Why cloud security matters and why you can't ignore it

Cloud means handing over data and apps, but that doesn't mean giving up responsibility for security.
Written by Danny Palmer, Senior Writer
Image: Getty

As convenient as cloud computing has become, it isn't without problems. Poor cybersecurity planning for cloud applications, such as allowing users to rely on simple passwords, failing to use multi-factor authentication or not applying patches and updates, can leave you vulnerable to attacks.

Managing cybersecurity was already a challenge for many organisations and their boardrooms: adding the cloud just widens the potential threat surface and increases the complexity for many.

That's especially the case for firms that might not even be aware of their cybersecurity responsibilities when it comes to cloud services.

"Sometimes we still have a perception by organisations that it's a set-and-forget-it mentality," says Jason Nurse, associate professor in cybersecurity at the University of Kent. 

"The reality is that, for many organisations, they view using the cloud as sort of handing over all responsibility on security and data protection," he adds.


But, he points out, a lot of responsibility still falls on these organisations to do things to ensure that they have the right setup, to ensure that they have the cloud configured correctly and that they don't have data "hanging around" that's not appropriately protected. 

The lack of understanding around configuring and securing cloud services can leave sensitive information exposed – potentially even directly to the open internet where anyone, including malicious cyber criminals, can see it. 

This isn't just a theoretical problem, as cases of misconfigured cloud environments exposing sensitive information are regularly uncovered.  

"Organisations do not completely understand the cloud environment and a lack of expertise and skill set makes it difficult for businesses to identify and implement the right set of security controls to protect their cloud operations," says Prakash Venkata, principal within PwC's cybersecurity, risk and regulatory practice. 

"Companies that seem to be ignoring cloud security altogether may be doing so due to a lack of understanding, a lack of skills and expertise, limited time due to competing corporate initiatives, or limited budget to invest in leading tools," he adds. 

But cloud security isn't something that can just be ignored – if your organisation is using cloud applications or servers, securing it is a must, particularly as cyber criminals and other malicious hackers are on the lookout for insecure services they can exploit to gain access to networks with relatively low effort. 

SEE: Cloud computing security: New guidance aims to keep your data safe from cyberattacks and breaches

For example, there's been a big rise in enterprises and employees using cloud application suites for emails, managing documents and other daily tasks. It's beneficial for employees, but if those accounts aren't secured properly, they can provide an easy backdoor for attackers.

If your organisation isn't on top of its cloud security strategy, it could be easy for the information security team to miss early signs of suspicious activity, only to finally notice when it's too late, once information has been stolen or ransomware has encrypted the network. 

There are also additional steps that information security teams can take to bolster cybersecurity defences of cloud services, such as rolling out multi-factor authentication to all users. This provides an opportunity to stop and detect malicious intrusions before they happen, because even if the attacker has the correct password, the user has to confirm that it's a legitimate login attempt.

"Identity access management, the ability to ensure that networks' data system services can only be accessed by by authorized parties, that's really the essential bit," says Nurse.

"Even considering the basic stuff, such as multi-factor authentication on key accounts and key services, I think those are the things that are more and more required broadly," he adds.

SEE: Terrible cloud security is leaving the door open for hackers. Here's what you're doing wrong

And just because software is cloud-based, that doesn't mean it doesn't require security patches and updates. If there's a security update available for cloud software, it's best to apply it as soon as possible, particularly as cyber criminals also know about the vulnerabilities and will do their best to exploit them. For this, it's important to select the right cloud vendor. 

A good cloud service provider that becomes aware of security vulnerabilities in their products will roll out those patches to customers as soon as possible, providing the customer with the greatest opportunity to stay protected from attacks, using the exploit – as long as they apply the update on time. 

However, your choice of cloud service provider could make a significant difference to your overall cloud security strategy. Many vendors will be responsive, quickly supplying updates and fixes for cloud software issues – but some aren't, and it's important to learn which these are before signing a contract.  

"There's no point choosing a cloud provider that has really cheap services, but then that cloud provider doesn't patch regularly or doesn't monitor its own attack surface, because at the end of the day, it's still the organisation's data that could be breached," says Nurse. 

Even when you have a cybersecurity strategy around cloud in place, that's not the end of the journey – and much like when you first start using cloud services, you can't just ignore it and hope for the best. Cybersecurity is always evolving, new threats emerge, and new strategies need to be applied to help keep networks and users as safe and secure as possible.  


Editorial standards