The cloud has become an indispensable tool, and it’s pretty simple in concept: you lease or use data resources that are managed by another entity and located away from your physical devices. In turn, your data is kept safely offsite, where it’s visible, manageable, and can be accessed quickly whenever you need it.
But nothing’s perfect. Google’s inaugural Threat Horizons report outlines a few recent real-life examples of cloud breaches, and from these, we can draw out some common cloud security misconceptions to address. But first, let’s answer the million-dollar question…
Is the cloud secure?
The cloud is lauded as a safe and secure mechanism built for the many organizational challenges of modern businesses. But when it comes to securing your data, is the cloud all it’s cracked up to be?
In a word, yes – the cloud brings a host of advantages, like agility, the ability to scale, a reduction in upfront costs, and a high level of security. After all, you’re not having to rely completely on your own systems, which can harbor unknown vulnerabilities and will likely demand a solid team effort to monitor and maintain.
On the other hand, cloud security isn’t guaranteed; both the provider and the user have a part to play. Here are a few commonly held beliefs that could put you at risk, and how to ensure your data stays safe in the cloud.
Myth: Your cloud provider handles all the security.
Cloud security is not owned by one person or organization — it’s a shared responsibility. In fact, some responsibilities are always the provider’s, some are always the user’s, and some will vary depending on the service model.
So what are you, the user, in charge of? You’re tasked with:
- Managing your company's users and their access
- Safeguarding your cloud assets from unauthorized access
- Encrypting your cloud-based data
- Managing your organization’s security posture
The bottom line
Your cloud provider oversees security related to the cloud infrastructure itself, including the physical hosts and physical network. You’re charged with maintaining the right day-to-day cybersecurity practices and configurations to defend your data from bad actors.
Myth: All employees can safely be given full access to the cloud.
Traditionally, system firewalls were used to broadly protect everything that lies within (known as the “moat and castle” model), but identity is the new perimeter when working in the cloud. Today, the principle of least privilege (PoLP) reigns supreme: Users should have access to what they need, and nothing more.
There are other benefits to PoLP, too. Not only does it limit insider risk, but it helps you keep things more organized – and staying organized means better visibility and more control.
The bottom line
More people with access means more points of vulnerability. Owners or administrators are in charge of identity and access management to limit the risk of unauthorized access that could lead to a data breach.
Myth: Small businesses aren’t big targets on the cloud.
The size of your business doesn’t matter much. These days, hackers are paying less attention to the nature of a business or size of assets and instead focusing on the path of least resistance.
Page three of the Google report states that 86% of compromised cloud instances were used to conduct cryptocurrency mining, which means many hackers are after your cloud capacity, not the data itself. Still, neglecting vulnerabilities can mean trouble for your business when motives turn to theft.
The bottom line
Smaller businesses can’t ignore the danger of being hacked, as automated tools to scan IP addresses are common and will attack anything that’s vulnerable.
Myth: Cloud breaches are normally the result of targeted attacks.
You likely haven’t done anything to make your business stand out from the pack; data breaches are usually from misconfigurations, not from a suspicious actor who targets you specifically.
Google’s findings suggest that the public IP address space is routinely scanned for vulnerable cloud instances, so it’s just a matter of time before any given vulnerability is detected. Moreover, the majority of compromised cloud instances can be traced to poor customer security practices or vulnerable third-party software.
The bottom line
You could be in the line of fire more often than you imagine, so focus on strengthening your cyber strategy. That includes everything from using using multi-factor authentication to monitoring your configurations and responding to alerts.
Myth: The cloud is a set-it-and-forget-it tool.
If you neglect to track and monitor everything you’ve created and stored in the cloud, you could run into a tangled mess — or worse, you could lose a lot of money by unintentionally using assets you had forgotten about or no longer need.
Visibility is key: When you can see everything in one dashboard, including the details of your assets, it helps you configure things well and avoid scenarios that could bring cost and compliance issues (for instance, running workloads in a totally different region by accident).
The bottom line
Keep track as you create or migrate your cloud assets to catch issues that could be costly, time-consuming, and even unlawful before they build up in the background.
Stay on high alert
When you accept your security responsibilities and take configuration seriously, you can save a good deal of time and money on the cloud, freeing you up from personally managing your infrastructure and security. Of course, that can only happen when you keep on top of alerts.
The technical information in an alert isn’t always easy to understand. Rest assured, there are cloud security tools to offer visibility and consolidate alerts for you, making it easier to stay in control and interact safely with your data on the cloud. Start with the tools offered by your cloud provider.
Backing up data in the cloud will help you avoid the fallout of ransomware. But cyber extortion is changing, and your cybersecurity strategy may need to change with it — read our expert take on where ransomware might be headed.