The top 6 cloud security challenges in 2021
Rachid Groeneveld, Security consultant
Cloud security challenges are in a whole class of their own. And they vary greatly depending on what type of cloud you're using. A public cloud, private cloud and hybrid cloud all have specific challenges. To keep it as simple as possible, we'll zoom out and stick to all cloud-related security challenges that organisations are likely to face.
Cloud security challenge #1: Managing complex environments
Today's modern enterprise IT infrastructure is usually a mix of multi-cloud or hybrid environments scattered around a few countries, especially in a global setting. Managing everything across the entire environment is not easy, especially when it comes to security.
It requires tools that can handle all these different environments safely, even spanning multiple continents in some cases. Many things can go wrong in such a setting, so it's crucial that you use tools from a provider that allows you to do all this safely.
Just a single misconfigured setting somewhere can let a malicious actor breach your defences. And they only have to breach them once. Your defence needs to be up 24/7, as every single error has the potential to be exploited. No pressure!
Cloud security challenge #2: Compliance with rules and regulations
In the US, there's HIPAA, the Health Insurance Portability and Accountability Act. In California, there's the CCPA, the California Consumer Privacy Act. In the EU, there's the GDPR, the General Data Protection Regulation.
Depending on your business, where you do business and the data you process, these are laws you have to comply with. Laws like these often make it mandatory to disclose data breaches and hold you responsible for storing data safely.
For example, for the GDPR, the fines can run as high as €20 million or up to 4% of your annual worldwide revenue. The HIPAA fines are pretty hefty, too, with a maximum of 25,000 USD per violation category, per calendar year. All in all, not something you want to risk. The internet famously doesn't forget, so the damage to your brand will linger on for years.
It’s therefore good to pick tools that allow you to gain absolute control of your environment, whether it's a single public cloud, single private cloud, multi-cloud or hybrid cloud environment.
Cloud security challenge #3: You're a sitting duck
In the fast-moving world of software, where 0-day exploits are sold for small fortunes and publicly known bugs will be used to hunt for software that isn't updated within days of being released, you’re a sitting duck.
No matter what type of cloud environment you operate, malicious actors will want access to your sensitive data to sell, gain notoriety or maybe even extort others. Whatever it is, they know where to look, have all the time in the world to try different angles, and they only have to succeed once.
They can try to gain a foothold with malware via phishing, whether it's through your employees or your suppliers. They can take over the accounts of employees who may use the same easy password for all their accounts, including making data from the latest hack public. Right now, some malicious actors go as far as mounting wide-ranging supply-chain attacks.
We know it's difficult. That's why you need the best tools out there to secure your cloud environment.
Cloud security challenge #4: Lack of visibility
We touched upon the immense task of keeping your cloud environment secure earlier on. And it's not as simple as just creating a less complex environment.
The larger and older the enterprise or organisation, the more you have to work with or around legacy software or a particular way of doing a specific process that doesn't translate 1:1 with the new cloud tools you're currently using for that process.
The environment can quickly become so overwhelmingly complex that you lose sight of both the big picture and the detailed insights.
That's where it all goes downhill because this lack of oversight and insight means you can't keep everything up-to-date and don't know what is and isn’t misconfigured.
To regain control, you need to have detailed insight into every asset within your cloud environment.
Cloud security challenge #5: Too many privileges for users
Roles and privileges are usually configured in a broad sense by software providers to make sure their product is easy to use. If you don't refine or reconfigure these wherever possible, specific users or roles likely have too many privileges.
You don't want inexperienced users to be able to do a lot of damage, like deleting database assets or having access to essential security controls.
It goes as far as the device level. You don't want to give a regular sales intern a user account on their laptop with administrator privileges, as this can cause a lot of damage.
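A least-privilege check for the situation described above, as an added example that is not part of the original article: it expands each user's roles and reports every sensitive action that the user's job function should not be able to perform. The `service:Action` permission format, the role and user names and the deny policy are all constructed for illustration and do not follow any specific provider's schema.

```python
from fnmatch import fnmatchcase

# Constructed sample data. "service:Action" is a hypothetical permission
# format used only for this example, with "*" as a wildcard.
ROLES = {
    "vendor-default-user": ["crm:*", "db:*", "security:ReadAlerts"],
    "sales-readonly": ["crm:Read*", "db:Select"],
    "platform-admin": ["*"],
}
USERS = [
    {"name": "intern.sales", "function": "sales", "roles": ["vendor-default-user"]},
    {"name": "account.manager", "function": "sales", "roles": ["sales-readonly"]},
    {"name": "ops.lead", "function": "platform", "roles": ["platform-admin"]},
]
# Assumed policy: sensitive actions a given job function must never hold.
DENIED = {
    "sales": [
        "db:DeleteTable",
        "db:DropDatabase",
        "security:DisableLogging",
        "security:UpdateFirewall",
    ],
}


def excessive_privileges(users, roles, denied):
    """Return (user, role, granted_pattern, action) for each denied action
    that one of the user's roles actually grants."""
    findings = []
    for user in users:
        forbidden = denied.get(user["function"], [])
        for role in user["roles"]:
            for pattern in roles.get(role, []):
                for action in forbidden:
                    # A broad grant such as "db:*" silently covers
                    # destructive actions like "db:DeleteTable".
                    if fnmatchcase(action, pattern):
                        findings.append((user["name"], role, pattern, action))
    return findings


if __name__ == "__main__":
    for name, role, pattern, action in excessive_privileges(USERS, ROLES, DENIED):
        print(f"{name}: role {role!r} grants {action} via {pattern!r}")
```

The broad vendor default role is what exposes the intern account; the refined `sales-readonly` role for the same job function produces no findings.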
Cloud security challenge #6: Insecure access
Speaking of regular users and their devices, this can be a reason for concern. What if the intern is on holiday in Thailand and logs in via a rogue access point they mistake for public airport WiFi? If there's no 2FA on that account, the operator of that rogue access point now has the same level of access to your company as that intern.
They may end up not doing anything with it, but nowadays, usernames and passwords are easily sold online to interested parties who may want to do harm.
Since we’re talking about passwords, they pose real security risks to organisations. According to the 2021 Data Breach Investigations Report by Verizon, more than 80% of breaches involve weak or stolen credentials. Therefore, it is important to create strong passwords and preferably use multi-factor authentication (MFA). In this blog, I tell you more about the password problem and I'll give you some concrete advice on how to improve your passwords.