- Research firm Gartner predicts that in 2023, worldwide spending on public cloud services will increase by 20.7% to surpass $591 billion.
- As noted by Cloud Tech, 60% of companies are now using a hybrid cloud strategy rather than a pure public approach to facilitate business functions.
- Flexera found that 89% of organizations say they’re opting for a multicloud framework.
The cloud isn’t going anywhere. Regardless of the specific cloud mix or how companies choose to identify their cloud environments, a consistent component remains — infrastructure. Cloud infrastructure includes the hardware, storage, network, and compute resources required to host applications and services.
Despite its importance, many companies aren’t properly securing this infrastructure. Here’s a look at why cloud infrastructure often gets skipped in security and what companies can do to reduce the risk of critical cloud compromise.
Counting on Cloud
Cloud leader Amazon still owns over 34% of the cloud market as per a 2022 Statista research, but more recent challengers Google and Microsoft are on its heels. Consider that recent data from Flexera’s 2022 State of the Cloud Report puts Microsoft Azure ahead of Amazon Web Services (AWS) regarding adoption pace and volume.
Meanwhile, evolving technologies and business expectations have led to the development of specialized cloud vendors that offer purpose-built services and solutions. These include — but aren’t limited to — data analytics, automation, identity and access management (IAM), and facilitating remote and hybrid work environments.
Put simply, companies are counting on the cloud to deliver the services and solutions they need to meet evolving customer needs and facilitate in-house operations. And the cloud delivers in spades — on-demand services and simple scalability make it easy for companies to ramp up or reduce consumption and costs as needed.
But increased uptake doesn’t always translate to improved protection. According to the 2022 Thales Cloud Security Report, 45% of companies experienced a cloud-based data breach between June 2021 and June 2022, up from 35% the year prior. The result? More cloud infrastructure is creating more security risk.
Why Infrastructure Security Gets Ignored
With clouds now critical to business success, why does infrastructure security get ignored? Three reasons are common.
1. Reduced Visibility
As cloud environments grow, visibility is naturally reduced. Consider an organization using multiple public clouds for general compute and storage along with a private cloud for sensitive data handling and purpose-built multicloud frameworks for specific needs.
While these clouds collectively offer enhanced operational performance, it becomes challenging for companies to see what’s happening, when, and why across multiple cloud instances. The result is often a case of “no news is good news” — if security incidents aren’t actively occurring, companies carry on with business as usual.
2. Offloaded Responsibility
Cloud providers typically assume some responsibility for security. For example, most detail their security policies in service-level agreements (SLAs), and specialist security vendors may offer proprietary tools designed to address specific defensive issues.
The challenge? Responsibility ultimately rests with first-party organizations. If a cloud provider is breached, companies can’t rely on SLAs or other agreements to protect them from liability. As a result, while shared responsibility is reasonable, businesses can’t offload all obligations to third parties.
3. Limited Skills and Time
IT Pro Today notes that 80% of organizations don’t have a dedicated cloud security team to manage infrastructure issues. In part, this stems from a lack of internal cloud skills — while many IT pros are familiar with the cloud, they don’t have specialized knowledge.
Time is the other part of this problem. With IT teams already handling a host of internal security concerns, it’s challenging to find the time for training and certification, in turn leading to a protective paradox — managing current and emerging cloud issues means that companies lack the skills and lack time to develop necessary security skills.
Four Ways to Increase Infrastructure Defense
While there’s no such thing as a perfect defense against potential cloud attacks, there are four simple ways for companies to increase infrastructure defense.
1. Give Security a Seat at the Table
It’s not enough to make security an IT focus or hire a third-party security provider. Security specialists need a seat at C-suite tables to defend cloud infrastructure effectively. This allows them to communicate key issues and raise potential problems before attackers have breached critical assets.
Put simply? An ounce of protection prevention is worth a pound of cloud cure.
2. Encrypt Everything
According to the Thales report, 83% of businesses still don’t encrypt 50% — or more — of the data they store in the cloud. By encrypting everything in the cloud, from highly sensitive data stores to less critical operational information, companies can reduce the impact of a potential infrastructure breach.
3. Create Robust Access Policies
According to Tessian, 85% of data breaches are caused by human error. While in the vast majority of cases, these errors are accidental rather than malicious; the outcome is the same: compromised cloud services.
Companies can reduce this risk by creating robust access policies that ensure the right people have access to the right data at the right time.
4. Test, Test, Test
Cloud security is dynamic. Threats are constantly evolving — for example, attackers are now using OneNote documents injected with malware to circumvent security detection by creating and implementing a regular cloud security testing framework, whether in-house or managed by an MSP, companies can stay ahead of the curve on security threats.
Keeping the cloud safe
Business strategy success isn’t possible without robust cloud infrastructure. Despite its importance, however, companies often ignore infrastructure security in favor of seemingly more immediate concerns. This approach, however, opens the door for malicious actors looking to compromise cloud services and access valuable digital assets.
To help reduce risk and improve infrastructure security, companies need to give security space at the table, encrypt data everywhere, create solid access policies, and consistently test protective approaches to ensure they deliver intended results.
MORE ON CLOUD
Image Source: Shutterstock