Understanding the Security Risks of Cloud Environments
C-suite executives should not expect the pace of decision-making to slow as the pandemic continues. Network migrations to the cloud, which likely would have taken place over five years, will be compressed into much shorter time spans. In the race to move digital assets to the cloud, most organizations did not have time to ensure basic network security compliance.
What cloud security gaps do organizations need to address now?
C-suite executives should not expect the pace of decision-making to slow as the pandemic continues. Network migrations to the cloud, which likely would have taken place over five years, will be compressed into much shorter time spans. In the race to move digital assets to the cloud, most organizations did not have time to ensure basic network security compliance. More than 30% of surveyed respondents said that they rely on their third-party providers to certify security management services.Although the cloud enables organizations to respond rapidly to pandemic-related issues
and market opportunities, the decentralized nature of this model adds complexity to how
applications and computing resources are secured.
Who Secures What?
Organizations cannot simply move their critical business infrastructure and applications to the public cloud and assume that the hosting partner will take care of security. Cloud providers typically deliver the same standardized security across their customer base,
essentially a “checkbox level” offering that meets basic requirements but does not meet the specialized needs of a specific enterprise.
This depends on the nature of the application and the enterprise’s readiness to move to the cloud as is or needing to be transformed into a cloud-native architecture. Organizations may assume that cloud providers are securing their digital assets without realizing how many gaps exist in the broadened attack surface.
To understand where the gaps exist in public cloud network security, organizations need visibility across all the different platforms from one holistic solution that enables management of the security posture by utilizing one common language. The goal is to be able to:
- Prevent attacks by reducing the size of the attack surface
- Detect and identify evolving threats
- Respond with accurate and effective mitigation
As network architectures get more complex, there is added pressure to secure the new points of attack vulnerability. Cloud environments introduce a significantly larger attack surface that requires protection from cyberattacks.
Mind the Gap
There is also a lack of visibility about which entity — the organization or the cloud service provider — is responsible for specific elements of network security.
In Radware’s 2019 State of Web Application Security Research report, 65% of the respondents said that they are not clear about security boundaries, and 53% of the respondents experienced data exposure as a result of misunderstandings with the public cloud provider regarding security responsibilities.
Increased agility and the pace of assets staged or de-staged make it challenging for organizations to realize and protect their rapidly changing security perimeter. C-suite executives should be mindful of potential security gaps as they continue to move digital assets to the cloud.
Indicators of Cloud Security Gaps
Senior executives are seeking ways to reduce risk exposures by proactively aligning network security strategies with business objectives. There are a number of questions they can consider to determine if their cloud environments have security gaps that need to be addressed.
- Changes in network topologies and configuration
- Challenges in adapting applications to cloud-native architectures
- Changes in cloud workloads, such as containers, application programming interfaces (APIs), compute instances, storage, etc.
- Sophistication of data access/authentication methods and shadow IT
- Remote operations and workforce possibly resulting in noncompliance for key regulations such as HIPAA, GDPR and CCPA
- Management of distributed assets and environments
- Management of third-party interfaces
- Inconsistencies in third-party data access
- Overall lack of consistent security posture and policy enforcement