This article is part of our new State of Cloud Security 2021 Series, which will interview a diverse mix of cloud security experts, decision-makers, and practitioners with the goal of better understanding their perspectives on the current state and future of cloud security. The following is an interview that OpsCompass CTO John Grange recently had with Scott Nicholson, Director at Bridewell Consulting.
JG: What is the state of cloud security today?
SN: While people have increasingly adopted cloud computing technologies and are reaping the benefits, they also need to be conscious of the risks that come with cloud security, specifically the protection of data, applications and infrastructures. Businesses need to remember that many aspects of cloud security are the same as on-premise IT architecture deployments. Ultimately, it’s an unfortunate fact that no business is unhackable, and with organizations being responsible for securing space in the cloud, they need to ensure that they have security best practices in place to deal with emerging threats.
JG: What are the most common challenges organizations face when it comes to cloud security today?
SN: The Covid-19 pandemic has led to increased usage during the periods where people have been working from home. This has meant that organizations have recently had to align focus on securing these services. Depending on the cloud service utilised, for example Infrastructure as a Service (IaaS) or Platform as a Service (PaaS), a company’s level of responsibility on cloud security can vary, and there is a common misconception that security is supervised by the cloud provider. This is reflected in past breaches such as the one on Imperva. API keys were exposed on the internet and used for further attack.
JG: What lessons can be learned from the biggest cloud-related breaches of 2020?
SN: Along with breaches caused by the common misconception that a business’s security is taken care of by its cloud provider, high profile hacks have occurred from businesses falling foul of not following simple best practice security measures. It’s entirely possible that Verkada’s high profile breach occurred due to password reuse, particularly due to the increase in credential stuffing attacks in the previous year. A key lesson to be learnt is that sticking to best practice really is the best form of prevention when it comes to cloud security.
JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?
SN: Organizations of all sizes and sectors should utilise the services offered by the public cloud providers such as Microsoft Azure, Amazon Web Services and Google Cloud Platform, which will allow them to quickly improve efficiency, scalability and security. Secondly, for businesses making the move to the public cloud in 2021, defining a comprehensive migration plan from the beginning will help ensure that data remains protected. Lastly, seeking out a security partner that can offer the consultancy to perform a maturity assessment and offer managed services will help businesses future-proof their operations.
JG: What’s the future of cloud security?
SN: Use of public cloud services has grown exponentially over the years and it’s unlikely to slow down. According to Oracle, 80% of all enterprise workloads will be in the cloud by 2025. With this trend set to continue, the cyber risk also increases. Ransomware threats such as Sprite Spider have been on the rise since July 2020, which has targeted ESXi hosts and encrypted VMs running on that host. This is particularly concerning as over 70% of the world’s virtualised workloads sit on VMware and commonly in the public cloud. Due to threats such as these, cloud security is only going to be more pivotal in future.