The evolution of cloud security

Trevor Dearing at Illumio argues that cloud security is changing, and so should your mindset

Cloud technology has become the backbone of business innovation and agility. Yet, as organisations migrate to the cloud at an unprecedented pace, security remains an afterthought.

This was evident in our latest Cloud Security Index research, as 45 per cent of the breaches faced by UK companies originated in the cloud last year. In fact, nearly half (46 per cent) of the organisations suffering these breaches saw an annual loss of over £400,000. 

The majority of enterprises house their critical data and run high-value applications in the cloud today, meaning the stakes are always high. There needs to be a fundamental shift in mindset towards cloud security.

Organisations must move away from legacy reactive measures to a proactive strategic mindset. 

Don’t rely solely on the cloud provider

In any cloud service arrangement, both the provider and the customer share the responsibility for ensuring the security and accessibility of data and workloads. Understanding this shared responsibility model is pivotal for organisations using cloud services, but the concept is frequently misunderstood. Businesses have a common misconception that security is solely the cloud provider’s responsibility - a high risk oversight. 

In reality, cloud service providers (CSPs) are only responsible for securing the infrastructure, including the hardware, software, networking, and facilities that run cloud services.

However, customers are responsible for securing their data within the cloud repositories and systems. This includes managing access controls, encrypting sensitive information, and configuring security settings in line with their specific requirements. This uneven handshake means businesses must therefore be more proactive in securing the assets they store in the cloud.

Breaches today have far-reaching consequences beyond financial losses, impacting trust and the company’s reputation significantly. Our research highlights that 47 per cent of UK security decision-makers view reputational damage as a primary concern following a cloud breach. This is because financial losses can often be recovered, but restoring a tarnished reputation is a more daunting challenge.

So, regardless of how secure the service provider’s cloud infrastructure is, organisations must develop their own proactive cloud security strategy that focuses on breach containment and resilience. 

Plan for a multi-cloud environment

Organisations are increasingly adopting multi-cloud strategies to leverage the unique strengths of different providers, enhance resilience, and avoid vendor lock-in.

However, this approach introduces a complex challenge: ensuring a consistent security posture across diverse cloud platforms. The very flexible and simple concepts in cloud computing make it easy for ghost IT to exist in the infrastructure.

The disparity between different cloud systems can create gaps in security policies and practices, making it difficult to maintain a uniform level of protection. In our survey, one third of the respondents highlighted the lack of visibility across multi-cloud deployments as the main threat to their cloud security. Notably, only 26 per cent consider themselves highly confident in their ability to stop breaches from spreading across hybrid and multi-cloud environments. 

This poses a big problem, as weak access controls can enable attackers to rapidly move through an environment and access critical data and systems – turning a minor breach into a business catastrophe if rendered uncontained and unchecked.  

So, how can organisations achieve a consistent and resilient security posture across the entire cloud environment? 

Zero Trust segmentation

Organisations need to implement security measures that are agnostic to specific cloud providers and ensure that security policies are uniformly applied. One of the best ways to achieve this is by implementing microsegmentation tools that can create smaller and more secure network zones in each cloud service where data and systems can be kept safely.

Microsegmentation allows organisations to keep a close watch on their digital assets, understanding how they interact and ensuring they are secure, regardless of which cloud service they reside in. This approach also helps in monitoring these assets in real time, providing an extra layer of security by constantly checking for any unusual or unauthorised activities.  

The first step to this is visibility. Being able to gather a full understanding of application and workload connectivity along with context-based labels and object metadata. This visualisation allows security teams to uncover unnecessary connectivity that increase risk. It also categorises test and production workloads, providing insight to create and edit the right policies and controls.

Zero Trust Segmentation (ZTS) enables this by offering a unified approach to microsegmentation across diverse environments—cloud, endpoints, and data centres. This strategy empowers organisations to identify and mitigate risks more effectively than traditional, static defences. 

The benefits of microsegmentation, or ZTS specifically, are not just theoretical. Our research showed that 93 per cent of respondents believe segmenting their critical assets is imperative to securing cloud-based projects and resources.   

Imagine a modern, high-security office building equipped with advanced access control at every level rather than just at the entrance. At the entrance, security checks your ID to ensure you’re authorised to enter the building—this is the traditional perimeter security most organisations have in place.

However, with a ZTS framework, the security measures don’t stop there. Once inside, to access any specific floor or room, you need to swipe your access card again. Each swipe is evaluated based on who you are, what you need access to at that moment, and under what conditions.

ZTS embodies the "never trust, always verify" principle of Zero Trust. This approach doesn’t just apply a blanket of security; it scrutinises every request as if it originates from an untrusted source, regardless of its actual origin. This granularity makes ZTS highly effective in a multi-cloud environment and also easy to implement and manage, unlike traditional firewalls.

The human element: education

Beyond the tech, the human element plays a crucial role in fortifying cloud security. Continuous education across all team levels ensures that every member is equipped with up-to-date knowledge of cloud security practices.

Education on cloud security equips teams with the foresight to identify and rectify misconfigurations, a common yet critical oversight that can open floodgates to potential breaches.  

It’s about transforming employees from potential security vulnerabilities into active, informed participants in the organisation’s security posture. Through regular training sessions, updates on the latest security trends, and simulations of potential security scenarios, businesses can significantly bolster their defences against the most insidious of cyber-threats.

Ultimately, a well-informed team can significant mitigation an organisation’s risks and increase its overall cyber-resilience.

As organisations continue to adopt cloud technologies at scale, the imperative for a fundamental shift in security strategies becomes apparent, with Zero Trust at the forefront. Businesses must reassess their security strategies if they want to navigate the cloud’s complexities effectively and protect their most valuable assets.

By implementing dynamic defences like microsegmentation, organisations can significantly improve their threat response capabilities and recover from incidents without jeopardising their resources, reputation, and trust. 

Trevor Dearing, Director of Critical Infrastructure at Illumio 

Main image courtesy of iStockPhoto.com