How secure is cloud storage for SMEs?

The cloud storage market is on a rapid growth trajectory. In fact, according to Fortune Business Insights, it’s set to reach USD 472.47 billion by 2023. Marked by a relentless surge in big data, pacey technological advancements, and a hunger for both cost savings and efficiencies across the board, more organisations are turning to digital storage solutions than ever before. But how secure is cloud storage really?

Mark Allen, head of cyber, explores the strategies that underpin successful migration and maintenance — from combatting cloud sprawl and leveraging data insights to empowering a culture of vigilance among employees and stakeholders alike.

 

What is cloud security?

When the entire tech estate was on-premise, IT leaders had a small and contained selection of local devices to secure. As well as offering a great degree of control over where data resides, it meant cyber security infrastructure could be tailored to meet specific compliance requirements on-site. Above all else, it was relatively simple to procure, implement, monitor, and maintain safeguarding solutions — not least because everything was right there, in front of you.

Now, with so many ‘as a service’ offerings rolled into one environment, spread across a number of cloud service providers (CSPs), managing virtual technology estates naturally becomes more difficult. This is especially true for firms who implemented knee-jerk solutions at the height of the pandemic — never to be managed, maintained, or rationalised down the line. 

However, as attack surfaces grow, perpetrators become savvier in their approach, and data’s value as a currency increases, maximising security posture has never been so crucial. Firms in the firing line don’t just risk downtime. Today, financial and reputational consequences, as well as legal repercussions, are tenfold. With that in mind, SMEs must understand the best practices at play right now, as well as how to implement them effectively.

 

What are the security risks of cloud computing?

One of the most hotly debated topics in the cyber security space, is the mindset of ‘if’ versus ‘when’. For many C-suite executives, attacks are inevitable — so, why plunge time and investment into defence mechanisms? For others, it remains that prevention is always better than the cure. We sit at a happy medium, here at CloudCoCo. 

From zero trust and multi-factor authentication to firewalls, advanced monitoring tools, and more, we’re big advocates of building foundational resilience. Equally, we understand that threat actors are socially engineered to be one step ahead. That means the likelihood of being protected at all times is never 100%. Being able to identify, isolate, and remediate threats as soon as possible is therefore key. 

Are cloud based services more secure than on-premise infrastructure? Yes — but only if managed the right way. With that in mind, here are some of the biggest challenges facing firms when trying to protect data in the cloud:

 

Lack of oversight, exacerbated by cloud sprawl

The proliferation of data and resources isn't inherently a risk, but lack of oversight is one of the biggest hurdles for scaling SMEs. And this is only exacerbated by misunderstandings of contracts, terms and agreements with major hyperscalers.

Public cloud environments are inherently complex and distributed. When multi-cloud, hybrid cloud, and serverless architectures are added to that makeup, it can become even more challenging to manage the cyber security perimeter.

While securing applications does require careful consideration, this isn’t necessarily the struggle. Instead, it’s the lack of control over underlying infrastructure. For example, so many firms presume public cloud providers have cyber security covered. The reality is, shielding your tech environment is a shared responsibility — a ‘job zero’, according to AWS. Public cloud providers don’t provide end-to-end security, they simply secure what belongs to them. That means the core infrastructure, not the systems or data held on them. 

So, how is data security ensured in cloud computing services? The data owner must understand exactly which obligations they have, in relation to respective CSPs, and implement effective measures to safeguard sensitive information, ultimately preventing liability in the event of a breach. Not to mention, inefficient cloud management can also hamper budgets and resources.

As part of this, it's critical to have monitoring tools that flag any weaknesses. This is no mean feat, especially if there’s a myriad of solutions employed by multiple different providers. However, backed by global cyber security leader, Fortinet, our single-pane-of-glass solution means we can maintain complete oversight, wherever data is held.

 

Shadow IT and unchecked spending

At a time when spending caution should be a priority, many employees continue to go rogue with the company’s tech budget. It’s perhaps unsurprising, then, to see so many C-suite executives being sceptical about the ROI of cloud — not least against such a tumultuous financial backdrop. But this practice of ‘shadow IT’ — deploying systems without the permissions and protocols of the central IT department — isn’t just about unchecked spending. 

Ask yourself: Are cloud services secure if you don’t know which applications are stored there in the first place? You can’t protect what you can’t see. And, while self-provisioning may be great for agility and productivity, it can be of major detriment to the visibility of the tech stack — risking vulnerabilities, misconfigurations, and undetected policy violations.

If data or other assets are stored on personal devices, for example, this expands the business’ attack surface, baiting weaknesses that are not protected by the firm’s blanket solutions — such as antivirus, firewalls, edge AI and endpoint detection and response (EDR). Not to mention, if the data in the cloud server isn’t backed up properly. 

This is rarely malicious. Rather, employees are seeking a truly flexible and frictionless experience in managing their workload. For scaling SMEs, you could even go as far as to say shadow IT is inevitable (in parts!). Organisations must therefore implement steps to manage the challenge on an operational level — placing the onus on the employer, rather than the employee. At CloudCoCo, we’d recommend:

  • Conducting regular audits to assess any changes to infrastructure — exploring their suitability and how effectively they have been implemented, and rationalising any assets that are idle, redundant, or broken.
  • Maintaining visibility over the network to ensure all endpoints, applications, and systems are monitored at all times. An effective cloud security posture management tool can detect and prevent misconfigurations and blind spots that might be compromising strength.
  • Empower employees with seamless ways to procure assets as required — with approval and provisioning processes that are efficient, while maintaining a sharp focus on cost, compliance, and security.
  • Create a roadmap that prioritises ‘plan B’ remediation strategies in the event of rogue purchasing.

 

Insider threats 

A leading cause of cloud-based cyber attacks, insider threats can be one of the most damaging risks to cloud security. These stem from any person, or people, associated with the organisation that has been breached — including current or former employees, contractors, consultants, board members, or vendors. While not always conducted with malicious intent, they’re incredibly harmful because they occur so close to the source.

Implementing strategies such as zero trust network access (ZTNA) is an effective method to combat the challenge. Operating on the premise that no person, or device, should be trusted by default, it ensures everything is vetted before entering your cloud environment. Because this authentication can take place any time, from any place, it has quickly become a solution of choice for geographically disparate workforces.

Beyond this, ongoing training and development is key. More than handing over a process document, this should involve active participation in threat simulations, as well as encouraging users to raise any cyber security concerns impacting the integrity of your cloud infrastructure. Empowering a culture of vigilance can be the difference between having immediate responses to threats, and hours lapsing before any action is taken.

 

Spreading focus areas too thin

Despite common misconception, plunging more capital into cyber security infrastructure doesn’t always mean it’s better. If you’re in a highly regulated industry — such as finance, healthcare, law, or education — it makes sense to be extra vigilant. But not everyone needs the full bells and whistles, so don’t drill too deep for the sake of it.

Instead, prioritise the right solutions for your business’ unique needs, and procure them from a truly credible expert. It’s a delicate balancing act. However, viewing cyber security as an investment, rather than an expense, and taking stock of the challenge before implementing a generic solution, will pay dividends long-term. 

 

The bottom line

Understanding which aspect is the most important for cloud security is difficult. Rarely is there ever a one-size-fits-all solution — a holistic strategy will set organisations up for the most fruitful success. Above all else, don’t rest on your laurels. Cloud security is an evolving field, with dynamic threats emerging constantly.

Whether you’ve yet to embrace the transition to the cloud or are mid-roadmap execution, the support of a trusted IT partner can be an invaluable investment too. Having navigated a range of cyber security challenges in complex cloud environments, CloudCoCo is perfectly placed to see how your current practices measure up. Better still, we know how to tweak the dials to make sure all the levels are right. That way, you can focus on driving your core business objectives, safe in the knowledge your cloud storage concerns are covered.

Take advantage of our free NCSC audit to get the ball rolling. Or, if you want to hear more on this topic from industry leading lights, we’re hosting ‘Security First: Shielding SMEs With Cyber Security Expertise’ on 19 June, in Leeds. Secure your place.


Leave a comment!

Your email address will not be published. Required fields are marked *