Cloud security is a complex challenge that most businesses still underestimate. A common mistake we see many organisations make after investing in a cloud management service is to then approach security in the same way they would with their IT systems of the past. But the cloud is an entirely new and unique concept, which requires a specialist approach to security and maintenance, as this article will explore in detail.
One of the top items on the agenda for any business using a cloud management service today is cyber security.
Whether you’re a small start-up or a global enterprise, large parts of your infrastructure, and many of your mission-critical applications, are now entirely digital. With that in mind, the risks you inherit by settling for poor cloud security cannot be taken lightly.
Not only that, but malicious attacks and data breaches are becoming more and more common all the time. Even some of the biggest companies in the world have been unable to defend themselves against this worrying trend in recent years.
A report by IBM also found that the cost of these incidents is rising for businesses who fall victim. 2021 has had the highest average cost for data breaches in the past 17 years, at a staggering $4.24 million USD (just over £3 million).
It’s become far too common now to wake up and find a high-profile news story about yet another cyber attack breaching a leading global brand’s cloud security measures.
Last year, British airline EasyJet was the target of a sophisticated hack on its IT systems, which reportedly compromised personal data of 9 million customers. This incident also involved the credit card details of almost 3,000 of those customers being accessed.
Just a few weeks ago, in October 2021, retail giant Tesco had to shut down parts of its website and mobile app for two days as it was under attack. For smaller organisations, a two-day outage like that would have a significant negative impact on the business from lost revenue.
In a world where organisations can now operate almost 100% digitally, situations like these are a business owner’s worst nightmare.
Unfortunately, as we can see from these examples, when you have cloud-based systems supporting your business across every department, security becomes more of a moving target than we’re used to.
If the security of your cloud management service isn’t keeping you up at night, either you’ve done all the necessary things to ensure it’s safe and sound – which is great – or you’re unaware of just how vulnerable the cloud can be if not given sufficient ongoing attention.
So, how do you maintain cloud security and protect your business against those risks?
Here we’ll explore the answers to this question and provide guidance for securing your own cloud deployments moving forward.
If you’re using the Amazon Web Services (AWS) cloud, or the Microsoft Azure cloud, these platforms do come with some security measures.
Of course, global tech leaders like Amazon and Microsoft will always ensure their platforms are highly secure. But it’s important to be aware that you’re responsible for maintaining and securing your own cloud systems once deployed.
Cloud security can be a bit like taking out a tenancy in a managed building. There will be security guards at the front door, an emergency exit, and maybe a few CCTV cameras. However, if you want to build a back door in your part of the building, you’d be responsible for adding locks and deadbolts to that door yourself to stop intruders getting in (or to ensure your employees aren’t taking things they shouldn’t be when they leave).
So, while the AWS and Azure clouds do come with plenty of in-built security, which we’ll look at in more detail shortly, you must also take your own proactive steps to ensure that all parts of your entire IT infrastructure are covered by an appropriate cloud management service that includes security.
Your organisation will contain a vast landscape of users, devices, applications, connected components, end-points, integrations, and much more. These must all be given dedicated attention to ensure your overall cloud environment is fully secure.
Remember, security isn’t just about stopping viruses and malware getting in.
Have you considered all the potential variables and vulnerabilities, beyond the basics? If not, your organisation is likely still at significant risk.
Another crucial point to understand here is that the concept of a cloud platform is different to a traditional on-premise IT system or a regular software product.
Similar to the issue of maintenance for the cloud, which we’ve discussed in detail here, you can’t just deploy a cloud-based solution and expect everything to run smoothly by itself. You must ensure you have processes and management in place for your cloud infrastructure, as it will be ever-changing.
For example, with the existing IT systems that are still supporting your organisation, you may have an annual or bi-annual evaluation of their security which has always been good enough. With the cloud, the evaluation and updating of security measures should be seen as a constant, ongoing responsibility.
Of course, it’s a positive thing to have those regular reviews in place, but it would be a mistake to think the same approach will be enough to keep your cloud secure.
One of the main advantages of a cloud deployment is its flexibility, scalability, and adaptability, but with those qualities comes that constant change. Your IT team will therefore need to think of your security strengths and weaknesses as continually changing as well.
It’s also important to remember that a cloud solution will include inter-connecting components to other systems, integrations with third-party or supplier software, and employees using shadow IT tactics, all of which make your infrastructure more vulnerable.
Additionally, if you have other divisions or areas of your business which have their own IT systems – even ones you’ve inherited – you’ll need to take due diligence to check they’re integrating with your cloud environment securely.
For example, global hotel brand Marriott International acquired a company named Starwood in 2016, unaware that its new addition’s IT network had already been compromised back in 2014.
The fall-out of this was catastrophic for Marriott, as the credit card details of many of those customers were included in the stolen data.
This serves as a valuable lesson, demonstrating the holistic view that must be taken to gain full confidence in the security of your IT infrastructure.
There’s another way that your cloud is regularly changing and evolving, which is from updates and patches delivered by Amazon or Microsoft themselves.
The AWS and Azure clouds are regularly being given security updates and patches, which address vulnerabilities and cover weaknesses in the platforms.
These are critical updates which will be pushed live no matter what, and they will affect your own cloud deployment as well.
You should consider it best practice to always check the updates have worked for your infrastructure, and to check they haven’t affected your own configuration or security measures.
It’s also important to have systems and processes set up – ideally automated, to save time and cost – to conduct regular updates of your own:
It’s crucial for whoever is responsible for security within your IT department to be proactive, rather than reactive, when managing your cloud environment.
All this may sound quite daunting, especially if your team doesn’t currently include any cloud specialists. Not only that, but we appreciate that you’d rather be spending your time running your business, or focusing on your own role, instead of constantly worrying about cloud maintenance.
This challenge was one of the driving forces behind the creation of our own bespoke CloudOps. CloudOps was built to automate the many ongoing processes which are necessary to successfully maintain and optimise cloud deployments.
We’d like to circle back to the earlier mention of AWS and Azure providing their own in-built cloud security tools and measures.
When procuring your cloud, you can either go straight to the vendor or you can work with a partner. We’ve spoken to many businesses who make the mistake of assuming that both of those options place the responsibility of securing the cloud with the provider.
This is rarely the case though, and often results in vulnerabilities or insufficient processes being present once the cloud solution has been deployed.
As discussed above, the cloud is your responsibility and it’s yours to secure. Whether you work directly with Amazon or Microsoft, or go down the partner route, they’re simply providing the platform and will only handle the basic security measures for you.
Of course, there are varying implications and limitations to this, depending on which of the two options you choose.
If you go straight to a cloud provider, they’ll offer you some support along with their own efforts to secure the platform.
AWS Security – Amazon states that, “As an AWS customer, you will benefit from AWS data centres and a network architected to protect your information, identities, applications, and devices. With AWS, you can improve your ability to meet core security and compliance requirements, such as data locality, protection, and confidentiality, with our comprehensive services and features.”
However, many of the features and services come at an additional cost. From identity and access management, to data protection, and even compliance, you’ll need to purchase additional solutions. This can become very costly.
Azure Security – Similarly, Microsoft offers, “Built-in controls and services in Azure across identity, data, networking, and apps, as well as continuous protection with deeper insights from Azure Security Centre. You can also extend protections to hybrid environments and easily integrate partner solutions in Azure.”
Of course, these are all things you’re responsible for doing yourself. And working out how to leverage and utilise these security tools within the platform is a complicated, time-consuming job in itself. Furthermore, if it’s something you get wrong then the impact on your business could be devastating.
Alternatively, if you’re working with a partner, it’s crucial to gain a full understanding of what they can and can’t do with regards to your cloud security.
Take proactive steps to check what measures they put in place for you, and where that leaves you in terms of your remaining vulnerabilities or gaps that need to be filled.
Unfortunately, it’s quite rare to find a partner that provides a cloud platform and then offers any ongoing security support beyond a standard configuration, which may not meet your needs.
For AWS these include managed services with cost management as well as hosting services
For Azure these include managed services with cost management as well as hosting services
When it comes to the cloud, the key thing to understand is that you must think far bigger, and be far more hands-on, than with any other IT infrastructure you’ve worked with in the past.
Of course, you and your team members need to be focusing on fulfilling your own roles. You want to be using your time to help drive your business forward, rather than worrying about getting to grips with managing a complex cloud infrastructure.
But we all know how important cyber security is these days. It’s unsurprising that as our digital business tools become more complex and sophisticated, so too do the tools used by the hackers targeting us.
With that in mind, placing the responsibility of your cloud security in the hands of a trusted, experienced partner can save you time and money, and could also save you from becoming the next in a long line of victims.
Cloud security is a vast area of IT and, as we’ve seen with the examples mentioned earlier in this article, it’s something even the biggest companies in the world fail to get right by themselves.
To gain full confidence in the security of your cloud infrastructure, it could be necessary to work with a specialist cloud management services partner with the expertise to fully protect your business.
Here at IG CloudOps, we’ve been helping businesses like yours gain full confidence in the security of their IT infrastructures for more than 10 years.
In that time, we’ve built a proven track record of providing guidance and support for the most challenging aspects of cloud management and security. We provide a cloud management service for both AWS and Azure which is underpinned by our CloudOps software and can be on your existing cloud deployment or ours.
This means that by working with us, you can finally hand over the burden of securing your cloud infrastructure into a pair of reliable, trustworthy hands, and return your full focus back to running your business.
If you need help with any of the cloud security issues explored here, and would like some additional guidance, please get in touch and a member of our team will be happy to talk through your needs.
CloudOps is designed to solve all the problems discussed here, and more. The solution has been developed based on our team’s experience in supporting and managing cloud environments since 2010.
CloudOps offers highly advanced performance and cost monitoring tools, support, security services, and administration through one single portal. This includes:
CloudOps is a proven way of solving the challenge of cloud management. The system can be implemented across any new or existing AWS and Azure cloud environment, allowing you to focus on delivering applications and services rather than worrying about maintaining your cloud infrastructure.
Unlike a traditional cloud support service, CloudOps already includes all the features and functionality your business needs without any hidden costs or surprise charges.
IG CloudOps will: