Is security keeping pace with growth for cloud native enterprises?

While cloud computing was always popular, the impact of the pandemic has made it a must have strategy for companies. The cloud has become the pivot for new age businesses empowering a host of new digital experiences that would have been difficult to achieve in the real world. For many startups, the cloud is a springboard, allowing them to leapfrog the constraints of finance and scale. Not surprisingly, Gartner says that more than 85% of organizations will embrace a cloud-first principle by 2025 and will not be able to fully execute on their digital strategies without the use of cloud-native architectures and technologies. The research firm also says that by 2025, over 95% of new digital workloads will be deployed on cloud-native platforms, up from 30% in 2021. 

It is not surprising hence for startups to prefer cloud only platforms, as they give them the ability to scale fast on a pay-as-you grow model. While the cloud gives cloud-native firms the capability to grow fast, the increased speed exposes them to vulnerabilities that they have not thought of. For example, cloud-native applications, by their nature, are dynamic and use a combination of serverless functions and multiple cloud platforms. Unlike traditional on-premise models, where the enterprise security team only needed to protect the specific server on which the application was hosted, cloud-native applications do not have a fixed perimeter. 

While cloud service providers have robust security measures to protect their infrastructure from hackers, the responsibility of security still lies with the customer. The cloud’s ease of use has made many cloud-native organizations underestimate the risks, which can prove to be costly. Gartner says that by 2025, 99% of cloud security failures will be the customer’s fault. This is important, as customers are responsible for securing the applications or databases that they have hosted on public cloud platforms. For example, cloud misconfigurations are a common cause of data breaches. Cloud misconfigurations happen when default credentials are left unchanged or excessive permissions are granted. 

Misconfiguration is just one aspect of inadequate cloud security. Besides misconfiguration, the Cloud Security Alliance, lists ten more threats to cloud computing. These include: data breaches, lack of cloud architecture and security, Insufficient Identity, Credential, Access and Key Management; Account Hijacking; Insider Threats; Insecure Interfaces and APIs; Weak Control Plane; Metastructure and Applistructure Failures; Limited Cloud Usage Visibility and Abuse and Nefarious Use of Cloud Services.

Most emerging cloud native firms have small teams, and security is an afterthought. Speed to market is a key focus area, and in the race towards releasing products or services faster to the market, security is often overlooked. As a result, there are a host of issues that crop up due to inadequate cloud security. There is lack of visibility and control on who can access confidential or sensitive data. In many cases, cloud-based applications are created or accessed by departments which the IT team is not aware of – a term called ‘Shadow IT’. With inadequate staff or expertise, cloud-native firms also do not have the ability to monitor their cloud workloads or applications for vulnerabilities. Additionally, as data and applications span multiple clouds, it becomes challenging for cloud-native firms to understand and monitor who is accessing which application. It is hence not surprising to see many cloud-native firms or startups being at the forefront of several publicly revealed data breaches. Security clearly has not kept pace at the pace that cloud-native firms are growing. 

What needs to be done?

In most of the data breaches, despite several examples, cloud-native firms have failed to encrypt their data. To prevent sensitive data falling into wrong hands, it is important to encrypt all data, be it static or in-motion data. If data is encrypted, it is of no use to hackers as it becomes unreadable without the unlocking key. This will prevent data leakage risks due to network eavesdropping or man-in-the-middle attacks. This alone can prevent some of the biggest data breaches that have occurred due to unauthorized users accessing confidential data.

Cloud-native firms also need to regularly scan their cloud ecosystem setups for known vulnerabilities such as SQL injections, cross-site scripting, embedded malware or improper server configurations. This can help server and application administrators to take the required necessary steps to protect the applications and associated cloud infrastructure.

As identity is the new perimeter, it is difficult to provide secure access in an environment which spans multiple clouds. In such environments, it is recommended to use cloud application security broker tools for application access and multiple-factor authentication. This enables enterprises to enforce an additional layer of security. This also helps in understanding who is accessing what kind of data and reduces the possibility of a data breach.   

In addition, given the vast and diverse landscape and the complexity of cloud environments, enterprises must consider using automation tools. Enterprises can use cloud automation tools to automate reporting, detect intrusion attempts and use governance features to stay compliant with respect to different regulatory requirements such as GDPR, HIPAA in healthcare or SOX in the financial services space. An automated cloud management tool can also help in enforcing and configuring permissions based on roles rather than individual users. Automation can also be used effectively for patching, where a lot of servers can be patched without manual intervention. Using behavioral analysis tools, automation can also help in analyzing the network and responding to an attack quickly -- this is extremely useful in the case of detecting zero day attacks. More importantly, automation can also help in quickly bringing up another site as part of a disaster recovery plan, if the first site is hit by ransomware or cyberattacks. Cloud automation tools can also be used for running automated and scheduled checks for continuous compliance monitoring. Organizations can also consider outsourcing the task of ensuring security to a specialist Managed Security Service Provider (MSSP). Most MSSPs have the experience, expertise and the infrastructure to help enterprises create a better security posture. MSSPs are also better equipped to handle the latest threats as they continuously monitor threat vectors, and can also ensure regulatory compliance. 

In the current scenario where attacks against cloud-based ecosystems have amplified, cloud-native firms have to be extremely vigilant to ensure that even a small gap in security does not cripple their growth. By following some of the recommendations mentioned above, cloud-native firms can ensure that their growth continues to be un-interrupted by utilizing the full power and potential of the cloud to leapfrog to new levels. 

The article has been written by Rishikesh Kamat, Vice President-Managed Services, NTT, Global Data Centers and Cloud Infrastructure, India