If you’re planning to rely on your cloud provider to protect your data, you’re placing your business at risk. You can count on your cloud provider to take steps to provide physical security of the infrastructure, and, depending on your cloud model, they may apply security patches.
But that isn’t enough to keep company data secure. Be sure you understand where vulnerabilities remain so you can take the necessary steps to protect your business.
Gaps in Cloud Security Control from Cloud Providers
There are several potential security vulnerabilities that cloud providers don’t address:
1. Secure configurations.
Determining the appropriate configuration settings for your cloud services is your responsibility. Relying on default configurations may be dangerous, as they are not always set up for security. There have been numerous reports in the media of databases and files accidentally made public when the default settings were not changed.
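The kind of check that catches the "accidentally public" case described above, as an added example that is not part of the original post: it walks a storage bucket policy and reports every statement that grants access to everyone. It assumes the policy is written in the AWS-style JSON policy document shape (Version, Statement, Effect, Principal, Action, Condition); the sample policy, bucket name and account id are constructed for illustration.

```python
"""Flag cloud storage policy statements that grant access to everyone.

Added example, not from the original post. It assumes the AWS-style JSON
policy document shape; the sample policy below is constructed for
illustration and does not describe any real bucket.
"""
import json
from typing import Any, Dict, List


def _principal_is_public(principal: Any) -> bool:
    """Return True if the Principal element means 'anyone', i.e. "*" or
    {"AWS": "*"} (possibly inside a list of principals)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        for value in principal.values():
            values = value if isinstance(value, list) else [value]
            if any(v == "*" for v in values):
                return True
    return False


def find_public_statements(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per Allow statement whose principal is the wildcard.

    Each finding records the statement id, the actions it opens up and whether
    a Condition block narrows who can use it. A public statement with no
    Condition is the default-configuration mistake the text warns about."""
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": actions,
            "conditioned": bool(stmt.get("Condition")),
        })
    return findings


def unconditioned_public(policy: Dict[str, Any]) -> List[str]:
    """Statement ids that are open to everyone with nothing narrowing them."""
    return [f["sid"] for f in find_public_statements(policy) if not f["conditioned"]]


# Constructed sample policy: one fully public read, one role-restricted write,
# and one wildcard principal that a Condition narrows to a single VPC.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "TeamWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/uploader"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnlyList", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0example"}}}
  ]
}
""")

if __name__ == "__main__":
    for finding in find_public_statements(SAMPLE_POLICY):
        flag = "narrowed by Condition" if finding["conditioned"] else "OPEN TO EVERYONE"
        print(f"{finding['sid']}: {', '.join(finding['actions'])} ({flag})")
```

Running a check like this against every bucket policy before deployment, and again on a schedule, turns the "someone forgot to change the default" failure into a finding that can be fixed before anyone outside the organisation finds it.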
2. User management.
The cloud provider doesn’t know who should have access to your resources; you need to establish user access controls that grant users appropriate privileges. This can be challenging, particularly if you don’t have federated identity management and have to manage user privileges in multiple places.
3. Shared resources.
Cloud resources are shared among multiple customers through virtual machines (VMs) running on common hardware. Known vulnerabilities in VM isolation could allow attackers to break out of one VM and access data belonging to another. While such attacks remain more theoretical than practical today, the risk is real.
4. Compliance requirements.
Your cloud provider can’t ensure that you meet your compliance mandates, even if they provide an environment certified to meet industry standards. Your cloud provider doesn’t even know if the usage is authorized, particularly for free tiers and service trials. Unless you make special arrangements, you may not be able to ensure that data is stored locally and meets data residency and contractual obligations. When you terminate a service, data may not be fully deleted. You may not be able to manage your own encryption keys.
5. Insecure APIs.
Many cloud computing applications rely on APIs to connect services. These APIs aren’t always properly secured, and an API without sound authentication and authorization gives unauthorized users a path to your services and data.
Overcoming Cloud Security Control Gaps
Overcoming these cloud security control gaps requires a comprehensive strategy using multiple tools and policies. One effective tool that addresses many of these gaps is a cloud access security broker (CASB). CASBs mediate access between users and the cloud, and they offer many features to address security concerns, including:
• the ability to discover shadow IT. CASBs can detect users accessing cloud services you haven’t approved.
• data loss prevention. CASBs can detect personally identifiable information, such as social security numbers, in documents sent to the cloud.
• access control and rights management. CASBs can limit access to cloud documents and prevent modifications or further distribution.
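Two of the CASB capabilities listed above, shadow IT discovery and data loss prevention, reduce to checks a defender can reason about directly. The following is an added example, not part of the original post and not any vendor's CASB code: it scans constructed proxy log lines for uploads to hosts outside an approved list, and scans a constructed document for US social security numbers while rejecting lookalikes that fail the issuance rules (area 000, 666 or 900-999; group 00; serial 0000). The log format, hostnames, user names and document text are all constructed for illustration.

```python
"""Two CASB-style checks over constructed sample data: shadow IT discovery
from proxy logs, and SSN detection in a document bound for the cloud.

Added example, not from the original post and not any vendor's CASB code.
The log format, hostnames, users and document text are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed proxy log lines: timestamp, user, destination host, bytes uploaded.
PROXY_LOG = """\
2024-05-01T09:02:11Z alice storage.approved-cloud.example 48213
2024-05-01T09:05:40Z bob share.unknown-files.example 913004
2024-05-01T09:07:02Z alice storage.approved-cloud.example 1200
2024-05-01T09:09:55Z carol notes.personal-sync.example 220410
2024-05-01T09:11:13Z bob share.unknown-files.example 5521
this line is malformed and must be skipped
"""

APPROVED_HOSTS: Set[str] = {"storage.approved-cloud.example"}

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def discover_shadow_it(log_text: str, approved: Set[str]) -> Dict[str, Dict[str, int]]:
    """Total the bytes uploaded to each host outside the approved list, per user.

    The result answers the two questions a reviewer asks first: which unapproved
    services are in use, and who is sending how much data to them."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        _ts, user, host, nbytes = m.groups()
        if host not in approved:
            totals[host][user] += int(nbytes)
    return {host: dict(users) for host, users in totals.items()}


# SSN shape is area-group-serial. The lookarounds stop a longer digit run
# such as 1123-45-67890 from matching on its inner characters.
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Apply the issuance rules: area never 000, 666 or 900-999; group never
    00; serial never 0000. Anything else with the right shape is treated as
    a possible SSN."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> List[str]:
    """Return every candidate in the text that passes the issuance rules,
    dropping part numbers and the like that merely share the dash layout."""
    return [
        f"{a}-{g}-{s}"
        for a, g, s in SSN_CANDIDATE.findall(text)
        if is_valid_ssn(a, g, s)
    ]


# Constructed document: two well-formed SSNs (219-09-9999 is the number the
# SSA uses in its own advertising and has never been issued) among lookalikes.
SAMPLE_DOC = (
    "Payroll export. Employees 219-09-9999 and 123-45-6789 listed. "
    "Part 000-12-3456, order 666-01-0001, batch 123-00-4567, "
    "lot 987-65-4320, ref 555-55-0000 and code 1123-45-67890 are not SSNs."
)

if __name__ == "__main__":
    for host, users in discover_shadow_it(PROXY_LOG, APPROVED_HOSTS).items():
        print(f"unapproved service {host}: {users}")
    print("SSNs found in document:", find_ssns(SAMPLE_DOC))
```

A real CASB does both of these inline, blocking or quarantining the upload rather than reporting after the fact, but the decision logic is the same: an allow-list of approved destinations, and content rules that are strict enough to avoid burying analysts in false positives from every dash-separated number.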