A 2019 report released by ESG found that 90% of security professionals regard their existing tools as inadequate for securing critical cloud data. These days organizations are moving to the cloud faster than ever before, and cloud investments are forecasted to reach $331 billion USD by 2022 (Gartner). The global COVID-19 pandemic has only accelerated cloud adoption as workforces across industries migrate to work-from-home solutions, and according to a study done by Flexera, 59% of enterprises said that COVID-19 has “slightly” or “significantly” increased their planned cloud spend for 2020.
These numbers paint a staggering picture: more businesses than ever are moving to the cloud, at a pace faster than ever seen before, and most security professionals don’t feel confident that their existing tools are adequate to manage and protect sensitive cloud data. The cloud landscape grows in complexity each day due to exponential growth in “as-a-service” offerings, the majority of businesses using multi-cloud solutions, and decisions about cloud tools being made outside of IT’s purview. With increased complexity come increased security vulnerabilities, and in 2020 and beyond, any organization with a “cloud first” strategy must make it “cloud security first” in order to hedge against unnecessary risks and protect critical business data.
What is a Cloud-First Strategy?
Coined by White House CIO Vivek Kundra in 2011, “cloud-first” refers to the strategy of creating applications and programs directly in the cloud, instead of building them on-premises and migrating some or all of them at a later date. The idea behind it is that you can develop faster with lower overhead costs if everything is hosted in the cloud right from the get-go.
Cloud First Security Challenges
The most obvious challenge to a cloud-first strategy is the fact that most organizations still rely heavily on legacy security protocols that were built and established in the pre-cloud or even pre-web days, and these legacy systems are difficult or even impossible to implement effectively in the cloud.
Furthermore, as more corporate data is moved to the cloud, CIOs are realizing that the built-in security capabilities of most out-of-the-box “as-a-service” products fall short of offering complete protection. Cloud vendors have a vested interest in keeping their platform secure, but most of their security protocols apply to large-scale security risks (such as DDoS attacks or SQL injection vulnerabilities), and offer inadequate protection related to user behavior, compromised credentials, access to sensitive data, and compliance.
The reality is, the shared security responsibility between the customer and the cloud service provider (CSP) can be confusing, and if not well outlined it can lead to security gaps. When securing cloud-first applications, CIOs often face the following challenges:
1. Visibility Gap: with the rise in as-a-service products, security teams aren’t always able to see how cloud services are provisioned and whether or not they are configured according to security best practices.
2. Insecure Containers: the portability of containers can lead to significant security gaps. Furthermore, it’s nearly impossible to monitor the processes run by all containers in a system at all times, and if one starts running malicious processes it can be very difficult to track down before the damage is done.
3. Privilege Management Gaps: because organizations use so many different and independently deployed cloud services, admins aren’t able to monitor privileges across all environments to prevent and detect malicious activity. More automation in deployments can also exacerbate the impact of compromised accounts.
4. Human Data Loss: according to ESG, 50% of organizations that store data in the cloud have experienced data loss, and many of those losses or breaches were human-caused through credential misuse, insecure personal devices, or policy violations.
5. Third-Party Workflow Dangers: the increased use of productivity and collaboration tools that enable workflows between employees and third-party apps presents a whole new host of security concerns. Many third-party companies have access to sensitive company data, and relying on them to keep it secure is an unsafe gamble.
How to Build a Cloud Security-First Strategy
There are several steps your organization can take to ensure that your cloud-first strategy starts with cloud security. At the center of these solutions is a focus on DevSecOps, which is a method of merging development, security, and operations into one collaborative team to streamline efficiency and testing and shorten time-to-market. The following steps can help your organization secure critical data when embracing cloud first:
Foster Organizational Alignment: Securing cloud-native applications must be viewed as a shared responsibility across project teams and departments.
Secure the Application Lifecycle: Build security into the development and integration stages through practices such as code scanning and vulnerability remediation. Equally important is automatically applying runtime controls with integrations.
Deploy Web Protections: Use next-gen web application firewalls to monitor web request traffic and compare runtime analysis against known-good behavior to quickly identify anomalous activity.
Limit Privileges: Institute a policy of “least privilege” for most users and only provide more access as needed, when needed. This will cut down dramatically on human-caused perimeter data leaks.
Even considering the risks, cloud-first is the future of applications for several reasons. With improved scalability, lowered costs, better recovery abilities, and enhanced collaboration options, there’s no doubt that the benefits of cloud-first are compelling to organizations across industries. Ensuring a cloud security-first strategy will help your organization reap the rewards of the latest in cloud technology while resting assured that you’re safeguarded against threats.