In order to best mitigate cloud security risk, it’s necessary to understand what threats exist, how they originate, and how they can be prevented. Thereafter, a best practice is to use a cloud security and compliance solution with real-time detection and automation capabilities to protect your cloud environment around the clock.
Here are the twelve most highly-rated security risks of operating in the cloud with descriptions of their consequences, analyses of how they originate, and advice on how to mitigate each cloud security risk. The Treacherous 12 are:
- Data breaches
- Weak identity, credential, and access management
- Insecure APIs
- System and application vulnerabilities
- Account hijacking
- Malicious Insiders
- Advanced persistent threats
- Data loss
- Insufficient due diligence
- Abuse of cloud services
- Denial of service
- Shared technology vulnerabilities
Although each entry is a cloud security risk in its own right, there are some that share similar characteristics and could be mitigated by the implementation of a simple measure—for example, applying least possible privileges to all users would mitigate the threat from account hijacking, malicious insiders, abuse of cloud services, and possibly data loss and data breaches, as well. Indeed, applying the least possible privileges is the first of our five ways to mitigate cloud security risk.
#1 Grant the Minimum Privilege Levels Necessary
Most Cloud Service Providers have their own best practices for identity, credential, and access management. AWS’ best practices are particularly comprehensive, as they cover giving each IAM user a unique set of security credentials and applying different privileges to each user, starting with the minimum necessary permissions to perform only the tasks users need to perform.
AWS recommends applying a minimum set of privileges to each user and adding additional privileges as necessary. It’s also suggested businesses manage privileges in groups, fine-tune privilege levels with policy conditions, and enable AWS CloudTrail in order to gain greater visibility into user activity. Thereafter, businesses should enforce a strong password policy and rotate security credentials regularly.
#2 Enable Multi-Factor Authentication for Privileged Accounts
AWS also recommends enabling multi-factor authentication for privileged accounts; however, some security experts recommend enabling multi-factor authentication for all accounts to minimize cloud security risk. It takes only one compromised email account at the lowest privilege level for cybercrimes such as phishing to escalate to a much higher level.
There’s no doubt multi-factor authentication can be inconvenient, but it’s a good way to keep users aware of cloud security risks. A best practice for implementing this measure is to use security keys rather than SMS or email PINs, because the devices used to receive SMS or email PINs are likely the same devices used to log into the business’s cloud accounts.
#3 Everyone Needs Educating about Cloud Security Risk
Inasmuch as multi-factor authentication can keep cloud security risk in the forefront of users’ minds, everyone in the business from C-Suite to warehouse needs educating about cloud security risk. As mentioned above, it only takes one compromised email account for a cybercriminal to hijack an account, steal data, and infect a system with vertically-spreading malware.
Educating employees about cloud security risk involves more than speeches and demonstrations. Employees should be put to the test with phishing simulations and social engineering attacks. This measure will not only help your business mitigate cloud security risk, but also strengthen security in other areas of its operations.
#4 Encrypt as Much Data as You Can
Data encryption doesn’t necessarily keep data secure, but it limits the impact of data breaches if stolen data is undecipherable and unusable. Yet the majority of businesses fail to encrypt data in the cloud: one investigation found 40 percent of data in storage buckets and 82 percent of data in relational database services unencrypted.
Some businesses are opposed to encrypting every piece of data because it can affect the performance of cloud-based applications. Nonetheless, encrypting sensitive, personal, and business-critical data is a best practice every business should follow—ensuring that the encryption keys are maintained separately from the encrypted data.
#5 Take Advantage of Automation to Mitigate Cloud Security Risk
It’s not humanly possible to monitor a cloud environment around the clock, so taking advantage of automation to proactively detect and mitigate security risks makes perfect sense. With automation, you can build security guardrails that proactively look for misconfigurations at the time of application deployment and then continuously monitor for drift over time. The idea behind guardrails is that security does not enforce strict policies but defines boundaries within which developers can innovate freely in the cloud. If someone accidentally violates a guardrail, the automation solution can be configured to provide feedback or take an automated action that remediates the violation.
In the context of what has been discussed above, you could apply a guardrail during application deployment to automatically alert a user or execute a function if a storage volume tagged “PII” is unencrypted. In this case, the function would encrypt the volume and its contents. The solution can also be configured to alert you to any users with root account API access or users that log in from an unrecognized IP address.
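The three guardrails described above can be sketched as a small rule evaluator. This is an added example, not CloudHealth's or AWS's code; the volume inventory, the activity records (loosely modeled on CloudTrail fields), the rule names, and the recognized network range are all constructed assumptions.

```python
import ipaddress

# Constructed sample data; IP ranges are documentation-only addresses.
KNOWN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
VOLUMES = [
    {"id": "vol-a", "tags": ["PII"], "encrypted": False},
    {"id": "vol-b", "tags": ["PII"], "encrypted": True},
    {"id": "vol-c", "tags": ["scratch"], "encrypted": False},
]
EVENTS = [
    {"user": "alice", "identity_type": "IAMUser",
     "event_type": "AwsConsoleSignIn", "source_ip": "198.51.100.17"},
    {"user": "root", "identity_type": "Root",
     "event_type": "AwsApiCall", "source_ip": "198.51.100.20"},
    {"user": "bob", "identity_type": "IAMUser",
     "event_type": "AwsConsoleSignIn", "source_ip": "203.0.113.9"},
    {"user": "carol", "identity_type": "IAMUser",
     "event_type": "AwsConsoleSignIn", "source_ip": "not-an-ip"},
]

def finding(rule, resource, action):
    return {"rule": rule, "resource": resource, "action": action}

def check_volumes(volumes):
    """Flag unencrypted volumes tagged PII; a missing flag counts as unencrypted."""
    return [finding("pii-volume-unencrypted", v["id"], "encrypt")
            for v in volumes
            if "PII" in v.get("tags", []) and not v.get("encrypted", False)]

def is_recognized(ip_text, networks):
    """True only if the address parses and falls inside a recognized network."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable source is treated as unrecognized
    return any(addr in net for net in networks)

def check_events(events, networks):
    """Alert on root API calls and on sign-ins from unrecognized addresses."""
    out = []
    for e in events:
        kind = e.get("event_type")
        if e.get("identity_type") == "Root" and kind == "AwsApiCall":
            out.append(finding("root-api-access", e["user"], "alert"))
        if kind == "AwsConsoleSignIn" and not is_recognized(
                e.get("source_ip", ""), networks):
            out.append(finding("login-from-unrecognized-ip", e["user"], "alert"))
    return out

def evaluate(volumes, events, networks):
    return check_volumes(volumes) + check_events(events, networks)

if __name__ == "__main__":
    for f in evaluate(VOLUMES, EVENTS, KNOWN_NETWORKS):
        print(f)
```

Treating a missing encryption flag or an unparsable source address as a violation keeps the guardrail failing closed when the inventory or log data is incomplete.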
Speak with CloudHealth about Mitigating Security Risks in the Cloud
If you have concerns about the “Treacherous 12” threats to security in the cloud, speak with our team of cloud experts to find out more about the security and automation capabilities of CloudHealth. Our team will be happy to organize a demonstration of real-time detection and automation capabilities for you to see the simplicity with which it’s possible to mitigate cloud security risk.