Over the past several years, one of the more pronounced trends in technology has been a rapid move to the cloud. This has resulted in companies of all sizes and in all industries moving their entire technology infrastructure to providers such as Amazon AWS and Microsoft Azure. However, even though companies shift their infrastructure to the cloud, they remain responsible for developing adequate cybersecurity policies and procedures that are designed to protect data and ensure its availability.
Many organizations incorrectly assume that once they move to the cloud, they can simply check the compliance and security box, believing that it is the responsibility of the cloud providers. However, cloud providers are quick to point out that security is a “shared responsibility” with the client. While the cloud providers are responsible for the availability and physical security of the environment, securing corporate technology resources and data, including confidential customer data, is still the responsibility of the client. Attacks targeting misconfigured Amazon and Microsoft cloud instances are becoming more frequent, creating a major risk factor for many organizations. Incidents such as Ghostwriter attacks, where attackers scan for publicly writable Amazon Simple Storage Service (S3) buckets, are on the rise. Once a writable bucket is identified, attackers replace legitimate “trusted” content with malware-infected versions of the files to propagate larger attacks, many of which are ransomware related. By default, AWS S3 environments require administrators to add permissions explicitly, but in complex environments it can be very tempting for organizations to take the easy route and simply click the “public” button in order to begin using the environment more quickly.
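The misconfiguration described above is visible in two places: the bucket ACL (a grant to the AllUsers or AuthenticatedUsers group with WRITE or FULL_CONTROL) and the bucket policy (an Allow statement with a wildcard principal and a write action). The following script is an added example, not code from the original article or from AWS; it audits both documents offline for public write access. The sample ACL and policy documents are constructed for illustration and follow the shapes that boto3's `get_bucket_acl()` and `get_bucket_policy()` return; the account id 111122223333 and the role name `deploy` are placeholders, and Condition blocks are deliberately ignored so that a conditional public grant is still flagged for review.

```python
"""Offline audit of S3 bucket ACLs and bucket policies for public write access.

Added example; the ACL and policy documents below are constructed samples,
not taken from any real account. Only the permission documents are examined,
so no AWS credentials or network access are needed.
"""
import json

# Predefined S3 groups that grant access to everyone / any AWS account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# ACL permissions that let a grantee modify objects or the ACL itself.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
# Policy actions that allow replacing objects or widening permissions.
WRITE_ACTIONS = {
    "s3:PutObject", "s3:DeleteObject", "s3:PutObjectAcl",
    "s3:PutBucketAcl", "s3:PutBucketPolicy", "s3:*", "*",
}


def public_write_grants(acl):
    """Return (group URI, permission) pairs that give a public group write-level access."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in PUBLIC_GRANTEE_URIS:
            continue
        if grant.get("Permission") in WRITE_PERMISSIONS:
            findings.append((grantee["URI"], grant["Permission"]))
    return findings


def _as_list(value):
    """Policy fields such as Action and Statement may be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_write_statements(policy):
    """Return Sids (or positional labels) of Allow statements granting write actions to everyone.

    Condition blocks are intentionally ignored: a conditional public grant
    still deserves a human look, so it is reported rather than suppressed.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        if set(_as_list(stmt.get("Action", []))) & WRITE_ACTIONS:
            findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


def audit_bucket(acl, policy_json):
    """Combine both checks; policy_json is the raw string get_bucket_policy() returns."""
    policy = json.loads(policy_json) if policy_json else {}
    acl_hits = public_write_grants(acl)
    policy_hits = public_write_statements(policy)
    return {"acl_public_write": acl_hits, "policy_public_write": policy_hits,
            "public_write": bool(acl_hits or policy_hits)}


# --- constructed sample documents -------------------------------------------
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}
ALL_USERS = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}

# Weak: the "public" shortcut, everyone may read and overwrite objects.
WEAK_ACL = {"Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": ALL_USERS, "Permission": "READ"},
    {"Grantee": ALL_USERS, "Permission": "WRITE"},
]}
# Hardened: only the bucket owner holds any permission.
HARDENED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}

WEAK_POLICY_JSON = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PublicWrite", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": "arn:aws:s3:::example-bucket/*"},
]})
# Hardened: writes limited to one deployment role; the wildcard statement is a Deny.
HARDENED_POLICY_JSON = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "DeployWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/deploy"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
]})

if __name__ == "__main__":
    for label, acl, pol in (("weak", WEAK_ACL, WEAK_POLICY_JSON),
                            ("hardened", HARDENED_ACL, HARDENED_POLICY_JSON)):
        print(label, audit_bucket(acl, pol))
```

In a live account the same two functions can be fed the results of `get_bucket_acl()` and `get_bucket_policy()` for every bucket listed by `list_buckets()`; enabling S3 Block Public Access at the account level is the configuration change that prevents the weak documents above from taking effect in the first place.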
Properly configuring and securing cloud environments is the cornerstone of good cybersecurity strategy in the cloud. With that in mind, Amazon released a new AWS Certified security exam in April that is focused on establishing a credential that highlights an individual’s ability to securely configure an AWS environment.
Companies should also focus on monitoring their cloud environments to protect against misuse of their resources by attackers. Both Amazon and Microsoft have solutions to assist clients in this area. Amazon GuardDuty is a managed threat detection service provided by Amazon that monitors an organization’s AWS environment and alerts clients to changes and threats that occur within it. Microsoft has what it calls its Advanced Threat Prevention service, which also gives organizations cybersecurity visibility into their cloud infrastructure.
When operating in the cloud, cybersecurity teams need to shift their focus from traditional strategies that emphasized strengthening perimeter defenses to one that accounts for the fact that organizations’ employees and technology infrastructures are becoming more and more decentralized. Since one of the key benefits of moving to the cloud is enabling distributed workforces that can work from anywhere at any time, it is critical to develop a pragmatic approach to cloud solutions that focuses on providing limited and controlled access to technology and data assets. Evidence suggests that when companies do not provide solutions that employees find useful and flexible, those employees will simply adopt solutions of their own choosing, which can present significant security risks to an organization.
Compliance is another key factor affecting companies that move to the cloud. Requirements from the CFPB, Fannie Mae, Freddie Mac, and states such as New York firmly establish the importance of third-party vendor risk management. Performing due diligence on major cloud providers such as Microsoft and Amazon is as simple as visiting their compliance portals. However, many smaller cloud providers lack the same level of sophistication, which makes it harder for organizations to obtain even basic third-party compliance reports such as a SOC 2 Type II. The lack of this independent attestation forces organizations to fall back on an established framework such as the FFIEC Automated Security Assessment Tool, which gives organizations a standard way to assess whether vendors have taken the steps necessary to establish good cybersecurity practices designed to protect their customers and their data.
Both Amazon and Microsoft provide services and tools to assist organizations as they move to the cloud, but organizations should be prepared to invest in the right training and expertise to protect against modern threats targeted at cloud environments. Establishing configuration standards and working with a trusted partner that understands industry best practices and trends are critical elements of developing effective cloud strategies in the current cloud-focused environment.