Another improvement opportunity we often see is automation of user access management processes.
By introducing automation, you can improve efficiency by reducing the risk of human error and creating repeatability and maturity of the approach. According to Gartner, organizations that automate their access management can benefit from:
- 60% reduction in manual access provisioning time
- 40% decrease in help desk calls related to access requests
But remember, your automation process isn’t purely an IT matter – ownership of assets sits with business owners who must be ready to play their part in managing access, for risks to be reduced effectively.
Here are some other tips to get the best out of your automated approval process:
- Define your single source of identity – identifying this ‘hub’ is one of the first steps to introducing an automated workflow
- Ensure ongoing support from business owners – once your automation solution has gone live, you’ll still need the support and ownership of the business to continue; otherwise the process will stall
- Limit approvers – keep the number of approvers to a minimum, but you also need contingencies in case of emergencies or if people are out of the business
- Cater for exceptions – when something doesn’t look right, build in exceptions to cater for rejection and re-submission of requests
- Meeting segregation of duty challenges – automating the review of access entitlements to enterprise applications and data reduces administrative burden. Proactively engaging with your business application and data owners via automated access reviews ensures that permission creep is managed, and access hygiene stays in place. However, human intervention in reviewing and resolving possible conflicts should be built in and will likely remain a manual step
- Controlling privileged access – misconfiguration of services, whether unintentional or intentional, is a leading cause of downtime when operating in the cloud, with 74% of data breaches beginning with the misuse of privileged credentials. Approved and time-based privileged access will help protect your key assets from malicious actors or well-meaning actors who may inadvertently impact a service
- Create a unified source of identity and access history – you need to combine event logs from applications with firewall, authentication and authorization logs. This task requires understanding which assets pose the highest risks in your business data
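As an added illustration of the tips above (not Columbus's code or any product's API), the sketch below runs an automated access review: accounts are reconciled against the single source of identity, segregation-of-duty conflicts are routed to a human reviewer rather than auto-resolved, and time-based privileged grants past their expiry are flagged for removal. All names, roles and data are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed sample data. Assumption: the "single source of identity"
# is an HR export of currently active staff.
HR_ACTIVE = {"alice", "bob", "carol"}

# Constructed application entitlements: user -> roles held.
ENTITLEMENTS = {
    "alice": {"create_vendor", "approve_payment"},  # holds a conflicting pair
    "bob": {"create_vendor"},
    "dave": {"approve_payment"},  # no longer in the identity source
}

# Hypothetical segregation-of-duty rules: role sets one person must not hold together.
SOD_RULES = [frozenset({"create_vendor", "approve_payment"})]

# Constructed time-based privileged grants: (user, role, expiry).
PRIVILEGED_GRANTS = [
    ("bob", "tenant_admin", datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)),
    ("carol", "tenant_admin", datetime(2024, 1, 12, 12, 0, tzinfo=timezone.utc)),
]


def review_access(hr_active, entitlements, sod_rules, grants, now):
    """Return (finding, user, action) tuples for one review cycle."""
    findings = []
    for user, roles in sorted(entitlements.items()):
        if user not in hr_active:
            # Account exists in the application but not in the identity hub.
            findings.append(("orphaned_account", user, "revoke"))
            continue
        for rule in sod_rules:
            if rule <= roles:
                # Conflicts are queued for a person to resolve, not auto-fixed.
                findings.append(("sod_conflict", user, "human_review"))
    for user, role, expires_at in grants:
        if expires_at <= now:
            # Time-based privileged access that has outlived its approval window.
            findings.append(("expired_privilege", user, "revoke"))
    return findings


if __name__ == "__main__":
    review_time = datetime(2024, 1, 11, 0, 0, tzinfo=timezone.utc)
    for finding in review_access(HR_ACTIVE, ENTITLEMENTS, SOD_RULES,
                                 PRIVILEGED_GRANTS, review_time):
        print(finding)
```

Running the same function on a schedule, with real exports substituted for the constructed data, gives the repeatable review cycle the section describes.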
Turn identity and access management into a business enabler
Regardless of where you are on your cloud security journey, you’ll still need to remain vigilant to keep changing risks and complexity issues under control. And with proper planning and management, you can succeed.
At Columbus, we can offer advice on access and identity management across your key business-critical platforms, regardless of where you are on your IAM journey, from fit-gap analyses, and building the IAM program and organization, to the development of strategies, roadmaps, business cases, target operating models and procurement/supplier selection.