• Magazine
    • FEBRUARY 2022
    • JANUARY 2022
    • CISO MAG – Archives
  • NEWS
    • GOVERNANCE
    • STARTUPS
    • BUDGET
    • WORKFORCE
    • PARTNERSHIPS
    • THREATS
    • DATA PRIVACY
    • Regulations & Compliance
  • FEATURES
    • Careers
    • Explainers
    • Market Trends Report
    • One Quick Question
    • Trends and Predictions
  • PODCASTS
  • Get Featured
    • READING ROOM
    • INTERVIEWS
    • WHITEPAPERS
    • INFOGRAPHICS
    • MARKET TRENDS REPORT
      • GLOBAL BLOCKCHAIN IMPACT
      • SECURITY INTELLIGENCE REPORT
      • CLOUD FORENSICS
      • DIGITAL FORENSICS
      • CYBERSECURITY HIRING
      • DATA SECURITY
      • ENDPOINT SECURITY
    • INNOVATOR’S CORNER
    • HOTSPOT
    • SPECIAL FEATURES
  • Videos
    • VIDEO INTERVIEWS
    • EVENT VIDEOS
    • WEEKLY NEWS
  • WEBINARS
  • EVENTS
    • Upcoming Events
    • Endorsed Events
    • E-Events
    • Masterclass
Search
Saturday, March 25, 2023
  • About us
  • Advisory Board
  • Careers
  • Write for CISO MAG
  • Editorial Calendar
CISO MAG  - News and Updates| Cyber Security Magazine CISO MAG | Cyber Security Magazine
CISO MAG  - News and Updates| Cyber Security Magazine CISO MAG  - News and Updates| Cyber Security Magazine
  • Magazine
    • FEBRUARY 2022
    • JANUARY 2022
    • CISO MAG – Archives
  • NEWS
    • GOVERNANCE
    • STARTUPS
    • BUDGET
    • WORKFORCE
    • PARTNERSHIPS
    • THREATS
    • DATA PRIVACY
    • Regulations & Compliance
  • FEATURES
    • free-online-cybersecurity-courses-certifications
      Embark on a Cybersecurity Career with the Top Three Free Online Cybersecurity Courses
      PSTI IoT Bill, Common IoT Attacks
      3 Common IoT Attacks that Compromise Security
      Steganography attack
      How to Prevent Steganography Attacks
      Brainjacking
      How Brainjacking Became a New Cybersecurity Risk in Health Care
      Malicious QR Codes
      How Cybercriminals Exploit QR Codes to Their Advantage
      AllCareersExplainersMarket Trends ReportOne Quick QuestionTrends and Predictions
  • PODCASTS
  • Get Featured
    • READING ROOM
    • INTERVIEWS
    • WHITEPAPERS
    • INFOGRAPHICS
    • MARKET TRENDS REPORT
      • GLOBAL BLOCKCHAIN IMPACT
      • SECURITY INTELLIGENCE REPORT
      • CLOUD FORENSICS
      • DIGITAL FORENSICS
      • CYBERSECURITY HIRING
      • DATA SECURITY
      • ENDPOINT SECURITY
    • INNOVATOR’S CORNER
    • HOTSPOT
    • SPECIAL FEATURES
  • Videos
    • VIDEO INTERVIEWS
    • EVENT VIDEOS
    • WEEKLY NEWS
  • WEBINARS
  • EVENTS
    • Upcoming Events
    • Endorsed Events
    • E-Events
    • Masterclass
Home Features Cloud Computing Security 2022: Upgrading the Cloud to Make Infosec Efficacious
  • Features

Cloud Computing Security 2022: Upgrading the Cloud to Make Infosec Efficacious

Cloud computing security (CCS) is an essential aspect for businesses when securing virtual data from attacks such as DOS, malware, etc. and it is important for both cloud service providers and clients to understand and improve the cloud security framework.

By
CISOMAG
-
November 11, 2021
Facebook
Twitter
Pinterest
WhatsApp
    Nanocore Netwire AsyncRAT, Cloud security, cloud computing

    Cloud computing security (CCS) is an essential aspect for businesses when securing virtual data, however, like any other domain within IT security, it comes with its challenges. Being a shared and hybrid operation framework, business and security leaders along with cloud service providers continuously work on improving security through various technological and policy implementations and modifications.

    By Vito Sardanopoli, Chief Information Security Officer at Happify Health

    With more and more businesses opting for cloud-based services, its corresponding security has become a significant cause of concern. Given the capacity of the cloud to hold colossal amounts of data from different groups and organizations, it has become a prime target for threat actors that aim at gaining unauthorized access to confidential and proprietary data. Businesses and cybersecurity leaders are continually investing in cloud security strategies and techniques in a number of key areas including, for example, identity management, physical security, personnel/human resources security, and data protection, with the ultimate goal of maintaining effective security standards.

    The security standards for the cloud today need to take into account different forms of cloud deployment and usage.   These can include variations of hybrid cloud architecture, shared responsibilities between cloud customers and vendors, vendor consolidation, etc., that need to be considered before establishing and enforcing policies. A secure cloud assures the clients and users its competency towards securing their data and keeping it protected from external attackers. Any attack or compromise of cloud security could lead to dire consequences, where data could be modified, deleted, withheld in exchange for ransom, or simply sold online, which dramatically affects the victim psychologically and financially. It is imperative for organizations to keep investing in researching and implementing new solutions and updated security standards to ensure data security against multiple threats.

    The Current Cloud Security Is Not a Lasting Solution

    Cloud security is complicated, as the cloud itself is complicated due to the number of variations of deployment and use of cloud-based resources. Although people assume that cloud service providers take responsibility for the security of the infrastructure they manage, this is far from the truth in the shared security/responsibility model, which is applicable to almost all cloud platform types. The cloud users/customers are equally responsible for implementing and managing cloud security correctly and securing their applications. Any misconfiguration at the application level can lead to many security problems.  External threats that utilize malware infection is one of the most effective threats to your cloud computing environment.

    With the evolution of technologies, attackers have also stepped up their game! They are upgrading various types of malware and ransomware that can infiltrate with relative east the high-grade security practices and standards. Over time, attacks have evolved and are now increasingly sophisticated, a number of which have been successful in bypassing high-security measures.  Some of the most common threats which target cloud services are noted as follows:

    • Malware injection: The increase in malware threats shows that nearly 90% of organizations are experiencing data breaches after increasing cloud usage. Malware on cloud services service platforms, will not only allow for data manipulation but can also spread to collaborators in cloud systems. These malware are generally the scripts or codes that are rooted into cloud services that act as “valid instances” and can run as Software-as-a-Service (SaaS) to cloud servers. As a result, that harmful code can be injected into cloud services and reviewed as part of the running services inside the cloud servers. Once the injection is successful, the cloud begins to club malicious scripts, and attackers start stealing the secured information.

    “Businesses use an average of 1,181 services wherein that 92.7% of them are insecure or not ready for enterprise needs.” – Netskope.

    • Hijacking of accounts: Extended cloud service implementation has led to a host of issues such as account hijacking, where the attackers can utilize the employee’s login credentials to access their information stored in the cloud remotely. Hijacking techniques make use of scripting errors and reused passwords that enable attackers to steal your credentials.
    • Data breaches: Cloud computing and other services are comparatively new, but data breaches in all the platforms have been occurring for many years. Research by Ponemon Institute reports that around 50% of IT and security professionals believed their organization’s security measures of cloud services are insufficient. The overall probability of data breach is higher for businesses with cloud services, and it could be said that the cloud has a unique set of features and characteristics that make them more vulnerable.
    • Insecure APIs: Application Programming Interfaces (APIs) allow users to modify their cloud experience, through customized features, easier collaboration, improved innovation, etc. In some instances, use of APIs can pose a risk to cloud platforms. Often the intended use of APIs is for making improvements (e.g. service level, features, performance, user experience, etc.).  However, while there multiple types of improvements may be targeted, use of APIs may increase security risks. A key area of vulnerability for APIs exists in the communication that takes place between applications.
    • DOS attacks: Denial of Service (DOS) attacks are designed to make your web pages and networks inaccessible to legitimate users by flooding them with fake requests. In some scenarios, this DOS attack is sometimes used as a smokescreen for other malicious activities and for dismounting security appliances such as web application firewalls.
    • Insufficient due diligence: The knowledge gap with regards to cloud-native security impacts the needed due diligence. There is a distinction between clients and CSP (cloud service providers) regarding what they need and what CSP provides. The confusion of shared responsibility has not helped to mitigate this issue. It is imperative for the CSP to obtain a clear and detailed understanding of customer requirements in order to reduce the contractual obligations later.

    Migrating to the cloud can often reap important benefits for organizations.  However, it is not uncommon for enterprises and organizations to blindly migrate data and assets to the cloud without planning effectively planning security implementations, corresponding environments, and protection mechanisms. Additionally, they are often uncertain and unprepared in managing disaster scenarios, backup plans, applicable threats, or regulatory & compliance aspects. This is often due, in part, to a failure to perform sufficient due diligence, which, combined with a lack of proper knowledge of the cloud threat landscape, is very risky and could even lead to more serious information security challenges and related risks.

    Improving Your Cloud Security Framework

    It has become imperative for organizations to keep their security standards up-to-date.  It is also important to implement such standards in the earliest stages of the deployment lifecycle as possible in an effort to prevent or minimize risks. To ensure the protection of data from being accessed/viewed inappropriately, deleted, or modified without proper authorization, organizations can adopt various strategies to improve security in their cloud deployment.

    In an effort to increase the security of their cloud environment, organizations can leverage security solutions including, for example, continuous activity and event monitoring; data loss prevention (DLP); and user entity behavior analytics (UEBA).

    Security solutions and strategies that intend to further improve the cloud security of your data and virtual assets could be implemented by organizations. Some of the effective cloud security strategies that can be used to help protect your virtual assets are noted below:

    1. Understanding cloud data vs. on-prem storage

    Organizations need to understand that cloud-based storage differs significantly from their on-premises counterparts. Cloud infrastructures can be deployed with minimal oversight and are able to record extensive and detailed procedures towards ensuring correct configuration. Cloud services and resources are designed to enable the users to work with ease and efficiency. Efforts must be made to ensure application developers and infrastructure teams can effectively perform their roles in the cloud in a dynamic cloud infrastructure environment while maintaining effective security of the cloud environment. Organizations require cloud computing experts and/or services that are mindful of the conditions required for the proper functioning of the cloud data centers.

    2. Role-based security blueprint creation for cloud

    Depending on the types of cloud services and features to be used by the customer organization, it is essential to create an outline of what will be the key security features. Creating such an outline help to ensure that the security team is onboard with the strategies, procedures, and configurations to be utilized to ensure that effective security will be sustained in the long run.

    3. Reduction and protection of attack surfaces

    While incorporating security standards, it is essential for security experts to minimize the number of attack surfaces in the cloud infrastructure and provide the necessary strategies to secure the deployed attack surfaces. New platforms and/or incorporation of new software often are the gateways for such attack surfaces as they create specific vulnerabilities that allow unauthorized access and other risk factors like malware to enter.

    4. Consolidating vendor security

    When considering cloud security vendors, organizations must research them thoroughly.  Try to obtain evidence that the vendor is trustworthy and reliable, based on recent experiences of customers.  Additionally, cloud security vendors must maintain the required legal documents and certifications needed to fulfill their roles and responsibilities.

    5. Conducting due diligence

    Once an organization decides to choose an appropriate cloud service after considering security and resiliency aspects, steps should be taken to ensure appropriate due diligence and the auditing process are agreed to. The due diligence process should include the following: Define security benchmarks consistent with the nature of the data, applications, and other cloud-based resources; Verify that CSP security recommendations align with customer goals; Test offered security measures like encryption standards, identity management, etc.

    6. Protecting the loose ends

    Organizations need to deploy endpoint security protocols with multilayered security standards/protocols such as Endpoint detection and response (EDR) and User and Entity Behavior Analysis (EEBA) to detect malicious behavior of users. Weak security practices invite attacks against remote access infrastructure and/or users. CCS possess numerous endpoints that could be subject to frequent changes, and hence, require a higher level of transparency. Endpoint protection tools and practices help organizations monitor and control cloud-based workloads while ensuring effective remote access security.

    7. Enforcing adequate encryption standards

    The encryption process offers security while ensuring data integrity, confidentiality, and authenticity during data transport and storage processes in the cloud. Verify that encrypted data is safe and secure and can be accessed only by authenticated users with the appropriate encryption and decryption keys.

    8. MFA for CCS

    Social engineering is a primary method among attackers to acquire access to cloud data. A multifactor authentication tool for cloud computing services should be implemented and utilized to ensure end-user authentication.

    9. Backing-up cloud on cloud

    It is always essential to back up data in case of a worst-case scenario. Thus, data could always be secured and stored in the backup drive in case of any incident, allowing easy retrieval. A cloud-to-cloud backup option is most prevalent in cloud service models like Software as a Service (SaaS). For most SaaS services, the application’s data is stored virtually, and the backup is also done on a cloud platform.

    10. Attacking it to secure it

    Penetration testing of your security architecture is said to be the most effective way to detect vulnerabilities. Organizations need to test their application on a regular basis.  They should also periodically keep track of changes to their current security standards and review and update over time. Organizations should ensure that such testing is done by certified professionals who possess the skills to test effectively and to make informed decisions based on analysis of results, in order to efficiently uphold security in the long run.

    Conclusion

    Security is a continuous operation that continues to grow with the constant developments in technology. It is essential to stay updated with the latest trends and improve the security standards of your architecture accordingly. It is crucial to understand that making cloud infrastructure entirely fool-proof is impossible.  Cloud security is much more than the term itself. To have a compatible and functional cloud security architecture, it is essential to consider crucial aspects related to both technological and human interventions.


    References:

    1. https://www.red-gate.com/simple-talk/cloud/security-and-compliance/how-organizations-can-optimize-cloud-security/
    2. https://www.imperva.com/blog/top-10-cloud-security-concerns/
    3. https://www.cloudmanagementinsider.com/top-5-cloud-computing-security-issues-and-strategies-used-by-hackers/
    4. https://www.apriorit.com/dev-blog/523-cloud-computing-cyber-attacks
    5. https://www.metricstream.com/insights/risk-based-approach-to-cloud-computing.html
    6. https://www.itproportal.com/2016/02/18/how-to-mitigate-your-cloud-computing-risks/
    7. https://www.mygreatlearning.com/blog/best-ways-to-prevent-cloud-security-threats/
    8. https://digitalguardian.com/blog/50-cloud-based-security-selection-tips
    9. https://www.rapid7.com/blog/post/2020/01/24/seven-tips-for-better-cloud-security-in-2020/
    10. https://www.networkcomputing.com/cloud-infrastructure/5-tips-building-cloud-security-architecture
    11. https://www.otava.com/reference/top-5-tips-for-cloud-computing-security/
    12. https://www.ntiva.com/blog/6-tips-for-improving-cloud-computing-security
    13. https://searchdatabackup.techtarget.com/definition/cloud-to-cloud-backup

    About the Author

    Vito SardanopoliVito Sardanopoli is an accomplished technology leader, with a vision to distinguished record in progressive leadership roles. He is a forward-thinking technology and security executive with a strong strategic and business perspective. With more than 20 years of experience in information security, he is a renowned CISO, with experience in the functions of CTO and CIO roles. He is currently serving as an advisory board member for the Pace universities cybersecurity program and leads efforts to ensure that digital and security initiatives support business priorities and emerging opportunities. He has served as CISO for a number of leading organizations across multiple industries such as healthcare, retail, financial services, etc. with demonstrated success in delivering sustainable, cost-effective solutions, while consistently minimizing business and operational risks.

    Disclaimer

    Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

    • TAGS
    • account hijacking
    • API
    • cloud
    • Cloud Computing Security
    • cloud serve provider
    • cloud services
    • cybersecurity
    • Data Breaches
    • IT
    • malware
    • MFA
    • SaaS
    Facebook
    Twitter
    Pinterest
    WhatsApp
      Previous articleMicrosoft November 2021 Patch Tuesday Addresses 55 Vulnerabilities
      Next articleDDoS Attack on VoIP Provider Telnyx Impacts Global Telephony Services
      CISOMAG
      https://cisomag.com/

      RELATED ARTICLESMORE FROM AUTHOR

      free-online-cybersecurity-courses-certifications
      Features

      Embark on a Cybersecurity Career with the Top Three Free Online Cybersecurity Courses

      PSTI IoT Bill, Common IoT Attacks
      Features

      3 Common IoT Attacks that Compromise Security

      Steganography attack
      Explainers

      How to Prevent Steganography Attacks



      Latest Issue is Out!


      FOLLOW US FOR MORE UPDATES


      CYBER SHOTS
      Quick, punchy updates on Cyber trends, news and links to free resources. Only via Telegram and Signal. Join the groups now!
      Click Here Click Here

      MOST POPULAR

      Research Finds Increase in Botnet and Exploit Activity in Q2 2020

      45% companies don’t have cybersecurity leader: Study

      CISOMAG - December 11, 2017
      DEO data breach

      Nearly half of companies have suffered a data breach in the past year: Survey

      November 15, 2017
      Messaging

      Mobile messaging apps new hideout of Dark Web activities: Study

      October 27, 2017
      Kaspersky

      NSA hacking code lifted from a personal computer in U.S.: Kaspersky

      October 30, 2017

      Instagram data breach! 49 million users’ sensitive data exposed online

      May 23, 2019

      RECENT POSTS

      free-online-cybersecurity-courses-certifications

      Embark on a Cybersecurity Career with the Top Three Free Online...

      October 31, 2022
      PSTI IoT Bill, Common IoT Attacks

      3 Common IoT Attacks that Compromise Security

      February 23, 2022
      Steganography attack

      How to Prevent Steganography Attacks

      February 22, 2022
      Brainjacking

      How Brainjacking Became a New Cybersecurity Risk in Health Care

      February 21, 2022
      Malicious QR Codes

      How Cybercriminals Exploit QR Codes to Their Advantage

      February 20, 2022
      Cybersecurity News and Updates, Magazine
      CISOMAG is the handbook for Chief Information Security Officer (CISO)s, CXOs, and every stakeholder of safe internet.
      Contact us: [email protected]

      EVEN MORE NEWS

      free-online-cybersecurity-courses-certifications

      Embark on a Cybersecurity Career with the Top Three Free Online...

      October 31, 2022
      PSTI IoT Bill, Common IoT Attacks

      3 Common IoT Attacks that Compromise Security

      February 23, 2022
      Steganography attack

      How to Prevent Steganography Attacks

      February 22, 2022

      POPULAR CATEGORY

      • News2554
      • Threats1657
      • Features595
      • Partnerships215
      • Governance191
      • Startups161
      • Interviews121
      • Terms of Use
      • Privacy Policy
      • Advertise with us
      • Contact Us
      • MASTERCLASS
      © CISOMAG 2020
      We Care
      Ensuring that you get the best experience is our only purpose for using cookies. If you wish to continue, please accept. You are welcome to provide a controlled consent by visiting the cookie settings. For any further queries or information, please see our privacy policy.
      Do not sell my personal information.
      Cookie SettingsAccept
      Manage consent

      Privacy Overview

      This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
      Necessary
      Always Enabled
      Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
      CookieDurationDescription
      cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
      cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
      cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
      cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
      cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
      viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
      Functional
      Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
      Performance
      Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
      Analytics
      Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
      Advertisement
      Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
      Others
      Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
      SAVE & ACCEPT
      MORE STORIES
      free-online-cybersecurity-courses-certifications
      Features

      Embark on a Cybersecurity Career with the Top Three Free Online...

      CISOMAG - October 31, 2022 0
      Free online cybersecurity courses are a great place to start your learning journey if you’re considering a career in this field. Enrolling in a...