When Heraclitus penned the famous phrase "the only thing constant is change" more than two and a half millennia ago, he could not have imagined how hauntingly accurate his words would be in today's world. Nowhere is this truer than in the rapidly evolving world of IT, where change is not merely constant, but also constantly accelerating. While it's difficult for IT professionals to keep pace with all of the latest cloud developments, it's important to keep abreast of current issues in cloud security to maintain integrity and protect internal systems from unauthorised access or abuse. Being prepared to address threats to your enterprise data and infrastructure requires an understanding of exactly what you are up against. Here are several major trends impacting cloud security today.
While the motivation behind early attempts to infiltrate and defeat corporate security systems may have been driven by ego or out of a desire for notoriety, such threats are no longer the purview of isolated hackers looking for personal fame. It is becoming increasingly apparent that criminal organisations are staging well-resourced, sophisticated, targeted attacks for financial gain. With the increase in publicly accessible infrastructure via the internet, cybercriminals have expanded their attack targets from software to the platform. By leveraging cloud technology to expand their reach and avoid detection, these criminals have been able to increase the effectiveness of disseminating spam and malicious code.
As mobile devices and technologies continue to proliferate, employees are increasingly demanding to use personally owned devices to access enterprise applications, data, and cloud services. The growth in popularity of BYOD policies in the enterprise has been viewed by many executives as a valuable capital expense-reduction strategy. From an information security standpoint, however, BYOD increases the risk of corporate data loss or theft if personal devices are not adequately secured. Malicious apps installed on consumer smartphones that access data stored on the device without the user's consent pose another threat. The risk of lost or stolen devices and indeterminate physical access also heighten the risk of unauthorised access or security breaches to an organisation's cloud infrastructure.
The growth of virtualization and integration with public cloud infrastructure has left security perimeters and their controls within the datacentre in a state of flux. Data is no longer easily constrained or physically isolated and protected. API management and governance is also a critical discipline for enterprises to scale delivery of cloud services. Security must be well integrated with cloud service models, since reliance on weak APIs exposes organisations to a range of security issues. A fundamental understanding of the security implications associated with the usage and management of cloud-based APIs is crucial in maintaining the integrity, availability, and accountability of corporate IT systems.
Organizations face ongoing burdens of legal and regulatory compliance in jurisdictions within which they operate. With increasingly prescriptive demands and severe penalties for non-compliance or breaches, maintaining necessary standards of reporting and accountability can be a costly and difficult exercise. The geographically disperse nature of public or hosted cloud environments only compounds this complexity. Care must be taken to evaluate applicable legislation and when considering offshore cloud infrastructure, which may be different to local laws. Conversely, infrastructure physically hosted within local borders but owned and operated by a foreign entity may be exposed to additional regulatory scrutiny from the nation in which the foreign company has been registered.
Commonly cited examples of regulations in the United States include Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA). The Data Protection Act in the United Kingdom and the European Union (EU) Data Protection Directive are also important directives that impose strict controls on privacy and data retention in their respective jurisdictions.
As the pace of cloud technology development quickens and adoption within the enterprise becomes increasingly widespread, several major trends facing security professionals have become apparent. The level of sophistication and coordination of attacks on both software and infrastructure for financial gain, often facilitated by the ubiquity of personal IT devices, cannot be ignored. Elasticity of security perimeters fencing corporate IT systems in a cloud environment provides constant challenges. Privacy and data-protection controls must be implemented and strictly enforced in order to avoid costly litigation or judicial penalties. Effective cloud security requires continual monitoring, review, and an ability to adapt to the constantly shifting IT landscape.