In 2019, human error remains one of cloud security’s weakest links.
Through 2022, at least 95% of cloud security failures will be on the fault of the organisation - not the cloud platform itself - according to Gartner Research.
In the past two years, cybercriminals have increasingly taken advantage of widespread human error in infrastructure configurations, particularly the cloud, to launch successful zero-day attacks. A report by IBM X-Force revealed misconfigured cloud infrastructure and servers on the part of its administrators was the reason for exposure of nearly 70% of compromised records.
Why such a high figure? The simple fact is savvy cyber criminals are cottoning on to a rising number of poorly configured cloud servers, resulting in a 424% increase in data breaches through this avenue, with financial services suffering 27% of attacks across all business sectors.
It’s a confronting set of statistics, backed up by several recent high-profile data breaches that demonstrate even with the cloud’s proven security benefits, it’s up to the organisation to enforce security best practices and standards if they don’t want their data - and customers’ data - at risk.
Cloud security is as much on the business as it is the provider
Traditional discussion around improving cloud and IT security has historically been focused on the security of the cloud technology itself.
However, in 2019 and beyond, that can no longer be the case.
For Australian organisations that contributed to the $10.7 billion spent on cloud security services last year, research giants such as Gartner identify the new security challenge to overcome to successfully avoid data breaches isn’t around the technology, but about having the right processes and the people in place to effectively use it.
While the conversation around the many security benefits and features offered by providers like Microsoft Azure and Amazon Web Services is always important to have, it’s not the only one - and certainly the least challenging roadblock in your ongoing digital transformation journey.
We recommend organisations take a more proactive assessment of their own capabilities in effectively controlling and managing the many policies and mechanisms for data protection provided by cloud platforms - rather than solely relying on the provider’s security capabilities to ensure their data - and customer data - remains secure..
According to Gartner, 60% of enterprises that took the time to assess and leverage the many cloud control and visibility tools offered in platforms like Azure to strengthen their identity and security capabilities in 2018 experienced one-third fewer failures in these areas.
Meanwhile, businesses hosting their data workloads on Infrastructure as a Service (IaaS) with public cloud providers like Microsoft Azure suffered 60% less cloud-based security incidents than those hosting sensitive data in on-premises data-centres.
With these organisations centering their efforts on mastering the many monitoring and security tools available to them on the platform rather than relying on the cloud provider for protection, they became overall less of a target for opportunistic hackers and general data theft. All of this is underpinned by the shared responsibility model.
What is the cloud shared responsibility model?
Maintaining and securing databases, training security experts, and learning the in's and out's of various security tools is both complex and time-consuming.
Cloud platforms like Microsoft Azure offer proven benefits that help organisations reduce or otherwise eliminate many of these challenges with built-in security controls, governance and cost-effective tools, By shifting certain responsibilities to Azure, such as infrastructure maintenance, governance and monitoring, this allows businesses to simultaneously move their security budget resources elsewhere in the business, while still improving their overall security coverage with the backing of Microsoft Cloud.
However, it's important to understand in order to close your potential cloud security gaps completely, you need to better acknowledge what the provider is responsible for and what the cloud customer is responsible for. Both Microsoft Azure and Amazon Web Services define this as the shared responsibility model.
Image via: Microsoft
Think of Microsoft as the foundation of your data's physical, infrastructure and operational security. The company protects its datacenters with state-of-the-art technology; it continuously monitors and tests its hardware, firmware and hardware; and it has several security teams that focus on mitigating security risks across the cloud platform.
In essence, cloud providers like Microsoft are responsible for the security of the cloud.
As the customer, your business is responsible for protecting the security of your data in the cloud and the parts of the cloud service you control, which include accounts, access and identity management, data governance and rights management, client endpoints and stored data.
For full-proof cloud security, your business needs to take the time to take responsibility over the ideas of cloud security offered by the provider - of which there are numerous tools to support this.
The built-in cloud security controls that protect our data
Cloud platforms such as Microsoft Azure provide the highest level of data protection for all of our hosted workloads in several ways - but even so require us to follow security best practices to fully leverage its capabilities. Here’s a brief breakdown of the best in-built security features that your organisation needs to get acquainted with.
At-rest data encryption: Azure provides the highest standard of encryption and several tools for organisations to take advantage of, including Azure Key Vault (for password encryption), Azure Disk Encryption (for VM encryption) and Azure Storage Service Encryption (for storage account encryption). It’s up to the business to make sure data stored in Azure is properly encrypted to the standards of the both the organisation and legal compliance frameworks.
Identity and access: Azure Active Directory (AAD) is a multi-tenant cloud-based directory and identity management service that combines all core directory services, application access management and identity protection into one platform for Azure, Office 365, and hundreds of other SaaS, PaaS and on-premises cloud services. It’s up to the organisation to employ AAD’s in-built capabilities, such as Azure Multi-Factor Authentication, Conditional Access, Role-Based Access Control (RBAC) and Single Sign-On (SSO) to ensure access to data is granted only to those who need it and are stringently authorised to do so.
Monitoring and tracking: Azure Monitor (AM) is a cloud-based, end-to-end monitoring solution that allows businesses to collect granular performance and utilisation data from both their cloud and on-premises resources, and analyse and act on that data to proactively prevent and solve issues. It is accessed via Azure Portal and is the best tool to monitor active subscriptions and environments.
Network security: Azure virtual networks (VNet) provide businesses with the foundation for a highly secure network, but require proactive management on the organisation’s part to configure access rules using the inbuilt Network and Application Security Groups, and extend on-premises networks to their cloud environments using secure site-to-site VPN or a dedicated Azure ExpressRoute connection.
Unified security management: Azure Security Center helps detect, prevent and respond to security threats and offers increased visibility into and control over the security of all Azure environments. It gives a detailed glance on the security state of all resources in Azure; to get the most out of it, organisations must set security policies for resources and leverage its advanced threat detection, threat intelligence map and best practices recommendations from Microsoft to guide continuous and consistent threat response.
Take ownership over your customers’ data privacy
Cloud platforms like Microsoft lead the industry in terms of meeting the latest security and privacy requirements. Azure meets a broad set of international and industry-specific compliance standards which guarantee our customers’ data stored on the platform is protected, such as:
Australia Information Security Registered Assessors Program (IRAP)
General Data Protection Regulation (GDPR)
SOC 1 and SOC 2
While this well-deserved reputation and consistent adherence to global standards brings peace-of-mind on their ability to provide world-class cloud security, it’s still absolutely the organisation’s responsibility to take ownership over their customer’s data and privacy - and that they also adhere to these important legal frameworks.
Providers like Azure make it clear that customer data ownership is on us, not them; they don’t approve, inspect or monitor any of our business-critical applications we deploy to Azure, meaning they don’t know what data we choose to store in the cloud or how we choose to utilise their inbuilt identity, security and monitoring tools. If compliance breaches occur through our apps, organisations must better examine their own processes to determine what went wrong.
With increasingly complex legal and regulatory legislation being introduced in response to customer data breaches, the most recent being Australia’s Notifiable Data Breaches Act (NDB), it only drives the point home further that businesses - particularly in highly regulated industries such as FSI - must maintain ownership and control over their customer’s data privacy, always remain aware of new changes and comply with the latest requirements to the best of their ability.
This includes proactive monitoring and management over where customers’ data is stored, secured in transit (or at rest) and how customers can access their cloud resources,
Better cloud security in 2019 requires a fresh assessment
Cloud security can no longer be viewed as solely the responsibility of the cloud provider's anymore - you must proactively approach this issue and evaluate current practices.
It’s important to acknowledge shared accountability of our own data protection and security in the cloud and proactively take action to improve it - whether it be with better trained staff, or a a deeper examination of underutilised tools available to you - to avoid becoming another data breach statistic due to misconfiguration or oversight.
Data is both the lifeblood of a business and a potential management challenge, but its security is always manageable - so long as you know your own important role in following best practices. In short, let the provider handle overall security of the cloud - you focus on ensuring data remains secure within it, using the tools at your disposal..
Download Xello’s free white paper on Azure Identity & Security for a more in-depth dive into the many cloud security capabilities of Microsoft of Azure - and how your business can better protect your data by following best practices.