Is the public cloud safe? Organisations often have this concern as they engage services from third-party cloud hosts. They may have a point – the public cloud is not necessarily as secure as we want to think.
The rise in cyberattacks partially correlates with the spreading adoption of public digital services.
While there is reason to be concerned, it’s not a definitive conclusion. “The public cloud is more secure than most private estates because public providers spend a lot on security and specialise in security as a critical part of their business model. But there are risks in the public cloud that customer companies aren’t aware of,” says Alastair Cox, head of Microsoft Consulting at cyber security company Performanta.
Three security threats
A good way to explain this puzzle is to focus on a popular public cloud: the Microsoft 365 ecosystem. Countless companies rely on MS365, using services that range from straightforward mail and collaboration to complex infrastructure and emerging technologies.
Such an environment has three general security threats:
* Firstly, criminals know the public addresses that connect to those services, so they don’t have to first discover where, for example, a target’s mail service resides before launching an attack.
* Secondly, most criminals rely on easy-to-use solutions such as Ransomware-as-a-Service that are sometimes optimised to target popular public clouds.
* Thirdly, the complex integrations between public clouds and company systems leave room for configuration errors that translate into security gaps.
“The public cloud’s biggest security risk emerges when companies assume their provider will take care of their security,” says Cox. “What we’re seeing more of is organisations that don’t sufficiently configure and integrate cloud security measures. They don’t generally realise how much bigger attack surfaces become with the public cloud.”
Security controls will change
The top public clouds are nearly impenetrable, so criminals look for weaknesses among client configurations. Companies don’t realise how much their internal security services must adapt to the new environment.
“When organisations move to cloud services, there is a misconception. It may just be the email service that is outsourced, but the entire environment needs to be reviewed and considered, including critical areas such as identity. Traditional controls are important, such as reviewing transport rules to harden the environment and reduce the likelihood of being an open relay. But be aware that if you’re living in Microsoft 365, you need to take a holistic approach, reviewing the entire set of controls available to you,” says Cox.
Responsible organisations appreciate that public cloud security is a two-way transaction, but they can underestimate the changes on their side and often overlook critical steps that will harden their security against criminals who exploit new blind spots in the public space. Fortunately, they can address and overcome such risks by using security benchmarks and assessments.
A new diligence for security
Companies adopting public cloud services need a new type of diligence. The practice of assessing security is fundamental. But in the context of public clouds, they shouldn’t make assumptions based on their previous security posture. They should systematically check and improve security components that tie into the new environment.
Cox recommends using security benchmarks such as those provided by CIS, or Microsoft’s Secure Score.
“These benchmarks provide a holistic approach to hardening your environment, allowing organisations to use pre-defined frameworks and strengthen their environment. By applying good controls, you’ll be able to lower the risk of being breached, as well as limit the impact of any breaches which may occur,” says Cox.
Companies can use security assessment services that understand the security tools available in cloud environments. Benchmarks and assessment partners make an effective combination to close public cloud security gaps and bring an added benefit.
“The best public clouds are very secure but they depend on customer security teams who understand the available controls. Assessment services provide guidance and insight that help established security teams identify key risks and advise on remediation. This creates a positive feedback loop, closing gaps, improving security knowledge, and building confidence in the public cloud,” says Cox.
Even though they are better equipped to repel cyberattacks, public clouds introduce new risks and attack opportunities. But when organisations continually tackle these with the support of benchmarks and assessment teams, the public cloud is very secure.