Over the past two decades, the tech industry has witnessed a marked shift from traditional enterprise networks and colocation data centers to cloud computing. Cloud computing allows users to access servers, storage, and applications over the internet. In contrast to conventional enterprise networks that are typically built onsite and require a significant investment in hardware, software, and personnel to operate and maintain, cloud computing requires little or no on-premises infrastructure. Cloud service providers (CSPs), such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud, offer automated services that allow customers to provision new systems and applications quickly and efficiently and scale their environments on demand. Despite its numerous advantages, cloud computing introduces several challenges that IT departments, security teams, and application developers must consider when securing their cloud environments.
Advantages of Cloud Computing
Cloud computing offers several advantages over traditional computing, including scalability, flexibility, and cost-effectiveness. With cloud computing, you can quickly scale your computing resources up or down as your needs change without purchasing and managing additional hardware. Large regional data centers and global-scale networks provide instant scalability and redundancy, and cloud APIs provide automation that enables organizations to deploy infrastructure quickly and consistently.
With cloud computing, you can access your applications and data from anywhere with an internet connection, which can be particularly useful for remote workers or businesses with multiple locations. Additionally, cloud computing offers various deployment options, including public, private, and hybrid clouds, which organizations can tailor to meet their unique needs.
Cloud computing can be more cost-effective than maintaining on-premises IT infrastructure, eliminating costly hardware, software, and maintenance expenses. This is due in large part to virtualization, which allows for better utilization of hardware resources. Additionally, cloud computing providers often offer pay-as-you-go pricing models, which can help you save money by only paying for the resources you use.
Security in the Cloud
The technological shift brought about by cloud computing necessitates a new approach to security. Traditional enterprise networks typically rely on a perimeter-based security model, which involves securing the network edge with firewalls, intrusion detection/prevention systems, and other network-based security measures. In contrast, cloud computing promotes a data-centric approach to security, focusing on protecting data wherever it resides. Many of the qualities that make cloud computing appealing to businesses also present new security challenges, which have contributed to the growth of attacks in the cloud in recent years.
The following list summarizes many of these challenges:
- Customer data resides in the cloud and not within the confines of an enterprise network.
- Cloud applications, services, and APIs are often accessible from anywhere on the internet.
- Computing resources are shared across multiple customers.
- Lack of traditional network boundaries complicates access management.
- Rapid innovation and growth in the complexity of cloud services frequently result in misconfiguration and human error.
- Confusion over the customer’s responsibilities and those of the CSP leads to security gaps.
- Adoption of cloud services by groups outside of IT contributes to unmanaged attack surface.
- Lack of security visibility across cloud environments increases difficulty in detecting and responding to security events.
- The emergence of new cloud-specific threats and vulnerabilities confronts IT departments.
We’ll discuss these challenges in more detail in the following sections.
Challenge 1 – Data Resides in the Cloud
Cloud applications require access to data, and CSPs offer a variety of storage options, including relational databases, key-value databases, object stores, in-memory caches, and large-scale data warehouses. Consequently, vast amounts of sensitive data reside with third-party service providers. Misconfigured data stores can immediately expose confidential information to malicious users. Such a breach can have severe and lasting consequences.
Challenge 2 – Direct Access from the Internet
Ubiquitous access is one of the main benefits of cloud computing but also one of its more significant challenges. Applications, APIs, and data may be exposed directly to the internet, making them more vulnerable to unauthorized access and denial-of-service (DoS) attacks. Without automated incident detection and response, attacks may go unnoticed for long periods, giving attackers ample time to uncover and exploit vulnerabilities.
Challenge 3 – Shared Computing Resources
A primary advantage of cloud computing is cost-effectiveness. Sharing computing resources across multiple customers makes better use of available CPU, memory, and bandwidth, reducing costs for each customer. However, if the isolation between tenants fails (through a hypervisor or container escape, for example), a breach of a single customer may result in the compromise of data belonging to numerous other customers. Additionally, a DoS attack against one customer’s environment may degrade service for other customers sharing the same underlying hardware and networks.
Challenge 4 – Lack of Network Boundaries
In contrast to conventional enterprise networks, network boundaries are less well-defined in the cloud. The customer is responsible for configuring firewall rules, network access control lists, and security groups to control access to their hosts, applications, and data. Most CSPs now deploy computing resources into dedicated virtual networks, commonly called virtual private clouds (VPCs), which allow organizations to separate their resources from those belonging to other customers. However, configuring access within and between these networks can be complex and error-prone.
Challenge 5 – Misconfiguration and Human Error
Cloud computing has undergone rapid innovation, growth, and adoption in the last decade. The variety and combination of available cloud services enable businesses to offer new and exciting products to their customers; however, the complexity of modern-day cloud environments frequently leads to human error and security misconfiguration. Industry research firm Gartner has predicted that through 2025, 99% of cloud security failures will be the customer’s fault, most often the result of misconfiguration.
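The two misconfigurations that Challenges 1, 4, and 5 describe most often look like this in practice: a bucket policy whose Principal is "*" (anyone on the internet) and a security group that opens an administrative port to 0.0.0.0/0 or ::/0. The script below is an added example written for this article, not code from the original page; it audits constructed sample documents shaped like an AWS S3 bucket policy and an EC2 security group and returns the offending statements and rules. The account ID, ARNs, group ID, and the list of sensitive ports are assumptions for illustration.

```python
from ipaddress import ip_network

# Ports that should never be reachable from the whole internet. Assumption:
# a typical admin/database list; extend it for your own environment.
SENSITIVE_PORTS = {22, 3389, 1433, 3306, 5432, 6379, 27017}


def _as_list(value):
    """Statement, Action and Principal.AWS may be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_anonymous_principal(principal):
    """True when a statement's Principal means "anyone", i.e. public access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_findings(policy):
    """Return the Allow statements that grant anonymous, unconditional access.

    A Condition block (aws:PrincipalOrgID, aws:SourceVpce and the like)
    narrows "anyone" to a specific source, so conditioned statements are not
    reported here; review those by hand instead.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_anonymous_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append({"sid": stmt.get("Sid", "<no Sid>"),
                         "actions": _as_list(stmt.get("Action")),
                         "resources": _as_list(stmt.get("Resource"))})
    return findings


def open_ingress_findings(security_group):
    """Return ingress rules that expose a sensitive port, or every port, to
    the entire IPv4 (0.0.0.0/0) or IPv6 (::/0) internet."""
    findings = []
    for perm in security_group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        world = [c for c in cidrs if ip_network(c).prefixlen == 0]
        if not world:
            continue
        proto = perm.get("IpProtocol")
        if proto == "-1":  # all protocols and all ports; no FromPort/ToPort
            exposed = sorted(SENSITIVE_PORTS)
        else:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            exposed = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
        if exposed:
            findings.append({"group": security_group.get("GroupId"),
                             "protocol": proto, "ports": exposed,
                             "sources": world})
    return findings


# Constructed sample inputs (not real resources), in the shape the AWS APIs
# return for S3 bucket policies and EC2 security groups.
PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"},
        {"Sid": "OrgOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-data",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorg"}}},
        {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-data/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}
HARDENED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"},
    ],
}
SAMPLE_SECURITY_GROUP = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [],
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ],
}

if __name__ == "__main__":
    print(public_policy_findings(PUBLIC_BUCKET_POLICY))   # PublicRead only
    print(public_policy_findings(HARDENED_BUCKET_POLICY))  # []
    print(open_ingress_findings(SAMPLE_SECURITY_GROUP))    # port 22 and "-1"
```

Two design choices are worth noting. The Deny statement and the org-scoped statement both carry `"Principal": "*"` yet are not reported, because a Deny cannot grant access and a Condition narrows the audience; a checker that flags every `"*"` produces noise that teams soon learn to ignore. On the network side, HTTPS open to the world is deliberately left alone, since a public web tier is a legitimate design, while SSH, RDP, and database ports exposed to 0.0.0.0/0 or ::/0 are almost never intended.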
Challenge 6 – Confusion Over Responsibilities
In all cloud environments, the CSP and the customer share responsibility for security, and the duties of the customer vary depending on the type of cloud service. For a SaaS application where the provider handles nearly every aspect of security, the customer’s responsibilities may end with user management. With infrastructure as a service (IaaS), on the other hand, the customer may be responsible for everything beyond physical data center access and the security of the underlying network and virtualization software. This variability causes frequent confusion over the responsibilities of the CSP and those of the customer and can lead to oversight and omission. We discuss this issue further in Shared Responsibility Model below.
Challenge 7 – Unmanaged Attack Surface
The swift adoption of cloud services and the explosive growth of publicly available workloads have greatly increased the attack surface of the cloud. IT departments struggle to control the use of cloud services by other groups within their organizations, a trend known as shadow IT. These shadow workloads, often deployed outside official channels and without security oversight, can unintentionally expose confidential information to outsiders.
Challenge 8 – Lack of Security Visibility
Logging, monitoring, and alerting are all critical to effective security management. Lack of visibility across a cloud environment limits an organization’s ability to detect and respond to security events. Cloud environments involve dynamic resources, distributed systems, and diverse, interconnected services, making monitoring and response intricate and complex. Additionally, the sheer volume of logs and events generated by large cloud workloads can overwhelm security teams. Working with multiple CSPs further compounds the problem, as tracking events across cloud borders may be difficult.
Challenge 9 – New Cloud Vulnerabilities
While many traditional vulnerabilities apply to the cloud, new cloud-specific attack vectors have surfaced. Attackers now target exposed cloud APIs, infrastructure code, trust relationships between cloud components, cloud-based software deployment pipelines, and vulnerabilities in specific cloud services. In addition, many cloud workloads are vulnerable to supply chain attacks that target individual components or dependencies within an application or service. Through these attacks, malicious users may gain access to data, systems, or an entire cloud environment. Attackers may modify the infrastructure or deploy new cloud resources to facilitate criminal activities such as malware distribution, botnet command and control, and cryptojacking.
Shared Responsibility Model
A major difference between cloud security and traditional enterprise network security is the level of control afforded to the customer. With enterprise networks, IT managers have complete control over the network infrastructure and related security measures. In contrast, with cloud computing, the CSP and the customer split responsibilities. The balance of responsibilities depends on the type of cloud service, but generally speaking, the provider is responsible for securing the underlying infrastructure (“Security of the Cloud”), and the customer is responsible for securing their data and applications (“Security in the Cloud”). This is referred to as the shared responsibility model.
The shared responsibility model can be a source of confusion for those new to the cloud. Where do the responsibilities of the provider end and the customer begin? Customers may assume or expect the service provider to protect resources they are responsible for securing themselves. To compound the issue, the level of responsibility required of the customer varies based on the type of cloud service and may include any or all of the following:
- user management (accounts, roles, and permissions)
- network configuration and access control
- host hardening and patching
- per-service security configuration
- application installation and security maintenance
- secure data storage and transmission
- application layer security controls
- remote access
Zero Trust
The lack of well-defined network boundaries coupled with the use of shared computing resources and the distributed nature of cloud services is driving a new approach to security in the cloud. Zero Trust is a security model that emphasizes security without perimeters. According to CISA, it represents a shift from a location-centric model to one based on identity, context, and data.
Several core principles anchor the Zero Trust movement:
- Never grant access based on location.
- Perform frequent authentication and authorization of access requests.
- Provide least-privilege access using granular access controls.
- Always assume compromise and “limit blast radius.”
- Continuously monitor your security posture.
- Collect as much information as possible about your environment and use it to improve your security posture.
———————–
“Zero Trust is a cybersecurity strategy premised on the idea that no user or asset is to be implicitly trusted. It assumes that a breach has already occurred or will occur, and therefore, a user should not be granted access to sensitive information by a single verification done at the enterprise perimeter. Instead, each user, device, application, and transaction must be continually verified.” — The National Security Telecommunications Advisory Committee (NSTAC)
———————–
With Zero Trust, access is never granted implicitly. Systems and applications must authenticate every requester regardless of location, whether that requester is a person, a device, or a service. Before granting access, security controls must validate each request against the current security policy. In addition to frequent, granular access control, Zero Trust emphasizes the importance of continuous security monitoring to assess the integrity of protected resources, rapidly respond to security events, and measure the effectiveness of security controls.
To learn more about Zero Trust, see NIST Special Publication 800-207.
Summary
Cloud computing has changed how organizations create, deploy, and deliver networked applications and information systems. The scalability, flexibility, and cost-effectiveness inherent to the cloud increasingly drive adoption by businesses and users alike. However, the same qualities that enable rapid innovation, ubiquitous access, and ease of deployment present many security challenges. They also demand a new approach to security, one that does not rely on network boundaries and perimeter defenses. While cloud service providers shoulder much of the security burden, it’s ultimately up to the customer to understand their responsibilities when securing the cloud.
Need help securing your cloud environment?
Whether you’re deploying your first cloud workload or need a detailed security assessment for your existing environment, GreyKeep Security has the services and experience to help. Contact GreyKeep Security for a no-cost introductory consultation.