Cloud-first strategies now the norm for most businesses, but in the rush to go cloud, mistakes were made. We look at the five biggest cloud mistakes, so you don’t repeat them.
The cloud is here to stay. The days are gone of senior managers seeing the cloud as a security-risky “someone else’s network” whose security and uptime can’t be relied upon. Even risk-averse markets such as banking are adopting cloud-first strategies. According to one source , cloud spend in the banking sector is destined to increase by around 16% in the next year or so, while a Palo Alto Networks blog author argues that almost three-quarters of organizations globally moved about a third of their workloads to the cloud in the year to March 2023.
This doesn’t mean that the cloud comes without risk, of course. Instead, it means that the world is now sufficiently comfortable with its understanding of cloud that it can take a mature, calm look at the risks associated with operating in the cloud, and can manage the risk rather than, as was the case in the early days, avoiding it altogether.
Bob West, chief security officer of the Prisma Cloud division at Palo Alto, is the author of the blog we just mentioned. In a November 2022 webinar , he discussed what he considers to be the top five cloud native risks, but begins by pointing out that the cloud isn’t entirely alien to those of us used to traditional on-premise technology. “And you know … protecting information in the cloud really isn't that different than protecting information in traditional infrastructure. Just from a philosophical perspective … you have to do things consistently; you have to use a consistent set of tools”.
Top Five Cloud Risks
Number one on the list of risks is application vulnerabilities. West places part of the problem squarely at the door of those teaching developers their trade: “When application developers are learning how to code in college, security historically has not been part of the curriculum. So, what's happened is, when people join the workforce, unless the organization is educating them on good security hygiene for coding, they're making a whole number of mistakes”.
The second risk identified by West is misconfiguration of cloud infrastructure. This should come as no surprise: although config errors in on-prem systems are common too, the internet-connectedness of cloud services makes the potential impact of technical finger trouble so much greater. Interestingly, West assigns an element of the problem in this respect to the very activity we all – hopefully – spend so much time doing in order to minimize vulnerability: patching. He points out that the patching process will sometimes change the configuration of a piece of software for the worse: “So when you think of Microsoft's Patch Tuesday, as an example, … there's latest patches to operating systems and applications. And sometimes what will happen is, while security issues might get fixed, the operating system or applications may go back to default settings, for example”. He also mentions that about 20% of scans on SaaS providers throw up vulnerabilities … which should prompt us to ask: are we scanning our SaaS providers?
Next on the agenda is the old favorite – and, again, something that isn’t unique to the cloud: malware. West notes that malware continues to evolve at “breakneck speed”, and also references a concept that we have written about before: the crypto-jacking of container-based environments to distribute malicious crypto-mining software, noting that of course “that’s just one aspect of cloud environments”.
Moving on, West comes to access over-provisioning – yet another example that has been happening on-premise for as long as many of us have been alive. The primary sin, in West’s eyes, is failing to deal properly with staff who change jobs over time – particularly to de-provision the access they no longer need in their new role, and hence give an attacker more power in the event a user’s account is compromised. “many times what happens is that all their permissions and access rights accumulate over time, which is not healthy”, says our master of understatement.
West’s fifth-of-five risk is the one that defies security by way of systems talking to other systems and solid defenses such as multi-factor authentication (MFA) being impossible: insecure application programmer interfaces (APIs). “One of the things that you need to understand is … who's using the APIs. Are they being updated on a periodic basis? As an organization, you need to make sure that you have a lot of structure around how you evaluate API security”.
Balancing Risk With Reward
As we said at the beginning, though, we are sufficiently mature in our attitude to cloud security that we are now comfortable with managing the risks it involves – and West talks in the webinar about various actions you can take in this risk management process. But there is one key point he makes that will ring true with many readers. “One of the things that people respond to very well is impacts to their raises, bonuses, and everything else that comes along with year-end reviews”, but West continues by saying that: “if in fact, you're doing a job as someone that's managing infrastructure, or architecture, or you're a developer, then then you should be getting used to getting a shiny prize along the way”.
As with most traditional risks in our businesses, then, the approach to managing your cloud risk is one of “carrot and stick”.