SMEs benefit from booming cloud adoption. A whitepaper by the IDC and Microsoft-South Africa says that cloud solutions are the key to SME success. In India, a similar study demonstrates the advantages of cloud solutions, particularly the Software-as-a-Service (SaaS) model. SaaS allows small businesses to access apps without the large upfront costs and the long and tricky configuration and deployment time.
However, all these benefits inevitably come with risks. The cloud presents an unfamiliar territory to early adopters. Also, it exposes businesses to a new cyber threat landscape that endangers not only enterprise growth but the survival of a business itself.
The need for cloud security posture management
The shift towards the cloud entails the need to go beyond traditional security posture management. This is the reason cloud security posture management, known as CSPM, exists. CSPM tools allow organisations to more effectively and efficiently undertake risk identification and remediation. They enable automated compliance monitoring and thorough security evaluations with an emphasis on the cloud attack surfaces and associated threats.
Cloud security posture management encompasses not only SaaS but also the Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) infrastructure. It ensures the protection of services provisioned and managed online, the mechanisms used to access and utilise cloud-based apps, and the cloud development and deployment environments that make it possible to deliver simple to sophisticated cloud-based applications for various scales of use.
CSPM mainly focuses on misconfigurations that are often the cause of data leaks and breaches. Through automatic and continuous assessments, it ensures the protection of cloud infrastructure and assets. These misconfigurations or errors in the configuration are typically accidental. They happen because of lapses in the management of several connected resources including serverless functions and containers.
These configuration management lapses are usually attributable to the lack of visibility over an organisation’s cloud resources. To address this, a systematic cloud security approach is crucial, which is what CSPM is designed to do. This is important in light of the growing enormity and complexity of modern enterprise environments. Organisations operating in multiple locations and dealing with hundreds or thousands of processes in a day need an effective way to secure their cloud resources, especially when it comes to granting permissions in accessing critical assets.
The state of cloud adoption security
A survey jointly conducted by the Cloud Security Alliance (CSA) and Google reveals significant details about how organisations are faring in securing their cloud resources. For one, it shows that 52 per cent of organisations that have newly-adopted cloud solutions did not evaluate the risk of the cloud services they were using. They say that they did not reevaluate the security of their cloud resources after product features were changed, or new features were added, and also after their business environments changed.
Also, most cloud adopters lack consistency in data classification across the different cloud platforms and services they use. The study shows that only 21 per cent of cloud users employ cloud service data classification. Among those that undertake cloud data classification, only 65 per cent say that the classification systems they use are in-line with their organisation’s own data classification schemes.
Another important finding from the CSA-Google survey is there is a need to improve the tools currently being used for measuring risks on the cloud. Some 70 per cent of the organisations surveyed say that the tools and processes they used in identifying cloud asset risks were less effective, and only four per cent are confident that they have adequate means of assessing risks.
Moreover, the study shows that there is pronounced difficulty when it comes to cloud risk monitoring, measuring and reporting. A significant 30 per cent of users of risk scoring systems say that these systems are being used as a directional guide for improving risk detection and response for certain cloud solutions, not as reliable and comparable measurements across all cloud services.
Cloud security improvement
Even with the less-than-reassuring findings of the CSA-Google survey, it can be said that cloud security is improving, especially with the availability of cloud-specific cybersecurity solutions, CSPM in particular. Organisations across different industries can benefit from the automated and continuous advanced security afforded by CSPM. It ensures the proper monitoring and response to threats across the infrastructure cloud stack.
Additionally, cloud security posture management can be used to look for unused, abandoned or forgotten assets that can still be put to good use or be taken out of the network (if it becomes a vulnerability or an unmanaged cyber-attack surface). CSPM can also help in mapping out the operation of an organisation’s security teams and test the integrity of recently deployed apps and other cloud resources. With these, CSPM does not only identify problems but also opportunities to optimise systems.
As Google Cloud VP and CISO Phil Venables explains, “This study has shone a light on the opportunities enterprises can take to manage and measure their risk and will hopefully lead to improved risk management practices. And, whereas these practices impact many areas in the enterprise, modernising the approach helps both businesses and providers improve their cloud adoption.”
Cloud-based solution for cloud protection
The advent of cloud computing is already here and it is the future of most businesses that have yet to embrace it. As early as 2018, at least one study showed that cloud adoption has already hit 96 per cent. Cloud adoption is increasing, which is definitely a good development, but this comes with a call for caution.
The cloud does not only have rainbows for adopters. There are security challenges that should be properly addressed. What’s great about the current state of cloud security is that there are also cloud solutions for cloud security. As Google’s Venable also suggests, “Increasingly, cloud is becoming less of a risk to manage and more of a means to manage these risks.” Cloud-based cybersecurity solutions aimed at addressing security concerns in cloud environments can continuously examine an organisation’s risk status and facilitate proper configuration and the optimisation of existing security controls.