Share this article on:
It’s been a part of business IT infrastructures for more than 15 years; however, adoption rates continue to accelerate, Aden Axen at Somerville writes.
Cloud computing entered mainstream usage when Amazon launched its public cloud resources back in 2006. Since then, organisations of all sizes have been attracted to the concept because of the flexibility and cost savings on offer.
Cloud adoption was given an additional boost by the pandemic restrictions that forced many people to leave their offices and work from home. Shifting applications and data to a cloud platform made remote access easier and ensured staff could remain productive.
The challenges of effective cloud security
While cloud platforms can deliver significant business benefits, they can also bring challenges when it comes to ensuring effective IT security. Rather than having digital resources housed within an on-premise data centre protected by a firewall, they are entrusted to an external platform managed by a third party.
As well as making use of tools that can protect resources housed on a cloud platform, organisations must also ensure they comply with regulatory requirements. One example is Australia’s Privacy Act 1998, which spells out clear guidelines on how the privacy rights of Australian citizens must be handled.
Compliance with the act, and other regulations, is the sole responsibility of a business, regardless of whether data is stored on-premise or in the cloud. While the responsibility for protecting data stored on premises is easily understood, many companies lack the understanding of the shared responsibility concept of cloud security.
While cloud service providers are responsible for managing the security and availability of the cloud infrastructure, businesses that use it remain responsible for the security of their own data and applications.
Achieving strong cloud security
To ensure that data housed in a cloud platform is as secure as possible, there are some vital steps that businesses need to take. They include:
Many organisations will realise they don’t have the knowledge and skills required to achieve effective security in the cloud. In these situations, guidance and assistance should be sought from an experienced technology partner.
Problems posed by growing complexity
As more resources are shifted to the cloud, and multiple clouds are used for different purposes, the complexity of the resulting IT infrastructure can quickly increase. According to recent research, 51 per cent of organisations agree that it is more difficult to manage privacy and data protection in a multi-cloud environment than on-premises.
Complexity is exaggerated further by the current skills shortage problem. According to the ISC 2022 Cloud Security Report:
When the methods being used by cyber criminals to steal data from cloud platforms are examined, it becomes clear that ransomware is the number one threat. According to Verizon’s 2022 Data Breach Investigations Report, ransomware attacks increased by 13 per cent in 2021. That increase was as large as the past five years combined.
To gain access, cyber criminals tend to follow three primary attack main paths. They are compromised credentials, phishing campaigns, and exploiting vulnerabilities.
Ongoing investment in security is vital
Relying on prevention controls alone is never going to provide the level of security protection required by a modern, cloud-first organisation. Unfortunately, there is no bulletproof solution and so having a layered security practice with resilient response methods is the best approach.
When data breaches do happen, it’s important to have the ability to detect and recover as quickly as possible. The Verizon report found that almost 70 per cent of breached organisations detected the attackers within days or less.
However, while that percentage looks promising, it must be tempered by the awareness that there remains another 25 per cent that still required months or more to detect a problem. Ignorance and late response times are the biggest enemies to business continuity.
For this reason, ongoing investment in security tools and services is vital. Organisations must have the capability to respond to an attack quickly and thus avoid long periods of disruption to business activity.
Preventive controls must also be accompanied by detailed incident response and business continuity plans. Other measures include having a robust data recovery capability so that any affected systems can be brought back online as quickly as possible.
Making strategic investments in security measures, and seeking external support and advice when required, can allow an organisation to achieve appropriate levels of security for its cloud-based resources. The significant benefits of the cloud can then be enjoyed without exposing the organisation to any additional risks.
Aden Axen is the cloud services manager at Somerville.