Top 3 cloud security challenges in cloud computing
According to the definition by the European Network and Information Security Agency (ENISA), cloud computing is an on-demand service model for IT provision, often based on virtualization and distributed computing technologies. Cloud computing architectures share a set of characteristics: highly abstracted resources, near-instant scalability and flexibility, near-instantaneous provisioning, shared resources, service on demand, and so on.
While cloud computing brings many benefits, cloud security has consistently been the top concern when enterprises migrate to the cloud.
In this article, we discuss the top 3 cloud security challenges enterprises face, and explain how these 3 issues make cloud security different.
As cloud computing becomes a major force dissolving perimeters, the traditional perimeter-based security approach no longer provides enough protection.
The perimeter-based security model treats all users and devices inside the corporate network as “trusted.” Once attackers breach the network, they have access to everything inside the perimeter. In a highly connected cloud environment, however, the network perimeter essentially no longer exists: users and devices can access cloud data and applications from anywhere, at any time. Malicious actors can bypass traditional perimeter defenses to deliver a myriad of attacks and gain unfettered access to cloud data and applications if least privilege is not applied.
Cloud computing requires enterprises to shift the focus of access control from devices and locations to identities. The principle of least privilege is equally crucial: users and devices should not be granted access to assets beyond what is intended or required. More about zero trust and identity management can be found in our previous article.
Cloud security is a shared responsibility. In a traditional data center model, enterprises are responsible for security across the entire operating environment, including infrastructure, applications, access control, and so on.
In a cloud environment, especially a public cloud, the organization and the cloud vendor share responsibility for security. In general, the cloud vendor owns the infrastructure, physical network, and hypervisor, while the enterprise is responsible for access control, encryption and protection of cloud-based data, and compliance. The exact split varies by service model and vendor. In hybrid and multi-cloud environments, these variations in security ownership add complexity and risk, so it is imperative to clearly define security ownership under the shared responsibility model.
According to Gartner, at least 99% of cloud security failures will be the customer’s fault, mainly in the form of cloud resource misconfiguration. As each cloud vendor has its own set of security configurations, enterprises must rapidly identify and correct misconfigurations before they lead to a breach. To this end, security teams should work closely with operations teams to ensure proper policy-based control over access to cloud resources. Continuous asset discovery and monitoring, together with automated compliance management and policy enforcement, are also crucial to addressing cloud misconfigurations.
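The paragraph above calls for continuous discovery and automated policy enforcement to catch misconfigurations before they become breaches. The following is an added example, written for this article rather than taken from any vendor's tooling, of how such a check can be expressed as vendor-agnostic rules run over a normalized resource inventory. The inventory, the resource ids, the attribute names (`public`, `encrypted`, `ingress`) and the rule names are all constructed for illustration; a real deployment would populate the same shape from cloud provider APIs.

```python
"""Vendor-agnostic cloud misconfiguration checks over a constructed inventory."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample inventory (not real cloud API output). Each resource is a
# plain dict with a "type" key and a few normalized attributes.
SAMPLE_INVENTORY: List[Dict] = [
    {"id": "bucket-logs", "type": "storage_bucket", "public": False, "encrypted": True},
    {"id": "bucket-uploads", "type": "storage_bucket", "public": True, "encrypted": True},
    {"id": "bucket-backups", "type": "storage_bucket", "public": False, "encrypted": False},
    {"id": "sg-web", "type": "security_group",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 443}]},
    {"id": "sg-bastion", "type": "security_group",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 22}, {"cidr": "10.0.0.0/8", "port": 22}]},
    {"id": "db-main", "type": "database", "public": False, "encrypted": True},
    {"id": "db-reporting", "type": "database", "public": True, "encrypted": False},
]


@dataclass(frozen=True)
class Finding:
    resource_id: str
    rule: str
    severity: str


@dataclass
class Rule:
    name: str
    resource_type: str
    severity: str
    check: Callable[[Dict], bool]  # returns True when the resource VIOLATES the rule


# Management and database ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389, 3306, 5432}

# Hypothetical rule set; names and severities are this example's own choices.
RULES: List[Rule] = [
    Rule("storage-bucket-public", "storage_bucket", "high",
         lambda r: r.get("public", False)),
    Rule("storage-bucket-unencrypted", "storage_bucket", "medium",
         lambda r: not r.get("encrypted", False)),
    Rule("database-public", "database", "critical",
         lambda r: r.get("public", False)),
    Rule("database-unencrypted", "database", "medium",
         lambda r: not r.get("encrypted", False)),
    Rule("admin-port-open-to-world", "security_group", "critical",
         lambda r: any(i["cidr"] == "0.0.0.0/0" and i["port"] in ADMIN_PORTS
                       for i in r.get("ingress", []))),
]


def scan(inventory: List[Dict], rules: List[Rule] = RULES) -> List[Finding]:
    """Evaluate every rule against every resource of the matching type."""
    findings: List[Finding] = []
    for resource in inventory:
        for rule in rules:
            if resource["type"] == rule.resource_type and rule.check(resource):
                findings.append(Finding(resource["id"], rule.name, rule.severity))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity so a team can prioritise remediation."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_INVENTORY)
    for f in results:
        print(f"[{f.severity:8}] {f.resource_id}: {f.rule}")
    print(summarize(results))
```

Run on a schedule against a freshly discovered inventory, the same `scan` call becomes the continuous monitoring loop the paragraph describes; the rule list is where a team encodes each vendor's specific settings while keeping one reporting format.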
Traditionally, applications and data reside on dedicated physical hardware. Modern workloads, in contrast, are cloud-based: dynamic, scalable, and in many cases serverless. In a highly dynamic cloud environment, cloud resources are provisioned and decommissioned constantly.
Traditional security configuration may take minutes, hours, or even days, so it cannot keep pace with a cloud environment that requires dynamic scalability and instantaneous adaptation. Security therefore goes beyond securing hardware and must follow workloads and data in real time, whether they are at rest or in transit.
Protecting at scale thus becomes a challenge for enterprises. Two key requirements for securing clouds in a flexible, dynamic environment are:
- Micro-segment workloads according to zero trust principles. Zero trust segmentation allows for consistent policies that scale with the underlying cloud infrastructure: as the cloud ramps capacity up and down, the appropriate control and protection policies should be provisioned to new users or devices automatically and instantly.
- Centrally manage security deployments and streamline policy enforcement through SASE. See more about SASE in our previous article.
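Both the identity-centric, least-privilege access control described earlier and the zero trust segmentation requirement in the list above rest on the same mechanism: policy keyed to what a workload is rather than where it sits on the network. The example below is added here to illustrate that mechanism; it is not code from the article's authors or from any SASE or segmentation product. The label keys (`app`, `tier`, `env`), the two allow rules, the instance ids and IP addresses are all constructed for the illustration.

```python
"""Label-based (identity-centric) micro-segmentation with default deny."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Labels = FrozenSet[Tuple[str, str]]


@dataclass(frozen=True)
class Workload:
    """A workload instance. Its IP is incidental; policy keys off labels only."""
    instance_id: str
    ip: str
    labels: Labels  # e.g. {("app", "shop"), ("tier", "web"), ("env", "prod")}


@dataclass(frozen=True)
class AllowRule:
    """Allow src -> dst on a port when both ends carry the required labels."""
    name: str
    src_labels: Labels
    dst_labels: Labels
    port: int


def labels(**kv: str) -> Labels:
    return frozenset(kv.items())


# Constructed policy: the web tier may reach the API tier on 8443 and the API
# tier may reach the database on 5432, only within the same environment.
# Anything not listed is denied (default deny).
POLICY: List[AllowRule] = [
    AllowRule("web-to-api", labels(tier="web", env="prod"), labels(tier="api", env="prod"), 8443),
    AllowRule("api-to-db", labels(tier="api", env="prod"), labels(tier="db", env="prod"), 5432),
]


def is_allowed(src: Workload, dst: Workload, port: int,
               policy: List[AllowRule] = POLICY) -> bool:
    """Default deny: True only if some rule's label selectors match both ends and the port."""
    return any(
        rule.port == port
        and rule.src_labels <= src.labels   # selector is a subset of the workload's labels
        and rule.dst_labels <= dst.labels
        for rule in policy
    )


def provision(instance_id: str, ip: str, **kv: str) -> Workload:
    """Simulate a scale-up event: the new instance inherits policy purely via its labels."""
    return Workload(instance_id, ip, labels(**kv))


def evaluate_flows(flows: List[Tuple[Workload, Workload, int]],
                   policy: List[AllowRule] = POLICY) -> Dict[str, bool]:
    """Decide each (src, dst, port) flow; the key is human-readable for reporting."""
    return {f"{s.instance_id}->{d.instance_id}:{p}": is_allowed(s, d, p, policy)
            for s, d, p in flows}


if __name__ == "__main__":
    web1 = provision("web-1", "10.0.1.10", app="shop", tier="web", env="prod")
    api1 = provision("api-1", "10.0.2.10", app="shop", tier="api", env="prod")
    db1 = provision("db-1", "10.0.3.10", app="shop", tier="db", env="prod")
    web_stg = provision("web-stg-1", "10.1.1.10", app="shop", tier="web", env="staging")
    # Autoscaler adds a web instance with a fresh IP: no policy edit is needed.
    web2 = provision("web-2", "10.0.1.57", app="shop", tier="web", env="prod")
    flows = [(web1, api1, 8443), (web2, api1, 8443), (web1, db1, 5432),
             (api1, db1, 5432), (web_stg, api1, 8443), (api1, web1, 8443)]
    for name, ok in evaluate_flows(flows).items():
        print(f"{'ALLOW' if ok else 'DENY '} {name}")
```

The design point is that `POLICY` never mentions an address, so the newly provisioned `web-2` is governed the moment it exists, while a staging instance with an otherwise identical role stays isolated from production and the web tier has no path to the database at all.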