The Cloud Balancing Act: Improving Business Outcomes without Degrading Your Security Posture
Feb 24, 2020
Who knew that, way back in 1964, Bob Dylan would predict the challenges we’re facing with the cloud in 2020? The times they are a-changin’. We’re in the midst of an evolution in IT, led by the rapid adoption of cloud computing, which promises better business outcomes. While most of us keep our security posture top-of-mind in the face of these changes, it’s easy to become complacent, assume we have it covered and rely a little too heavily on the out-of-the-box security offered by our cloud providers. In Dylan’s prophetic words, “It’s time to start swimming or sink like a stone.”
With the cloud and SaaS applications, we get near-immediate deployment, consumption-based pricing, user customization, API architecture that supports application-to-application integration and global access. Business functional leaders have never-before-seen flexibility and power to tailor apps to their business needs, gather data and improve workflows.
However, these business leaders aren’t the only ones taking advantage of this opportunity. So are the bad guys, and their attacks come in all shapes and sizes—from sophisticated and coordinated to low-tech and highly scalable. Email is one of their favorite entry points.
In fact, the FBI reports that there were 166,000 incidents of business email compromise (BEC) between June 2016 and July 2019 worldwide, costing affected parties over $26 billion. In the United States over the same period, there were more than 70,000 BEC victims, which resulted in over $10 billion in losses. At SecureSky, 86% of the incidents we saw in our Cyber Threat Center in 2019 involved account takeovers (ATO) or tenant compromises.
The Dangers of Shared Responsibility, Business-Led IT and Legacy Security Thinking
It can seem like the deck is stacked against security professionals when it comes to the cloud. Cloud providers make it easy to adopt and optimize their offerings, but those benefits come wrapped in a shared responsibility model: the provider secures the underlying platform, while data integrity and confidentiality, endpoint security, and account access and identity management remain the customer’s job. When something goes wrong in those areas, we’re left holding the bag, which is why Gartner predicts that through 2025, 99% of cloud security failures will be the customer’s fault.
Business-led IT is another confounding factor around the cloud and SaaS apps. With no offense intended to our HR, finance and sales and marketing brethren, someone without a career focus on IT and security is simply not equipped to make informed decisions about it. Yet because selecting and implementing a SaaS application is so turnkey, business teams frequently make those decisions on their own, without a security review. This introduces a new enterprise security risk.
Additionally, many of us still apply a legacy security approach that worked for on-prem products but doesn’t work for the cloud. This isn’t just my view: in a cloud security survey conducted by (ISC)², 66% of respondents said traditional security solutions either don’t work at all in cloud environments or have only limited functionality. We bolt on a firewall and other products like a CASB in an attempt to make the cloud a closed and controlled network. We put agents on devices we control. We assess risk and check configurations at a point in time, quarterly or annually. We create SOCs and manually respond to threats.
Learning from Our Past Lives
That’s not to say you should throw the baby out with the proverbial bathwater. Security frameworks such as Forrester’s Zero Trust Networking, Gartner’s Continuous Adaptive Risk and Trust Assessment (CARTA) and Integrated Risk Management (IRM) are still very valid for securing the new cloud world.
Applied to the cloud, Zero Trust says that access to cloud features and data must be verified every time before it is trusted, never assumed from network location. CARTA extends Zero Trust by basing access decisions on context, for example the identity of the user, the geolocation of the request and the device being used, and by recognizing that risk is dynamic and should be assessed continuously rather than once at login. IRM makes risk management around the cloud a cultural underpinning of the business. All three have a valid and necessary place in the brand-new world of the cloud.
5 Tips to Help You Get Started
We’ve gathered the following tips from clients who have successfully navigated the mindset shift necessary for balancing the promise of the cloud with increased security risks.
- Speak with all business owners and make a complete inventory of your company’s use of cloud environments. Establish a process to maintain this visibility.
- Extend and modify your enterprise risk program to cover modern IT and application data flows and the other risk factors associated with each cloud environment: for example, password, access control and authentication policies.
- Leverage the available cloud-native security and compliance controls, detection policies and response capabilities, and augment with third-party tools and services as required.
- Incorporate auditing of cloud environments into your company’s logging, monitoring and detection platform and operational processes.
- Provide ongoing training to employees on securing cloud environments and recognizing SaaS-based attacks, such as phishing, BEC, ATO and API-based attacks.
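The CARTA discussion above and tips 2 through 4 come down to the same operational question: given a sign-in to a cloud tenant and its context, how risky is it, and what should the tenant do about it? The Python block below is an added example, not SecureSky’s code or any cloud provider’s API. It scores constructed sign-in audit events on identity context (unfamiliar country, impossible travel between consecutive sign-ins, unmanaged device, a legacy mail protocol that cannot prompt for MFA) and maps the score to allow, step-up or block. The field names, thresholds, weights and per-user baseline countries are assumptions for illustration; a real deployment would derive the baseline from the tenant’s own sign-in history and send the decisions to the logging and detection platform from tip 4.

```python
"""Context-aware sign-in risk scoring over constructed cloud sign-in events.

Added illustration of the CARTA-style checks in the text; not vendor code.
"""
from datetime import datetime, timezone
import math

# Constructed sample events, loosely modelled on a SaaS tenant's sign-in audit log.
# Names, addresses and coordinates (approximate city centres) are made up.
SAMPLE_EVENTS = [
    {"ts": "2020-02-20T08:02:11Z", "user": "alice@example.com", "country": "US",
     "lat": 41.26, "lon": -95.94, "managed_device": True, "protocol": "browser",
     "mfa_satisfied": True},
    # Same user, 29 minutes later, from another continent over IMAP: classic ATO.
    {"ts": "2020-02-20T08:31:40Z", "user": "alice@example.com", "country": "NG",
     "lat": 6.52, "lon": 3.38, "managed_device": False, "protocol": "imap",
     "mfa_satisfied": False},
    # Familiar country but an unmanaged device and no MFA: worth a step-up.
    {"ts": "2020-02-20T09:15:05Z", "user": "bob@example.com", "country": "US",
     "lat": 40.71, "lon": -74.01, "managed_device": False, "protocol": "browser",
     "mfa_satisfied": False},
]

# Assumed per-user baseline of countries seen recently (hypothetical table).
BASELINE_COUNTRIES = {"alice@example.com": {"US"}, "bob@example.com": {"US", "CA"}}

# Protocols that cannot prompt for MFA and are a well-known account-takeover path.
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp", "activesync_basic"}

# Ground speed above which two sign-ins cannot plausibly be one traveller (km/h).
MAX_PLAUSIBLE_SPEED_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def score_event(event, previous):
    """Return (score, reasons) for one sign-in, given the user's previous sign-in or None.

    Weights are illustrative assumptions, not a published scheme.
    """
    score, reasons = 0, []
    if event["protocol"] in LEGACY_PROTOCOLS:
        score += 40
        reasons.append("legacy_auth_protocol")
    if not event["mfa_satisfied"]:
        score += 10
        reasons.append("no_mfa")
    if not event["managed_device"]:
        score += 20
        reasons.append("unmanaged_device")
    if event["country"] not in BASELINE_COUNTRIES.get(event["user"], set()):
        score += 30
        reasons.append("unfamiliar_country")
    if previous is not None:
        hours = (parse_ts(event["ts"]) - parse_ts(previous["ts"])).total_seconds() / 3600
        km = haversine_km(previous["lat"], previous["lon"], event["lat"], event["lon"])
        if hours > 0 and km / hours > MAX_PLAUSIBLE_SPEED_KMH:
            score += 50
            reasons.append("impossible_travel")
    return score, reasons


def decide(score):
    """Map a risk score to a policy action (thresholds are assumptions)."""
    if score >= 60:
        return "block_and_alert"
    if score >= 25:
        return "require_mfa"
    return "allow"


def evaluate(events):
    """Score events in time order, remembering each user's last sign-in for travel checks."""
    last_by_user = {}
    results = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        score, reasons = score_event(ev, last_by_user.get(ev["user"]))
        results.append({"user": ev["user"], "ts": ev["ts"], "score": score,
                        "decision": decide(score), "reasons": reasons})
        last_by_user[ev["user"]] = ev
    return results


if __name__ == "__main__":
    for r in evaluate(SAMPLE_EVENTS):
        print(r)
```

The point of the block is the shape of the decision, not the particular weights: every sign-in is re-evaluated against identity, device and location context, and the same user can be allowed at 08:02 and blocked at 08:31. Feeding `reasons` into the SIEM alongside the decision is what turns the access control into the continuous monitoring the tips call for.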
If you would like more info about balancing cloud business and security, you can find more details on these concepts in our free eBook.