Organizations are rushing to move many of their legacy IT systems to the cloud. Software as a Service (SaaS) and Infrastructure as a Service (IaaS) have grown more popular in recent years, as organizations have overcome their initial trepidation and embraced the cloud’s efficiencies, enhanced capabilities, scalability and reduced costs.
The move to cloud-based systems has brought about a sea change in the way organizations approach security. With legacy systems, all computing activities and data retention were done in-house, putting the responsibilities for security squarely on the shoulders of the organizations’ IT departments. Today, with cloud-based infrastructure and software, processing power and data retention are handled outside the organization by a variety of vendors. The average organization collaborates with 865 other organizations while doing business, according to prominent security vendor CloudLock. All of those organizations must work together to ensure cybersecurity in the cloud.
Why Cybersecurity is Vital in the Cloud
The need for a new approach is evident once you consider how much the cloud has changed IT. According to one recent report from PwC, the push for cloud computing is significant and accelerating:
- Adoption of cloud computing is increasing every year
- 55 percent of organizations surveyed in 2014 use some kind of cloud computing, up from 47 percent in 2013
- 41 percent of organizations use IaaS for mission-critical operations
“If correctly adopted, cloud computing will enable organizations to take advantage of the flexibility and simplicity of cloud architectures that transcend the barriers of traditional IT. Creating this next generation of IT capabilities is, in fact, the ultimate goal of cloud service providers.” — PwC
Cybersecurity Advantages of Cloud Migration
The promising news is that shifting to the cloud has real, measurable advantages related to cybersecurity. In the PwC report cited above, 59 percent of survey respondents said the shift to the cloud had “improved” their IT security programs. The cloud represents a “bold” concept that has the promise of disrupting the existing ways malicious parties attack organizations’ IT systems.
Part of the reason for the confidence around cybersecurity in the cloud is that each cloud vendor has a deep understanding of the types of attacks it may face, and can take measures quickly to mitigate risk and prevent intrusions. In other words, security is no longer solely the purview of an organization’s IT department; an entire community of vendors is also involved in the effort.
Author Jennifer Schlesinger, writing for CNBC, says this wide network of cybersecurity experts makes cloud computing and storage an ideal choice for small- and medium-sized organizations, which may not have the resources and time to adequately secure their IT systems and make updates as quickly as required. She calls this “outsourcing cyberdefense.” Third-party vendors can provide rich, up-to-date information about threats and solutions.
Assessing the Cybersecurity Risks of Cloud Computing
The outlook isn’t entirely rosy. Large cloud computing and storage vendors, such as Amazon Web Services (AWS) and Microsoft Azure, are all tempting targets for hackers — perhaps more so than an individual organization with legacy systems would be.
Just like any other organization, a cloud provider is susceptible to data breaches, which open the door for theft of company secrets and customer information, as well as Distributed Denial of Service (DDoS) attacks that compromise systems and interrupt service delivery.
In a recent report, CloudLock reiterates that cloud applications are becoming more secure, but points out that data on the cloud is still vulnerable. In 2015, there was a tenfold increase in the number of files stored in the cloud, and more than 10 percent of all this data is considered highly sensitive. Thousands of files at each organization may be publicly accessible.
CloudLock suggests that employees might be the weakest link in cloud cybersecurity. Employees might give third-party cloud-based applications (either on their computers or mobile devices) security permissions that allow the application to read, modify and even delete data. In today’s app-rich environment, even simple games seek permission to link with Google and Facebook accounts. Last year, for example, Pokémon Go — a popular game that many people installed on the mobile devices they use for work — initially required a great deal of access to new users’ Google accounts. This was later changed.
Most experts agree that protecting your organization’s information in the cloud requires rethinking how you view IT security. There’s talk about the “extended data perimeter” and broader “attack surface” today.
Some recommendations for minimizing risk are:
- Monitor the cloud environment consistently and analyze user behavior
- Know what information is being shared at all times between your organization and your vendors
- Focus on training employees to be more cognizant of potential security risks, such as phishing
- Assess the risk levels related to each IT computing function and data set, and concentrate on the most important assets