[Column] Marilyn Moodley: Cloud Security - Whose fault is it?
23-01-2023 07:56:00 | by: Nixon Kanali | hits: 1434 | Tags:

At least 95% of cloud security failures in the next three years will be the customer’s fault, according to Gartner. Unsurprisingly, the biggest threat to security is people. Misconfiguration mistakes escalated from 15% of exploitable errors in 2018 to more than 40% in 2021 and human error is now the third most common cause of security breaches, ahead of malware and right up there with social engineering and hacking. Complacency about cloud security is a major contributing factor, but this needs to change. Most cloud services operate under a shared responsibility model in which providers secure the infrastructure, while customers are required to lock down the software stack and applications. In other words, responsibility for patching vulnerabilities and controlling access to cloud accounts still lies with the user.

What does this mean? Organisations need to remain vigilant, ensuring that they take the necessary steps and precautions to secure their data and identities if they’re to avoid becoming an unfortunate statistic with no one to blame but themselves.

Identify, verify, control

No matter the deployment model, sufficient controls are required to govern access and usage. With such a variety of effective Identity and Access Control service providers available today, there is little excuse for businesses not to have these measures in place. Authentication and access control requires users to verify their identity, and secures their access to resources across cloud, SaaS, on-prem and APIs, while increasing speed, agility, and efficiency.

Such IAM solutions make it straightforward to provide the means for customers, employees and partners to all have secure access to the necessary resources. By using identity verification and access control services located in the cloud, the limitations and costs associated with on-premises IAM can be replaced by a more flexible, scalable solution. Cloud IAM is key to ensuring security outside of network perimeters and capabilities include authentication, access management, identity verification, consent collection, risk management and API security.

Access control to the cloud should be regulated through the creation of centralised rules and policies to streamline processes. The use of Multi-Factor Authentication (MFA) is critical to ensure the correct identification of individuals trying to access networked resources, while Privileged Access Management (PAM) tools enforce control over sensitive components and applications in the environment.  These tools form part of a larger cloud security picture that includes details such as a zero trust framework, bolstered with cybersecurity mesh, and reinforced with Secure Access Service Edge (SASE).

Zero trust: never trust, always verify

Zero trust is a framework for securing organisations in cloud and mobile spaces by insisting that no user or application be trusted by default. It enables least-privileged access, establishes trust based on context which is informed by user identity and location, endpoint security posture as well as the app or service being requested, while performing necessary policy checks at each step. A well-tuned zero trust architecture leads to simpler network infrastructure, a better user experience, and improved cyber threat defense.

SASE: borderless security

Secure access service edge (SASE) is a framework for network architecture that brings cloud native security technologies together with wide area network (WAN) capabilities to securely connect users, systems, and endpoints to applications and services anywhere. This ensures that data and traffic is secured, no matter where it travels.

Cybersecurity MESH: closing the gaps

Gartner describes cybersecurity mesh as “a flexible, composable architecture that integrates widely distributed and disparate security services”. Concerned with strengthening digital security while bringing tools closer to the assets they’re designed to defend, a cybersecurity mesh architecture (CSMA) encourages organisations to deploy solutions that fit their specific needs by working within their integrated ecosystems. This enables businesses to share cybersecurity intelligence, automate and coordinate responses to threats, and simplify their security operations. CSMA offers a distributed identity fabric that helps establish trusted access across all applications, customers, partners, and workforces.

Achieving visibility and developing security skill sets

Visibility in cloud security means eliminating blind spots that can result in overspending, performance inefficiencies and security complications. This is done through service-centric or role-centric tools, rather than host-centric tools to manage networks. If it is not possible to hire the necessary competencies, organisations will have to develop them. Many vendors offer online resources to help technologists learn the skills they need to become cloud security engineers. In addition to an increase in the need to cultivate the necessary skills, there will be an increase in demand for technologists that have the DevOps skills necessary to align business workloads with the cloud.  Upskilling will also be critical to bridging the skills gap which includes training business teams on how to use cloud tools.

Owning security responsibility

Accordingly, it’s important for businesses to remember that even when they’re purchasing infrastructure, software or functionality as a service, they’re not outsourcing total responsibility for security. This will continue to be a shared responsibility, because it is unlikely that service providers would willingly take on the possibility of being liable for human action or error beyond their control. As such, organisations will need to prioritise the acquisition of or the development of necessary security-minded skills in order to protect their digital assets from cyber harm.

Marilyn Moodley is the South African Country Leader for SoftwareONE.