Business decisions are driving the adoption of cloud computing. Often, however, decisions to move to the cloud are made without considering the associated security risks, and information security teams are bypassed.
As a result, businesses put themselves at risk, according to the Cloud Security Alliance (CSA). Twelve cloud security concerns, in particular, threaten organizations, according to the CSA’s report “The Treacherous 12: Cloud Computing Top Threats in 2016,” which was sponsored by Hewlett Packard Enterprise (HPE).
“The 2016 Top Threats release mirrors the shifting ramifications of poor cloud computing decisions up through the managerial ranks,” said J.R. Santos, executive vice president of research for the CSA, in a news release. “Instead of being an IT issue, cloud security is now a boardroom issue. The reasons may lie with the maturation of cloud, but more importantly, higher strategic decisions are being made by executives when it comes to cloud adoption.”
Based on a survey of 270 security, software and networking specialists, the CSA identified the following security issues in cloud computing:
- Data breaches
- Weak identity, credential and access management
- Insecure APIs
- System and application vulnerabilities
- Account hijacking
- Malicious insiders
- Advanced Persistent Threats (APTs)
- Data loss
- Insufficient due diligence
- Abuse and nefarious use of cloud services
- Denial of Service
- Shared technology issues
The group’s previous top threats report highlighted developers and IT departments rolling out their own self-service Shadow IT projects, bypassing organizational security requirements, said Jon-Michael Brook, co-chairman of the CSA’s Top Threats Working Group, in CSA’s news release.
“A lot has changed since that time, and what we are seeing in 2016 is that the cloud may be effectively aligned with the executive strategies to maximize shareholder value,” he said. “The ‘always on’ nature of cloud computing impacts factors that may skew external perceptions and, in turn, company valuations.”
Keeping businesses secure in a cloud environment
The big question for executives wanting to adopt cloud computing is how do you move faster while ensuring your IT is protected, said Ken Won, director of Cloud Solutions Marketing at HPE.
“To address this challenge, it’s imperative that IT executives build security in from the start, to make security part of an enterprise’s DNA, not as an add-on or afterthought,” he said. “Just like meeting performance expectations or delivering the experience customers expect, security needs to be a core requirement built into the foundation of IT. By doing this, IT executives can balance the need to execute quickly and innovate while protecting their environment from hackers.”
Arpit Joshipura, vice president of marketing and product at application security provider Prevoty, agreed, saying traditional network security mechanisms aren’t enough in a cloud environment. A layered approach that addresses the infrastructure, apps and data is needed, he said in an interview with Converge! Network Digest.
“You want the network security and the firewalls to protect against Distributed Denial of Service attacks and the front-end standard type of things,” he said. “And then you want behind it runtime application security inside the applications to protect the applications themselves or to the calls to the databases. That’s a two-pronged approach we believe is the future of end-to-end security.”
Security must also be addressed at the board level, Santos said. Security executives should educate the board on current cloud-related security events or breaches that are happening, or could happen, at the company. It’s also important to explain how cloud is being used within the company.
“Make sure they understand the cloud, cyber security and board and board member liabilities, and how they relate to the enterprise,” Santos said.
At CSA’s recent Cloud Security Summit, Luis Aguilar, former commissioner at the U.S. Securities and Exchange Commission, told attendees that organizations should develop a board-level enterprise risk council and tie it into the board of directors.
“I think that’s very important,” said Jim Reavis, CEO of the CSA in an interview with Converge! Network Digest. “I think there’s some pushback from organizations, but I think it’s very critical.”
Surprisingly, a 2015 Ponemon Institute report on cyber security found that 78 percent of companies’ boards of directors had not been briefed on their organization’s cyber security strategy in the past 12 months.
While the first step is to brief boards, security executives must do it in a way that board members understand. That means focusing on the company’s risks rather than on security threats and their technical implications, and using language board members understand.
“Security needs to be considered as part of the risk management of a project,” Won said. “Understanding the potential business impact of a breach, just like understanding the potential business impact of downtime or not meeting core user requirements must be well understood.”
Security teams must make some adjustments, as well. They need to have a deep understanding of the security profiles and capabilities of each cloud environment—public cloud, private cloud, hybrid cloud and multi-cloud, Won said. And they must be able to give recommendations about which type of cloud is best for a given workload.
Security teams must also adjust to sharing responsibility with cloud service providers, Won said. With a cloud environment, IT no longer has complete control and responsibility like it did with a traditional data center.
“Security teams need to have a clear understanding of what the cloud service provider’s security responsibilities are and how their own security requirements complement them to ensure the project is completely protected,” Won said.
At the same time, security teams need to learn how to fit in with the rapid pace of cloud development and advocate for DevSecOps teams in which the security team works with the developers, wrote Dave Shackleford, founder and principal consultant at Voodoo Security, in the SANS Institute whitepaper “A DevSecOps Playbook.”
“If security teams are going to be a core component of DevSecOps, they must impress upon development and operations that they can bring a series of tests and quality conditions to bear on production code pushes without slowing the process,” he wrote. “If security parameters and metrics are incorporated into development and test qualifications, then the chance for security to be involved in the processes for DevOps is much higher.”
Information security professionals under pressure
With all that security teams have to consider, it makes sense that in-house information security professionals feel more pressure than ever in doing their jobs. Trustwave Holdings’ 2016 Security Pressures Report found that 63 percent of information security professionals felt more pressure in doing their jobs, and 65 percent said it would get worse in the year ahead, up 9 percent and 8 percent, respectively, compared to the previous year.
The threat of a data breach, the repercussions of a breach and the shortage of security expertise contributed to the increased pressure.
Board meetings also raise pressure levels, respondents said. Forty percent said they feel the most pressure in relation to their security program either directly before or after a company board meeting, 1 percent higher than the share who feel the most pressure after a major data breach hits the headlines.
Adding to the stress is the fact that 77 percent said they are pressured to unveil IT projects that aren’t security-ready.