Public Cloud Security Questions Your Workplace Is Probably Ignoring
Public clouds like those provided by AWS, Microsoft and Google are immensely popular, and it's easy to understand why. They're easy to implement, low cost and require no maintenance, among other benefits.
But it's important to know that if your organization has put its assets onto one or several public cloud services, your old on-premises security solutions and policies will no longer work.
Why Security Could Be Your Biggest Problem
Cloud services may be cheap — some are even free — but they're only effective if they're secure. Cloud services providers do provide layers of security, but the threat landscape is widening, and Kaspersky notes that no cloud or enterprise is entirely secure today.
In its predictions report for 2023, the Russian cybersecurity and anti-virus provider says vulnerabilities in publicly used applications, compromised credentials and emailed malicious links and attachments will be joined by activities and tools relating to cloud and virtualization technology.
Yet, while many businesses have already moved their information infrastructures to the cloud, they often pay little attention to information security and how providers are keeping up with emerging threats, despite the fact that the damage created by breaches is getting worse as cybercriminals widen the scope of their attacks, Kaspersky wrote in its report.
“Cybercriminals will tap dark websites more often in 2023 to purchase access to previously compromised organizations. Our investigations have revealed a clear trend: the number of attacks utilizing pre-compromised accounts posted on dark websites is on the rise,” the report reads.
Cyberattacks are so widespread now that, according to the report, there's been a rise in the number of Malware-as-a-Service offerings available for those who are prepared to use them.
Related Article: How Microsoft 365 Affects Digital Workplace Security
Multi-Cloud Deployment Initiatives
The more cloud services an organization uses, the greater the enterprise's vulnerability, leaving multi-cloud deployments wide open in many cases, said Patrick Kopins, COO of IT consultancy Accscient.
The fact is, just about everything in the enterprise today is built multi-cloud environments, Kopins said. And the way securing those multiplying clouds has evolved is via automation.
Kopins said there are a number of things organizations can also do to protect the company and its employees and partners.
In the cloud realm, automation starts with assessing your company's cloud use-case. Many remote workforces, for example, are highly distributed teams that live and die by their laptops. Internet proxy (or VPN or alternative) technologies also allow for better traffic management, site blocking and protection for laptops or devices on the broader internet connecting to cloud services, Kopins said.
Additionally, Cloud Security Access Broker (CASB) technologies provide additional layers of protection for scenarios like an unauthorized transfer from work cloud services to a personal share.
All of this comes down to a single problem, Kopins said: The largest pitfall or mistake, as multi-clouds increase, is not doing a proper risk assessment. “Everyone says they do a risk assessment, but understanding the specific use cases and threats is most important," he said.
“Even when heavily leveraging cloud services are being used, companies also need to understand to what extent data may be downloaded to laptops as a point of exposure for a laptop theft for instance.”
He also says that companies need to ensure authentication and access control to cloud services are consistently applied, ideally with multi-factor authentication and single-sign-on (SSO).
Related Article: What You Need to Build a Cloud Strategy for the Digital Workplace
Managing Cloud Security and New Work Models
Subbu Ponnuswamy, founder and chief technology officer at Hybrid Access-as-a-service (HAaaS) pioneer Cloudbrink, said the security problem with multi-cloud usage has been aggravated by the rise of new work models.
In the age of hybrid working, Ponnuswamy said, businesses face two challenges: their networks inevitably span multiple environments they do not control, from the data center to one or more clouds, and employees are increasingly dispersed.
The result is that old ideas about a hard security perimeter no longer apply. Policy enforcement is complex, and CIOs and CISOs face big operational headaches securing remote workplaces.
“When looking for a solution, security has to be foremost, but unfortunately, speed and ease of access for the end user are all too often forgotten or, at best, an afterthought,” Ponnuswamy said. “The impact of organizations not taking the user experience into account will lead to lower productivity and frustrated employees who are more likely to leave, which is ultimately bad for the business."
He believes one of the solutions to this problem is the deployment of technologies like Zero Trust Network Access (ZTNA), which can go some way to addressing the security issue.
ZTNA, also known as the software-defined perimeter (SDP), is a set of technologies and functionalities that enable secure access to internal applications for remote users. It operates on an adaptive trust model, where trust is never implicit, and access is granted on a need-to-know, least-privileged basis defined by granular policies.
However, in these cases, Ponnuswamy said unless you overcome issues of access, connectivity and end-to-end performance, you end up with secure but fragmented networks — and an unhappy and unproductive remote workforce.
“Technologies like ZTNA go some way to addressing the security issue,” he said. “Unless networks are designed from the ground up to address both the security, performance and multi-cloud access needs of the hybrid workplace, the result will be a two-tier workforce with remote workers at least a decade behind their office-based colleagues."
Related Article: Can You Trust Zero Trust Networks in the Remote Workplace?
Rethinking Tech and Business Alignment
All of this needs to be taken into consideration in the context of the wider digital workplace, and there is a number of issues that enterprise leaders need to consider in this respect.
How to Future-Proof Your Employee Experience Strategy in 2023
A framework to navigate through economic uncertainty
The Essential Role of Communicators in Fostering Wellbeing in the Digital Workplace
Join us for practical insights on how digital communicators can support employees to thrive in the digital workplace
Addressing Employee Needs and Wants with a Digital Workplace
The workplace is getting more and more digital – both in how we work and where we work
Maintaining a Human-Centered Approach During Digital Transformation
When it comes to digital transformation - people drive change, not technology
The Evolution of Employee Recognition
Leveraging the power of appreciation to improve the employee experience
How to Build a More Innovative and Resilient Workplace Culture
What would happen if every member of your team came to work focused on finding solutions and creating better results?
Vikrant Karnik, who leads cloud and technology services at Genpact, said the first thing organizations need to do is rethink the business and tech alignment. The question of business relevance, he said, is not one that tech leaders used to ask. In the past, business and tech alignment happened in one of two ways:
- Vertically: This is where different business areas — like marketing, sales and finance — are supported by their own dedicated IT teams.
- Horizontally: This is where IT teams are organized by skill — like custom development, business analysis and coding — and loosely serve all areas of the business.
But that model is changing, and in 2023, many tech leaders are building an almost diagonal model, something that takes the best of both approaches.
“Here, the cloud delivers the horizontal technology foundation — accessible by any employee at any time — and business-specific practices are built on top,” Karnik said.
This restructuring forces business and technology leaders to collaborate to create better ways of working across the enterprise.
Karnik also argues that enterprises need to think beyond cloud migration to modernization. In the past, companies have been content to replicate legacy technology in a cloud environment. But this only got them so far.
Today, cloud-native technologies are crucial to modernization. Their scalability and flexibility help leaders innovate much faster. In addition, cloud-native technologies make it easier to collect data across the business, which leads us to the next trend.
All of this, Karnik said, feeds into considerations about security and public cloud-driven environments. Security cannot be an afterthought. It must be at the heart of every technological decision.
Some leaders are getting proactive on the issue and have chosen to use cloud technologies to build digital twins of processes and applications, and then intentionally stress test them with a cyberattack.
Related Article: Where Information Management Fits in Hybrid and Digital Workplaces
How to Protect Your Public Cloud Infrastructure
Sandeep Chellingi, director of cloud innovation services at Orion Innovation, a digital transformation and product development services firm, said there's a lot more organizations could be doing to protect their public cloud and multi-cloud infrastructure. He offers five considerations:
1. Guardrails: Establish multi-cloud security policies, including the development and documentation of a comprehensive set of companywide security policies that govern the use of cloud services across the enterprise.
2. CASB: Consider implementing a cloud access security broker (CASB) or appropriate authentication and access controls. These are security policy enforcement points positioned between enterprise users and cloud service providers. Chellingi said organizations need to configure authentication methods, such as multi-factor authentication, that ensure only authorized personnel can access data stored in multi-cloud environments.
3. Data Lifecycle: Ensure your data is classified and that data in transit (and at rest) is encrypted. Also adopt secure protocols and encryption technologies to protect any personal or sensitive data moving between cloud services and on-premises systems.
4. Monitoring Multi-Cloud Environment: Security requires multi-cloud monitoring, and a monitoring plan should track cloud service access, cloud configuration changes and system performance. This data can detect anomalies or security vulnerabilities before they become major issues.
5. Automating Software Updates and Patching: Use native approach like Azure’s System Update Management, AWS’s Systems Manager or GCP’s Cloud Deployment Manager to keep your cloud services up to date with the latest patches and security fixes. This is essential to protect against known vulnerabilities and newly discovered threats. This native tool can also integrate security command center.
The bottom line is that organizations need to expect an attack and prepare for it.
“Have a plan for how you will respond to a security breach," said Brad Cole, enterprise software development director at Digi International. "No matter how good your security is, attackers will always find a way. Make sure you are not caught off guard."
Cole advises organizations to automate everything and ensure that commands they’ve executed in their staging environment will be executed identically in production. And look for industry-standard tools that are up-to-date on the latest security threats to aid in monitoring the environment and alert on potential vulnerabilities.
About the Author
David is a full-time journalist based in Ireland. A partisan of ‘green’ living and conservation, he is particularly interested in information management and how enterprise content management, analytics, big data and cloud computing impact on it.