Cloud security risks remain very human

Most of us picture cloud security threats as bad actors in some hostile country. More often, it’s you and your coworkers.

Talk about cloud security and you’re likely to discuss provider-focused issues: not enough security, not enough auditing, not enough planning. However, the biggest cloud security risks continue to be the people who walk beside you in the hallways. According to the latest “Top Threats to Cloud Computing” report by the Cloud Security Alliance on the HealthITSecurity website, the scary calls are coming from inside the house.

Based on a survey of more than 700 cybersecurity professionals, the report showed that the top 11 threats to cloud security include insecure interfaces and APIs, misconfigurations, lack of a cloud security architecture and strategy, as well as accidental cloud disclosure. The actual threats are not the bad actors sitting in an abandoned warehouse; it’s Mary in accounting, Robert in inventory IT, even Susan in IT security.

Researchers noted that the current view on cloud security has shifted the responsibility from providers to adopters. If you ask the providers that have always promoted a “shared responsibility” model, they have always required adopters to take responsibility for security on their side of the equation. However, if you survey IT workers and rank-and-file users, I’m sure they would point to cloud providers as the linchpins to good cloud security.

It is also interesting to see that shared technology vulnerabilities, such as denial of service, communications service providers data loss, and other traditional cloud security issues ranked lower than in previous studies. Yes, they are still a threat, but postmortems of breaches reveal that shared technology vulnerabilities rank much lower on our list of worries.

The core message is that the real vulnerabilities are not as exciting as we thought. Instead, the lack of security strategy and security architecture now top the list of cloud security “no-nos.” Coming in second was the lack of training, processes, and checks to prevent misconfiguration, which I see most often as the root causes of most security breaches. Of course, these problems have a direct link. The lack of security planning and security architecture are part of the reasons that misconfigurations occur in the first place.

At the heart of the matter is a lack of resources. Cloud security issues arise when enterprises are not willing or able to spend the money needed for a proper security plan. Also, just as important, organizations need to continuously coach people on proper security procedures until it’s second nature. This needs to be ongoing and coupled with a change in culture from a “mostly trust” to a “zero trust” security mentality.

IT staff still find sticky notes with user IDs and passwords throughout the enterprise and often discover cloud resources being leveraged in unauthorized ways. It sounds absurd, but I know of instances when public cloud storage and compute systems were being used by the children of IT leaders to complete homework assignments—I saw this happen more than once, in more than a few enterprises. I wish I were kidding.

Fortunately, the solutions to system security problems are easy to define: more resources and a greater focus on cloud security. With that said, you can’t just toss technology at the problem. The fix requires a sound security plan that will define what is to be done during at least the next five years to secure your systems.

It’s often more difficult to define how the culture needs to change and then implement the changes. All the training in the world won’t do much good if you’re dealing with a culture of apathy.

It’s always nice to blame others for system shortcomings. That’s not possible this time, and it won’t be the case moving forward. It’s time to start addressing your security issues by looking in the mirror.