Security vulnerabilities have made more and more organizations interested in emerging security software. For example, cloud security posture management (CSPM) technology can scan the cloud computing environment and alert corporate employees to configuration issues and compliance risks, most of which result from human error.
Misconfiguration in the cloud platform
Neil MacDonald, an analyst at the research organization Gartner, said that most corporate chief information officers stated in the survey that their data is more secure on cloud computing providers' platforms, but that human error and cyber attacks have led to data leaks at many companies. Gartner's survey shows that, in fact, by 2025, 99% of cloud security failures will be the fault of customers themselves.
MacDonald said: "Their biggest concern is that some mistakes made by internal employees will leak their data."
Tony Taylor, chief security officer of Land O'Lakes, said that, for example, because of DevOps deadlines, many enterprise developers have rushed to start new virtual machines and unintentionally exposed their networks.
Common configuration errors expose cloud storage folders and data transfer protocols to the global Internet and give user accounts excessive access rights. Previously, staff found such vulnerabilities through manual inspection or by writing automated scripts.
Check cloud computing security status
MacDonald said that because cloud platforms offer a high degree of automation and user self-service (for example, infrastructure as a service and platform as a service), proper cloud configuration and compliance become all the more important.
Gartner recommends that companies respond to these risks by investing in cloud security posture management (CSPM). CSPM is an extension of cloud access security broker (CASB) software designed to implement software-as-a-service (SaaS) security, compliance and governance policies.
Taylor stated that Land O'Lakes is using CASB and CSPM software to understand who has provisioned thousands of accounts, what permissions each user has, and who shares what data. The software is McAfee's MVISION Cloud, which can identify errors such as configuration errors in ports and databases, unencrypted technical services, and systems that do not comply with state and federal privacy laws. It also automatically alerts security personnel to anomalies, such as suspicious access.
For businesses that are concerned about protecting personal information under state privacy laws (such as the California Consumer Privacy Act and the General Data Protection Regulation), this type of protection is essential. Taylor said: "We didn't have a good understanding of the security posture before we adopted cloud security tools."
The "side window" in the cloud
Rajiv Gupta, senior vice president of cloud computing at McAfee, pointed out that protecting the cloud computing environment is challenging because it differs from on-premises technology, where companies set up firewalls and other perimeter protections around their facilities. Because of the multi-tenant architecture of cloud computing, data from multiple customers usually resides on the same computer, and each customer can use different resources.
Gupta pointed out that the cloud computing environment exponentially expands the scope for cybercriminals to find vulnerabilities through which data can leak. To be sure, these vulnerabilities also appear in on-premises infrastructure, but there are still many misconfigurations. He said, "With cloud computing services, the original security measures have disappeared."
In addition, over time, developers inadvertently create vulnerabilities when they start new servers, open new ports, and gain higher privileges. Gupta said this "configuration deviation" weakens the security posture. When developers use APIs to connect third-party applications such as business intelligence tools to their cloud computing services, things get more complicated. The third-party services copy all of the data without many companies' knowledge. Many companies did not realize that they had created this "side window" until the data leaked.
Gupta said: "The problem becomes more complicated because of the complexity and side windows between cloud-native components."
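The checks described above (storage and data transfer ports reachable from the Internet, accounts with excessive rights, and the "configuration deviation", usually called configuration drift, that builds up as developers open ports and raise privileges) can be scripted against an inventory export. The following Python code is an added example, not taken from the article or from any vendor's product; the inventory layout, field names and resource names are constructed assumptions.

```python
# Constructed inventory snapshots. The layout and field names are assumptions
# made for this example, not any cloud provider's API or export format.
BASELINE = {
    "vm-build-01": {"type": "vm", "open_ports": {22: "10.0.0.0/8"}},
    "bucket-reports": {"type": "storage", "public": False, "encrypted": True},
    "svc-bi-connector": {"type": "account", "permissions": ["storage:read"]},
}
CURRENT = {
    "vm-build-01": {"type": "vm", "open_ports": {22: "0.0.0.0/0", 21: "0.0.0.0/0"}},
    "bucket-reports": {"type": "storage", "public": True, "encrypted": True},
    "svc-bi-connector": {"type": "account", "permissions": ["*"]},
    "vm-temp-02": {"type": "vm", "open_ports": {3389: "0.0.0.0/0"}},
}
ANYWHERE = {"0.0.0.0/0", "::/0"}  # source ranges meaning "the whole Internet"

def misconfigurations(name, res):
    """Return (resource, finding) pairs for one resource."""
    findings = []
    if res["type"] == "storage":
        if res.get("public"):
            findings.append((name, "storage readable from the Internet"))
        if not res.get("encrypted", False):
            findings.append((name, "storage not encrypted"))
    for port, source in sorted(res.get("open_ports", {}).items()):
        if source in ANYWHERE:
            findings.append((name, f"port {port} open to the Internet"))
    if any(p == "*" or p.endswith(":*") for p in res.get("permissions", [])):
        findings.append((name, "account has wildcard permissions"))
    return findings

def drift(baseline, current):
    """Report resources that are new or differ from the approved baseline."""
    changes = []
    for name, res in sorted(current.items()):
        if name not in baseline:
            changes.append((name, "new resource not in baseline"))
        elif res != baseline[name]:
            keys = res.keys() | baseline[name].keys()
            changed = sorted(k for k in keys if res.get(k) != baseline[name].get(k))
            changes.append((name, "changed: " + ", ".join(changed)))
    return changes

def audit(baseline, current):
    findings = []
    for name, res in sorted(current.items()):
        findings.extend(misconfigurations(name, res))
    return findings, drift(baseline, current)

if __name__ == "__main__":
    findings, changes = audit(BASELINE, CURRENT)
    for name, message in findings + changes:
        print(f"{name}: {message}")
```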
CIOs' views on cloud security
Capital One’s data breach is a wake-up call, and many CIOs agree with this view.
Lookman Fazal, Chief Information Officer of New Jersey Transportation, believes that, like any emerging technology, cloud computing presents CIOs with a risk-reward proposition.
When considering migrating the business to a cloud platform, Fazal discussed whether the organization could replicate AWS's 99.9% uptime in its own data center and match its security incident response rate, but the answer was no.
84 Lumber's Chief Information Officer Paul Yater said that it is also critical for companies to choose the right cloud computing provider. As customers, IT leaders are responsible for ensuring that the correct checkpoints and audit protocols are in place.
When talking about cloud computing vendors, Yater said: “Enterprises cannot assume that they are doing everything right. Instead, they need to treat cloud computing vendors as an extension of their IT organization in order to hold them accountable for the same level of security.”
Tips for protecting cloud computing services
IT leaders provide some tips for working with cloud computing providers to ensure security.
Taylor of Land O'Lakes said that cloud platform security is of paramount importance. Before developers start cloud computing services, customers must first implement policies and procedures. IT leaders must fix any vulnerabilities in the cloud computing environment, ensure that data will not be leaked, and establish a sound DevSecOps model.
Yater pointed out that cloud computing vendors need to make a profit, and that companies should require them to demonstrate penetration (pen) testing, and should track and query their firewalls, sensors, and other tools that monitor traffic between network connections. In addition, companies should ensure that vendors have the correct data retention strategy to protect the normal business operations of the enterprise.
Gupta said everyone is responsible. Security should be achieved in the context of the "shared responsibility" model. In this model, enterprises and cloud computing providers will do their part to protect their own and user data. Gupta said, "People need to understand the meaning of responsibility for maintaining models."