
Navigating cloud security risks: Staying ahead of the curve

Ashok Pandey

As businesses of all sizes move to the cloud, security risks are on the rise. With cybercrime increasing year after year, it is essential for organizations to stay ahead of emerging threats and navigate cloud security risks before they become a problem.


As the world becomes more and more digitized, data privacy and confidentiality concerns are only going to become more prevalent. And with the recent rise in cloud computing, these concerns are only amplified. When you store data on a remote server (i.e. in the cloud), you are entrusting that data to the security of that server. And unfortunately, there have been a number of high-profile breaches of cloud security in recent years.

In 2011, for example, Sony's PlayStation Network was hacked, exposing the personal information of 77 million users. This is just one example of why data privacy and confidentiality are major concerns regarding cloud computing. When you store data remotely, you are essentially giving up control over who has access to that data. And if that data falls into the wrong hands, it could be used for identity theft, fraud, or other malicious activities.


Raj Sivaraju, President, APAC, Arete

“The majority of businesses are switching to cloud storage solutions. However, according to a survey, India is still one of the top five target countries for threat actors, and the report indicates over 8,174,132 breaches in the first quarter of 2022. Data loss prevention is crucial for the security and privacy of an organization's information. According to recent studies, cyber risks are expanding and entering the mainstream. In 2023, top firms will have extensively invested in cybersecurity policies and processes that have been updated or established, attack surface monitoring, and security automation.”

Concerns around sensitive data have grown concurrently with the rise in cloud utilization. The SaaS solutions and expanding infrastructure unquestionably increased the services' accessibility. Nearly all solutions provide 99.97% uptime. However, are they also upholding security, confidentiality, and privacy requirements, which are crucial to the data you and your clients store?


The majority of contemporary solutions have seen rapid feature evolution. These are created by entrepreneurs who are always competing with time to develop and release new features, enter the market first, and sign up customers. Large-scale service providers like AWS, Azure, GCP, etc. are the foundation for these solutions.


Manoj Shastrula, CEO & Founder Socly.io


“Young developers that are working on such a project with little expertise are aware of how to make it function, but they are unaware of how secure it is. They think that the cloud service providers are sufficiently safe to handle their products. In general, I use an analogy. When a potential client says, 'Since AWS has so many security certifications, my solution is already secure,' I reply, 'Think of AWS as an apartment complex that will give you a sturdy apartment. But it's up to you whether you choose to lock the door for security or punch a hole in the wall for more air.' These service providers have strong requirements for security, but how you utilize it is up to you.”

You might have taken a detour while you were creating that exposed private information to the public, or perhaps you accidentally switched off the encryption. This need not occur in your setting, but you can attest to the legitimacy of any vendor you work with.

With the aid of automation platforms that are already accessible, compliances like SOC 2, ISO 27001, GDPR, HIPAA, and others give you control and help you prevent these problems 24 hours a day, seven days a week. To protect your data and the data of your clients, thousands of checks are constantly made across compliances and criteria including Security, Privacy, Confidentiality, and Process Integrity. Companies must insist that their vendors obtain these compliances before signing and offer their customers the same level of trust given the rising data and security concerns.


Ganesh Srinivasan, Vice President – Compliance, Volante Technologies

In an era when digital transformation is rampant across industries, the significance of cybersecurity has never been larger. According to Nutanix’s global 2022 Enterprise Cloud Index (ECI) survey and research report, the complexity of managing across cloud borders and cybersecurity remain some of the major challenges for financial services organizations, with 50% of respondents citing security concerns as a challenge to the multi-cloud model.


Compliance with existing data security regulations is one step to mitigating the risks of operating in a public cloud environment and creating a secure infrastructure for financial institutions. Certifications with global compliance standards give customers a sense of security and save time in their due diligence. These certifications and regulatory requirements bring the fintech providers one step closer to catering service to customers in a secure manner.

A lack of visibility of the cloud attack surface within an organisation presents a huge risk, and assessing (and mitigating) cloud risk must start by identifying the cloud services an organisation currently uses. With 79% of employees in organisations actively using cloud apps to upload, share, or store data, the need to identify the cloud app and the type of data being processed or stored is key to understanding the risk.

It is incredible how much money is being spent by organisations on ensuring incredibly tight security controls over certain connections, or around certain applications, while the door is left open for data exfiltration or malware entry in other parts of the IT real estate, particularly cloud. Once IT teams have visibility of the realities of what is in use, and how it is being used, they can actually start to protect data.


David Fairman, Chief Information Officer and Chief Security Officer, Netskope

One of the areas that is a particular concern of mine is the regularity with which I see organisations creating exceptions to their well-thought-out security policies for huge quantities of their data. For instance, it is very common for organisations that do not have cloud native security to route their major cloud application traffic (such as Office 365) around—rather than through—security systems. They do this to ensure fast user experiences among remote workforces—avoiding backhauling through security architectures which can create latency.

However, we know that nearly 50% of all malware is now delivered via the cloud, and we also know that OneDrive is the primary source of this cloud delivered malware. Making an exception in this instance is introducing risk to your organisation. It frustrates me not just because of the increase in risk, but because it’s simply not necessary—we have worked hard to build technology where organisations do not have to compromise security to ensure user experience. In fact, a highly performant cloud security solution like ours—with significant local infrastructure investment—actually improves user experience.

When migrating to the cloud, security can be an afterthought for many organizations. This leaves the organization exposed to risks and threats specific to the cloud environment that are not protected by traditional on-premises security measures and tools. Therefore, it is important to understand the cloud security challenges.

Often in a hurry to enable business initiatives, cloud transformations are rushed without a specific cloud security strategy in place. This can result in a lack of trained security personnel, processes, and technology, for example in Covid-19-like scenarios that require business continuity solutions quickly. This creates a new attack surface with business-critical information, and it leads to misconfiguration and/or inadequate change control mechanisms and often abuse of insecure cloud credentials and access rights. While there are several cloud security technologies available, including cloud posture management, identity and access management and cloud workload protection, they need to be carefully configured and implemented to address specific risks.

Data privacy, which is the protection of an individual’s sensitive and confidential personal information, is the most common concern for many customers embarking on the cloud journey. Additional areas of concern are:

  • Data sovereignty, which refers to the laws applicable to data relating to the country in which it is physically located
  • Data localization, which refers to a governmental policy that prohibits organizations from transferring data outside a specific location, and
  • Data residency, which is a decision by businesses to store data in a specific geographical location

It is important to understand this journey as it relates to how data is being collected and processed. Understanding data sovereignty in the source and destination regions is imperative in order to adjust your data flows and ensure that data ends up under the most appropriate legal jurisdiction. While selecting the cloud vendor and through cloud agreements, it is particularly important to check all compliance aspects, including adherence to the ISO 27001, ISO 27017 for cloud security, PCI DSS and SOC1 and SOC2 compliances to ensure adequate security measures are taken by the cloud provider.


Umesh Bhapkar, Senior Director -Technology, Synechron

To reduce the risks, frequent assessments and adequate mitigations should be in place, e.g., policies to enforce prevention of misunderstandings, the right security procedures, and increased visibility of user access and behaviours through monitoring software deployed to cover your cloud assets and data.

Your cloud security framework should include a five-function approach: Identify, Protect, Detect, Respond and Recover with each function adding a layer of security to your cloud environment. Finally, cloud resources are configured by periodic backups and restoration tests which are routinely performed to ensure business continuity.

Unsecured cloud development environments, insecure APIs and test environments could lead to cyber security attacks on your cloud instances; these scenarios are not uncommon when due diligence is not applied thoroughly. Overall, lack of visibility on what is happening in the cloud and lack of capabilities to Protect, Detect, and Respond to threats could be disastrous. It is important to note that cloud security is a shared responsibility and cloud providers are not solely responsible for the security of your cloud instances running in their datacentre.

The cloud security stack should include Discovery, Monitoring and Assessment, and Protection mechanisms to defend your cloud environment from cyber-attacks. Therefore, it is important to maintain a holistic view of the assets in need of protection and build the right solutions based upon the service you have opted for in the cloud e.g., IaaS, PaaS, or SaaS.


Anuj Bhalla, Digital and Cloud Transformation Leader, President & SBU Head, APJI Enterprise, Tech Mahindra

“Data security in the cloud can be a challenging endeavor, especially with the adoption of different architectures such as multi-cloud and private Cloud as the organizations are preferring to go for hybrid cloud environments. Organizations are finding it more difficult to keep their data safe as the data's residency becomes more distributed, privacy regulations like the GDPR and CCPA are implemented, and growing threats of hacking unfold.

As organizations are thinking through their cloud strategy it is imperative for them to build security as a key component of their Cloud roadmap. To deal with the challenges around security one has to take a holistic approach. To begin with, there is a requirement to develop a data security governance strategy by understanding the security frameworks (governance-COBIT, architecture-SABSA, management standards-ISO/IEC 27001) and best practices for cloud security (Cloud workload protection platform, Cloud security posture management) to prioritize critical and sensitive data protection. While defining processes can be overwhelming, it is important for an organization to understand these security measures to avoid cybersecurity pitfalls.”

Finally, insider threat, which is the risk of employees and insiders with access to sensitive information and systems, should not be ignored.

Insider Threats – Employees and insiders who have access to sensitive information and systems pose serious risk to the data and business with their deliberate or accidental actions. Insiders may include employees involved in critical business/technology operations, contract staff or third parties involved in providing services. Threats may include unauthorised changes, causing revenue/data leakage or degradation of services.

Statistics related to security incidents due to insider threat are highly alarming:

  • 34% of businesses worldwide are affected by insider threats annually.

(Source: https://www.sisainfosec.com/blogs/insider-threat-human-vulnerabilities-resulting-in-cyber-attacks/)

  • Over the last 2 years, insider threat has increased by 44%

(Source: https://www.infosecurity-magazine.com/news/home-working-drives-44-surge-in/)

  • Cost per insider threat in 2022 is $15.38 million.

(Source: https://protectera.com.au/wp-content/uploads/2022/03/The-Cost-of-Insider-Threats-2022-Global-Report.pdf)

Therefore, it is imperative to implement processes and controls that provide greater visibility and control to prevent such threats.

  • Know your critical business processes, systems and information, and periodically assess the risk surface for those areas from insider threats. This would assist in prioritizing and building controls to check unauthorised activities by authorised users.
  • Minimise access; use methods such as just-in-time access, segregation of duties, workflows involving maker-checker, strict change management processes and rotation of duties.
  • Review the activities of users involved in sensitive operations such as finance, operations, IT management etc.; reconcile the activities on a periodic basis.
  • Define and enforce policies such as incident management, password standards, data leakage prevention, user monitoring, acceptable usage etc.
  • Deploy appropriate technological and operational controls to detect unauthorised activities and establish recovery processes.
  • Raise awareness among all employees of the various insider threats and their implications for the organization and employees.
  • Above all, put in place liabilities and penal provisions to be invoked against violating parties.

With the above set of controls and practices any organization could bring down or minimize the risk of insider malicious activities and prevent the organization from financial, reputational, and regulatory implications.


Srihari Kotni, Vice President - Chief Information Security Officer, Pine Labs

Today Cloud services including IAAS, SAAS have inevitably become part of IT infrastructure, and IT strategies are stressing moving more services into the cloud as this model offers businesses more flexibility, efficient scalability and lesser technical overload. As the Cloud services are managed by the respective service providers, the organisation will have partial/no control over the controls and oversight on data/information assets being treated within the CSP environment.

As certain organisations operate in a highly regulated environment, CISO organisations have to plan measures that help in protecting critical information assets and demonstrate compliance applicable to the sector. Adherence to compliance requirements has now become a boardroom agenda, and ensuring the same can be very complex with the ever-growing transition to cloud environments and involving multi-cloud environments.

For regulated industries, such as FinTech and Healthcare, which deal with large volumes of sensitive information, it is imperative for CSPs to ensure their data on Cloud is secure and meets compliance requirements; hence the consuming organisation puts in place a program to perform due diligence of the controls on a continuous basis.

  • Define a road map and Cloud strategy that prepares the organisation to adopt cloud services that ensure compliance with the standards the organisation has obligations to comply with. Cloud security framework, policies and procedures may support in smoothly transitioning to Cloud based services.
  • Currently SOC 1 and SOC 2 reports are the benchmark to substantiate that the organization has necessary controls in place to ensure security and privacy of information processed by the cloud service provider.
  • Data localization check is very critical for certain sectors in India; the organisation must check the region of service being offered.
  • CSPs often aggregate infrastructure for different customers; the organisation must check for controls that segregate their data from other customers.
  • Classify the assets based on data being processed; the organisation must put controls over and above the security features offered by the cloud service provider as deemed necessary.
  • The organisation shall consider data protection measures such as encryption/data masking by keeping the key management internally.
  • Put in place monitoring to timely assess incidents, misconfigurations and accidental exposures.
  • Most importantly, clearly document the cloud service provider's responsibilities in supporting adherence to compliance and regulatory requirements such as ISO 27001, HIPAA, PCI DSS and RBI etc., protecting data and supporting remediation in case of occurrence of breaches.

Ruchin Kumar, VP – South Asia, Futurex

Compliance is essential to both payments and general-purpose security. International compliance standards like PCI DSS ensure that every organization involved in the payment process is using secured systems—from the merchant, to the merchant’s acquiring bank, to the customer’s issuing bank. This creates trust between organizations and consumers, and is essential to any functioning payment cycle. Regulations like HIPAA are designed to make sure that organizations use encryption for personally identifiable information (PII), helping to protect the privacy of individuals. At the end of the day, cryptographic compliance is a symbol of trust. And trust is essential to the healthy functioning of an organization.

Organisations should look to build security architectures and policies that put data at the heart of everything, ensuring that controls and protections follow data anywhere it goes. In a modern business this means being able to continuously understand cloud and SaaS usage, and adapt access around changing contexts such as user location, device, identity, user behaviour, threat, application risk, jurisdiction and activity. The ability to gather such data points enables organisations to make informed risk decisions and adapt access accordingly. We call this approach ‘continually adaptive zero trust’ and visibility sits at its heart.
