    Security and compliance in the cloud: Lessons from breaches

    It's often assumed that cloud environments are secure by default, which leads to a host of security challenges that many fail to properly address.

    The adoption of cloud services has soared in recent years, as organizations move from on-premises infrastructure to cloud technologies that offer flexibility and scalability. Cloud-based solutions are a huge driver of business innovation, and adoption shows no signs of slowing down: Gartner expects spending on public cloud services to increase by 21.5% this year compared to last.

    On the downside, it’s often assumed that cloud environments are inherently secure by default, which leads to a host of security challenges that many fail to properly address.

    You’re only as secure as your configurations

    Some cloud services ship with secure defaults, depending on what you bought from the provider, but default settings only go so far. Multi-cloud or multi-tenant environments complicate matters because you have more controls to implement and more workloads to secure, and the more complex the environment or the more applications it runs, the harder they are to secure. Without proper expertise and regular assessments, security gaps inevitably emerge.

    Lessons from major breaches

    A cloud storage platform

    Situation: A major cloud-based storage service failed to protect an endpoint, leaving a high volume of data publicly accessible without proper access controls. The oversight exposed over 250 million customer records, including email and IP addresses.

    Lesson learnt: Don’t assume that your cloud solutions are automatically secure. Under the shared responsibility model, protecting data is a joint task: the provider secures the underlying platform, while the organization is responsible for configuring and controlling access to its own data. Organizations must take ownership of that part and put proper configuration and access controls in place before exposing any endpoint publicly.

    When an endpoint is publicly exposed, it means:

    • The service can be accessed by anyone on the internet without going through appropriate security barriers.
    • The endpoint has a public IP address or a DNS name that is reachable from outside your private network.
    • There's potential for unauthorized access if proper authentication and authorization controls aren't in place.
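    To make the exposed-endpoint condition above checkable rather than a matter of judgement, here is an added example (not code from the original page or from any cloud provider) that reviews a storage resource policy for statements granting access to anyone on the internet. It uses an AWS-style bucket policy as the illustration; the page does not name a provider, and the bucket name, account ID and role in the samples are made up.

```python
"""Flag resource-policy statements that expose a storage endpoint to the whole
internet.

Added example for this article, not code from the original page or from any
cloud provider.  It uses an AWS-style bucket policy as the illustration (the
page does not name a provider); the bucket name, account ID and role below are
made up.
"""
import json


def _as_list(value):
    """Policy grammar allows a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True when the statement applies to anyone: '*' or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def find_public_statements(policy):
    """Return the Sids of Allow statements that grant access to an anonymous
    principal without any Condition narrowing who can use them.

    A Condition block (for example aws:SourceVpce or aws:SourceIp) is treated as
    a mitigating control here; a real review would still inspect what it allows.
    """
    public = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        public.append(stmt.get("Sid", "<no Sid>"))
    return public


# Constructed sample: the weak policy a misconfigured "public" bucket might carry.
PUBLIC_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowAnyoneToRead",
     "Effect": "Allow",
     "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-support-logs",
                  "arn:aws:s3:::example-support-logs/*"]}
  ]
}
""")

# Constructed sample: the same access, restricted to one role in the account,
# plus a Deny that forces TLS (a Deny with Principal "*" is not an exposure).
RESTRICTED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowSupportRoleOnly",
     "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/support-analyst"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-support-logs",
                  "arn:aws:s3:::example-support-logs/*"]},
    {"Sid": "DenyUnencryptedTransport",
     "Effect": "Deny",
     "Principal": "*",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-support-logs/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}
""")


if __name__ == "__main__":
    for name, pol in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, "->", find_public_statements(pol) or "no public statements")
```

    Run against every bucket policy in an account as part of a regular configuration review; a non-empty result is exactly the "publicly exposed endpoint" condition described above, caught before an attacker finds it.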

    A financial services company

    Situation: At a global financial services company, a firewall misconfiguration let attackers exploit a server-side request forgery (SSRF) vulnerability, in which a server is tricked into making requests to internal resources that it can reach but the attacker cannot. The breach affected approximately 100 million individuals. With proper monitoring and a routine audit, a simple configuration review of the firewall would have prevented the breach.

    Lesson learnt: Implementing the principle of least privilege (PoLP) and conducting regular security audits could have prevented this incident. PoLP is a fundamental cybersecurity concept that limits user and system access rights to only what is necessary to perform required functions. It matters particularly for SSRF in the cloud: a server that can be made to issue arbitrary requests can usually reach the instance metadata service and obtain the temporary credentials of whatever role is attached to that instance, so an over-privileged role turns a single SSRF into broad access to the account's data. Applying least privilege effectively reduces the attack surface, minimizes the impact of breaches, helps meet compliance requirements, and supports a broader defense-in-depth strategy.
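    The following is an added example, not code from the original page or from the company involved in the breach. It shows a URL-fetching helper written the way that typically produces an SSRF, beside a hardened version that enforces a hostname allowlist, refuses non-HTTP schemes, unusual ports and embedded credentials, and checks that an allowlisted name still resolves to a public address so it cannot be pointed at 169.254.169.254 or a private subnet. The allowlisted hostnames and the addresses returned by the fake resolver are made up; the least-privilege side of the lesson (what credentials the server carries) is an IAM matter and is not addressed by this code.

```python
"""SSRF: a vulnerable URL fetcher beside a hardened one.

Added example for this article, not code from the original page or from the
company involved in the breach.  The allowlisted hostnames are made up.  The
only network I/O in the validation path is the DNS lookup in the default
resolver, which callers can replace (the self-check below does).
"""
import ipaddress
import socket
from urllib.parse import urlsplit
from urllib.request import urlopen

# Hostnames the application legitimately needs to fetch from (constructed).
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}
ALLOWED_PORTS = {None, 80, 443}  # None = the scheme's default port


def fetch_vulnerable(url):
    """The pattern behind most SSRF bugs: a user-controlled URL goes straight to
    the HTTP client.  From inside a cloud VM this fetches
    http://169.254.169.254/latest/meta-data/ (the instance metadata service) or
    any internal admin endpoint just as readily as a public image.
    """
    return urlopen(url).read()  # do not use: the target is never checked


def resolve_with_system_dns(host):
    """Default resolver: every address the hostname currently resolves to."""
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}


def _is_internal(addr):
    """Addresses an SSRF is typically aimed at: loopback, RFC 1918, link-local
    (which includes 169.254.169.254, the metadata address on the major clouds)
    and anything else that is not globally routable."""
    return not addr.is_global


def validate_url(url, resolver=resolve_with_system_dns):
    """Return (ok, reason).  ok is True only when the URL may be fetched."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL not allowed"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    # Allowlist first: IP literals (169.254.169.254, 127.0.0.1, or any
    # obfuscated spelling of them) are never on it, so they are refused without
    # needing a blocklist at all.
    if host.lower() not in ALLOWED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    # An allowlisted name must also resolve somewhere public.  This catches a
    # compromised or rebinding DNS record that points cdn.example.com at the
    # metadata service or a private subnet.
    for ip in resolver(host):
        addr = ipaddress.ip_address(ip)
        if _is_internal(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


def fetch_hardened(url, resolver=resolve_with_system_dns):
    """Fetch only after validation; callers get a clear error otherwise."""
    ok, reason = validate_url(url, resolver)
    if not ok:
        raise ValueError(f"refusing to fetch {url!r}: {reason}")
    return urlopen(url).read()


if __name__ == "__main__":
    # Offline self-check with a fake resolver (constructed addresses).
    def fake_dns(host):
        return {"1.2.3.4"} if host == "images.example.com" else {"169.254.169.254"}

    for candidate in ("http://169.254.169.254/latest/meta-data/",
                      "http://images.example.com/logo.png",
                      "http://cdn.example.com/rebound.js",
                      "file:///etc/passwd",
                      "http://images.example.com:8080/admin"):
        print(candidate, "->", validate_url(candidate, fake_dns))
```

    The allowlist is the primary control; the resolution check is defense in depth. Validation and fetch are still separate steps, so a DNS record can change between them (DNS rebinding): in production, connect to the address you validated rather than letting the HTTP client resolve the name again, or route outbound requests through an egress proxy that enforces the same rules. Where the provider offers a token-based metadata service, enabling it and disabling the legacy unauthenticated one blunts the credential-theft path regardless of application bugs.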

    A false sense of security

    Organizations are often overconfident in their cloud security practices, for several reasons:

    • Over-reliance on cloud providers: As we can see from the breaches above, cloud environments are not secure by default.
    • Confusing compliance with security: Being compliant with regulations doesn’t mean you’re completely secure.
    • Lack of continuous monitoring: Organizations frequently fail to perform regular penetration tests and audits and/or implement continuous monitoring/patching.

    Regulatory frameworks strengthening cloud security

    As high-profile cloud breaches continue to make headlines, regulatory bodies around the world have responded with rigorous frameworks designed to protect sensitive data and critical infrastructure. Two particularly significant frameworks directly affect how businesses approach cloud security: the Network and Information Security Directive (NIS 2) and the Digital Operational Resilience Act (DORA). They are changing cloud security in the following ways:

    NIS 2

    NIS 2 is an EU directive aimed at raising the level of cybersecurity across the Member States. It directly affects cloud security by requiring:

    • Mandatory risk assessments to identify vulnerabilities in cloud infrastructure.
    • Supply chain security requirements that extend to cloud service providers.
    • Incident reporting mechanisms for timely response to security incidents.
    • Business continuity planning to maintain operations during cyber incidents.

    DORA

    DORA specifically targets the financial sector with provisions for:

    • Information and Communication Technology (ICT) risk management frameworks for comprehensive security oversight.
    • Third-party risk management requirements covering cloud service providers.
    • Structured incident reporting to regulatory authorities.
    • Regular resilience testing to ensure systems can withstand attacks. For certain financial entities this includes advanced threat-led penetration testing (TLPT) at least every three years.

    Non-compliance carries both financial penalties (under NIS 2, essential entities face fines of up to €10 million or 2% of global annual turnover, whichever is higher, while DORA leaves the penalty regime largely to the Member States) and reputational damage that inevitably affects customers' willingness to do business with you.

    Cloud security best practices

    To effectively secure cloud environments, consider implementing these best practices within your business:

    • Master the shared responsibility model: Clearly understand where your security responsibilities begin and the cloud provider's end.
    • Encrypt sensitive data: Encrypt personally identifiable information at rest and in transit; several regulations require it outright.
    • Implement robust identity and access management (IAM) controls: Many incidents trace back to roles and users configured with the wrong access controls or IAM policies, which lets attackers escalate privileges.
    • Apply privacy by design principles: Implement row-level or column-level security in data warehouses so that teams can only view the data they need.
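    The least-privilege lesson from the financial services breach and the IAM bullet above come down to the same review question: does any statement grant more than the workload needs? Here is an added example (not code from the original page) that lints AWS-style IAM identity policies for full or service-wide action wildcards, write-capable actions on every resource, and privilege-escalating actions that are not pinned to a specific resource and condition. The page names no provider; the account ID, role and bucket names are made up.

```python
"""Least-privilege review of IAM identity policies.

Added example for this article, not code from the original page.  It uses
AWS-style IAM policy JSON as the illustration (the article does not name a
provider); the account ID, role and bucket names are made up.
"""
import json

# Actions that let a principal widen its own (or another principal's) rights.
# An Allow on any of these deserves scrutiny even in an otherwise narrow policy.
ESCALATION_ACTIONS = {
    "iam:attachrolepolicy", "iam:attachuserpolicy", "iam:attachgrouppolicy",
    "iam:putrolepolicy", "iam:putuserpolicy", "iam:putgrouppolicy",
    "iam:createpolicyversion", "iam:setdefaultpolicyversion",
    "iam:passrole", "iam:createaccesskey", "iam:updateassumerolepolicy",
    "sts:assumerole",
}

READ_ONLY_VERBS = ("get", "list", "describe", "head")


def _as_list(value):
    """Policy grammar allows a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """Crude classification by verb prefix; enough to separate 's3:GetObject'
    from 's3:PutBucketPolicy' or a bare wildcard."""
    verb = action.split(":", 1)[-1].lower()
    return verb.startswith(READ_ONLY_VERBS)


def review_policy(policy):
    """Return (Sid, finding) pairs for Allow statements that violate least
    privilege.  An empty list means nothing was flagged."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action"))
        wildcard_resource = "*" in _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))
        for action in actions:
            lowered = action.lower()
            if lowered == "*":
                findings.append((sid, "Action '*' grants every API call"))
            elif lowered.endswith(":*"):
                findings.append((sid, f"service-wide wildcard {action}"))
            if lowered in ESCALATION_ACTIONS and (wildcard_resource or not has_condition):
                where = "on Resource '*'" if wildcard_resource else "without a Condition"
                findings.append((sid, f"privilege-escalation action {action} {where}"))
        if wildcard_resource and any(not _is_read_only(a) for a in actions):
            findings.append((sid, "write-capable actions on Resource '*'"))
    return findings


# Constructed sample: the kind of "make it work" role an application often ends
# up with, and the one an SSRF on that instance would inherit.
BROAD_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppRoleBroad",
     "Effect": "Allow",
     "Action": ["s3:*", "iam:PassRole"],
     "Resource": "*"}
  ]
}
""")

# Constructed sample: the same workload, scoped to what it actually does.
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadAppBucket",
     "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-data",
                  "arn:aws:s3:::example-app-data/*"]},
    {"Sid": "PassOnlyWorkerRole",
     "Effect": "Allow",
     "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/example-worker",
     "Condition": {"StringEquals": {"iam:PassedToService": "ecs-tasks.amazonaws.com"}}}
  ]
}
""")


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "->", review_policy(pol) or "no findings")
```

    The verb-prefix heuristic is deliberately simple; a production linter would use the provider's action catalogue to classify read versus write. What the example does show is the shape of the review: a flagged statement is a concrete, fixable finding, whereas "the role is probably too broad" is not.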

    Cloud services offer tremendous benefits, but organizations must approach security with vigilance and thoroughness. Cybersecurity should not be seen as a hindrance to the business; it is part of ensuring data integrity and protecting customer trust.

    Learn more about NIS 2 in Beyond NIS 2: Building lasting breach resilience and DORA in DORA: The EU's new digital resilience requirements.