According to Gartner, the worldwide public cloud services market grew 40.7% in 2020. But despite how commonplace it now is, a cloud migration can involve complicated and often challenging steps, particularly surrounding system and data security.
It’s critical to understand how to approach the task, identify the attack surface precisely, and know what specific steps you can take to lock down data more effectively.
Yet too many businesses skip crucial steps and fail to use the right strategic framework in the rush to spin up clouds or introduce solutions. As a result, they are unable to:
- Distinguish where key assets reside
- See which data sets are vulnerable
- Understand how everything – from identities to governance – maps from legacy systems to the cloud
The result is a higher risk profile and a larger attack surface to protect. Let’s look at the details.
A starting point for securely migrating to the cloud is to know your attack surface and what vulnerabilities it introduces.
Historically, organizations have addressed security by implementing a cloud access security broker (CASB), which resides between on-premises systems and the cloud, and serves as a traffic cop for data flowing across the network. CASB helps to secure end-user access to SaaS applications like Salesforce.com and Microsoft Outlook 365.
Of course, CASBs aren’t the only game in town. In order to protect private applications running on AWS, Azure and GCP, Cloud Security Posture Management (CSPM) tools have emerged to detect misconfigurations like publicly exposed databases.
CSPM, however, does not address the attack surface associated with identities and their entitlements. For example, some 80% of cloud permissions are completely unnecessary. This problem frequently extends across business units and geographic locations. Moreover, as the number of cloud stakeholders increases along with siloed clouds and shadow IT, the complexities and risks multiply—sometimes exponentially.
It’s important to make the distinction between SaaS applications and cloud infrastructure, namely IaaS and PaaS. Generally, SaaS applications are considered more secure, because the cloud service provider is responsible for securing the infrastructure and its configurations. Security for IaaS and PaaS, by contrast, is the end-user organization’s responsibility.
Let’s consider the risks and security challenges associated with protecting cloud infrastructure in AWS, Google Cloud Platform, Microsoft Azure, and other clouds.
A least privileged identity model
It’s critical to acknowledge a basic fact: risk isn’t a measure against perfection; it’s a pragmatic gauge of the actual dangers an enterprise faces at any given moment.
There’s no way to get to a zero-risk environment, short of shutting down the business. It’s also important to appreciate that while cloud service providers take some responsibility for security, most of the responsibility falls on an organization to protect its systems and data.
What’s the answer? It’s critical to operate within a least privileged identity model and stamp out unnecessary entitlements and misconfigurations. This approach—think of it as best practice security hygiene—must span the entire cloud environment.
Within this environment it’s possible to view multi-cloud assets and access relationships, prioritize and remediate risky privileges, put stronger governance and compliance standards in place and, in the end, radically reduce an organization’s attack surface—and the risk of lateral movement of attacks.
When an organization achieves this level of visibility and automation, it can slide the dial from reactive to proactive. Migrations to the cloud cease being solely about a collection of ad hoc security tools that may or may not catch problems. Instead, an organization can automate and improve cloud configuration and identity governance within the entire infrastructure.
In the end, this approach knocks out the two main culprits for security breakdowns during a cloud migration: identity failures and misconfigurations. While it’s impossible to eliminate risk, this focus on identities, their entitlements and configurations delivers the maximum level of protection possible.
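A concrete way to find the excess entitlements described above, as an added example that is not from the original article or from Ermetic: it expands the wildcards in an AWS-style IAM policy against a service catalogue, compares the actions granted with the actions an identity was actually observed using, and reports the unused remainder and the wildcard grants worth replacing. The policy, the observed-action set and the (deliberately tiny) catalogue are all constructed samples.

```python
import fnmatch

# Constructed sample: an AWS-style identity policy attached to a migration role.
GRANTED_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
    ],
}
# Constructed sample: actions the identity actually exercised (real data: CloudTrail / "last accessed").
OBSERVED_ACTIONS = {"s3:GetObject", "s3:PutObject", "ec2:DescribeInstances"}
# Constructed, deliberately tiny service catalogue used to expand wildcards.
SERVICE_ACTIONS = {
    "s3": ["s3:GetObject", "s3:PutObject", "s3:DeleteBucket", "s3:PutBucketPolicy"],
    "iam": ["iam:CreateUser", "iam:AttachUserPolicy", "iam:PassRole"],
    "ec2": ["ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances"],
}

def statement_actions(stmt):
    """Normalise the Action field, which IAM allows as either a string or a list."""
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)

def expand(pattern):
    """Expand an action pattern such as 's3:*' into the concrete actions it grants."""
    if "*" not in pattern and "?" not in pattern:
        return {pattern}
    service = pattern.split(":", 1)[0]
    candidates = ([a for acts in SERVICE_ACTIONS.values() for a in acts] if service == "*"
                  else SERVICE_ACTIONS.get(service, []))
    return {a for a in candidates if fnmatch.fnmatchcase(a, pattern)}

def granted_actions(policy):
    """Every concrete action the policy's Allow statements grant."""
    allowed = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            for pattern in statement_actions(stmt):
                allowed |= expand(pattern)
    return allowed

def entitlement_report(policy, observed):
    """Compare granted against observed use; the gap is the excess entitlement to remove."""
    granted = granted_actions(policy)
    unused = granted - observed
    wildcards = sorted(p for s in policy["Statement"] for p in statement_actions(s) if "*" in p)
    return {"granted": len(granted), "unused": sorted(unused),
            "unused_pct": len(unused) * 100 // len(granted) if granted else 0,
            "wildcards": wildcards}  # wildcard grants to replace with explicit action lists
```

On the constructed sample the report shows 5 of the 8 granted actions (62%) never used, all of them introduced by the two wildcard statements.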
About the Author:
Arick Goomanovsky, Chief Business Officer of Ermetic