Cloud Compliance Security- Despite continuous adherence to regulations, many organizations still fall prey to attacks.
Ever since the cloud became the de facto infrastructure choice for forward-thinking organizations, it has enabled organizations of all sizes and types to scale and transform in ways they never imagined possible. But for all its benefits, the mass migration to the cloud and its many IaaS and PaaS options has created huge amounts of complexity for IT and security teams. With countless policies and configurations, plus the lack of visibility to account for, securing the cloud has become somewhat of a nightmare.
According to a recent study by LogicMonitor, nearly 50% of organizations expect to have 95% of their critical workloads running on the cloud within the next 10 years. Couple these figures with the fact that 44% of organizations call cloud complexity their top barrier to establishing robust security, and that’s a massive amount of sensitive data being protected with less than ideal security.
Why Securing the Cloud Is so Challenging
There are many reasons cloud security is more complex and nuanced than perimeter-based security: constant innovation, which breeds new features on a daily basis; an ever-changing threat landscape; compliance with regulations; the list of complexities goes on and on.
The framework for cloud security is known as the shared responsibility model, which states that the provider is responsible for the security of the cloud itself—storage, databases, etc.
According to Amazon, “AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.”
Microsoft Azure’s guidance on the shared responsibility model states, “The importance of understanding this shared responsibility model is essential for customers who are moving to the cloud. Cloud service providers offer considerable advantages for security and compliance efforts, but these advantages do not absolve the customer from protecting their users, applications, and service offerings.”
Attaining compliance in the cloud is critical. Compliance addresses anticipated threats and risks that organizations must protect their data from, and as such, non-compliance isn’t an option. Moreover, being non-compliant comes with a very steep price tag. Fail to meet regulations such as PCI, GDPR and the newly established CCPA, and you may be subject to heavy fines and legal actions.
Understandably, many organizations assume that if they are compliant, they are good to go when it comes to maintaining security in the cloud. But the reality is that despite continuous adherence to regulations, many organizations still fall prey to attacks. In fact, it happens all the time; many of the biggest cloud hacks in recent years were on systems that were completely compliant with all required rules, regulations and recommendations. A 2018 study by the Journal Cyber Security and Information Systems (CSIAC) found that many organizations that were indeed PCI compliant still fell prey to data breaches. What’s more, despite the fact that they were technically compliant, many still had to pay fines for having suffered a breach.
Why Being Compliant Isn’t Good Enough
So how did we get here? Why isn’t being compliant good enough? As mentioned above, compliance deals with anticipated threats, the ones we know about. But attackers don’t necessarily take the road most traveled, they see through compliance to locate the weaknesses within. They take advantage of configuration vulnerabilities caused by weak configurations and misconfigurations in the cloud, akin to the exploitation of application vulnerabilities due to oversights and bugs in code.
Attackers don’t need to exploit application-level or infrastructure-level weaknesses to cause damage to an organization in cloud-based environments. All they need to do is locate a misconfiguration or one that’s technically configured properly but is inherently weak. So sure, compliance might be good enough to tick all the boxes off your security configurations checklist, but it’s not enough to see your cloud from an attacker’s perspective.