Cloud adoption has brought a wave of change to today’s businesses, from enhanced internal collaboration and consumer engagement to improved agility and cost savings. The growth of private, public and hybrid cloud use among enterprises has done more than just spur digital transformation; it has broadened the infrastructure businesses need to secure. To safely embrace the cloud and reap its benefits, organizations need visibility into a larger and more complex landscape than ever before.

There are four broad categories of security issues when it comes to securing cloud infrastructure: human error, runtime threats, shadow IT and poor strategic planning.

Understanding these issues and their potential impact will be critical if organizations are to achieve the business outcomes they expect.

The 4 threats you must have a game plan for

  1. Human error

Of all four categories, human error is the one most often blamed for cloud breaches. According to Gartner, 99% of all cloud security failures through 2025 will be the customer’s fault.

These errors often take the form of misconfigured Amazon S3 buckets, open ports and the use of unsecure accounts or APIs. If left undetected, they can open the door for attackers looking to compromise cloud environments.

A key challenge to addressing human error is visibility. It is difficult for security to keep pace with the need to support the constantly changing and elastic reality of the cloud. In addition, using multiple point solutions to manage security across different cloud services as well as their on-premises environment has left many organizations struggling to maintain consistent security policies and enforcement. Without the ability to identify and remediate unsecure APIs and misconfigurations, cloud workloads can go from being IT assets to IT threats.
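One way to identify the misconfigurations named above (publicly granted S3 buckets and ports open to any address), as an added example that is not from the original article or from CrowdStrike. The sample data is constructed in the shape of AWS `GetBucketAcl` and `DescribeSecurityGroups` responses; the function names and the list of sensitive ports are assumptions.

```python
import ipaddress

# Group URIs that S3 ACLs use for "anyone" and "any authenticated AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Assumption: the ports this example treats as sensitive.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

def audit_bucket_acl(name, acl):
    """Findings for ACL grants that expose a bucket to everyone."""
    return [f"s3:{name}: {g['Permission']} granted to {g['Grantee']['URI'].rsplit('/', 1)[-1]}"
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]

def is_world(cidr):
    # A zero-length prefix (0.0.0.0/0 or ::/0) matches every address.
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_security_group(group):
    """Findings for ingress rules that open sensitive TCP ports to any address."""
    findings = []
    for rule in group.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if not any(is_world(c) for c in cidrs):
            continue
        proto = rule.get("IpProtocol")
        if proto == "-1":  # all protocols and ports; such a rule carries no port range
            findings.append(f"sg:{group['GroupId']}: all traffic open to any address")
        elif proto == "tcp":
            lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
            findings += [f"sg:{group['GroupId']}: {svc} ({port}) open to any address"
                         for port, svc in sorted(SENSITIVE_PORTS.items()) if lo <= port <= hi]
    return findings

# Constructed sample data; identifiers are placeholders, not real resources.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
SAMPLE_GROUP = {"GroupId": "sg-example", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]}
if __name__ == "__main__":
    print("\n".join(audit_bucket_acl("example-bucket", SAMPLE_ACL) + audit_security_group(SAMPLE_GROUP)))
```

Running the same checks on a schedule across every account and region, rather than once, is what addresses the visibility problem of an elastic environment.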

  2. Runtime threats

Cloud workloads can likewise go from being IT assets to IT threats when they are targeted using zero-day exploits. In public clouds, much of the underlying infrastructure is protected by the cloud service provider (CSP). However, organizations that fail to understand the shared responsibility model — which delineates the responsibilities of the CSP and the customer — sometimes create security holes for threat actors to exploit. This situation can enable attackers to target the operating system and application to obtain access. From there, they can potentially gain persistence through the use of malware or other similar techniques and move laterally throughout the organization’s environment.

Beyond attempting to gain a larger foothold in the environment, adversaries may also target intellectual property and confidential information stored in the cloud. The CrowdStrike Threat Research team has noted this trend this year across numerous breach investigations. Even if a cloud workload is properly configured, it may still be susceptible to unpatched vulnerabilities and zero-days, making runtime threats a critical concern for today’s enterprises.

  3. Shadow IT

Visibility issues are exacerbated by shadow IT, which by its nature circumvents the normal IT approval and management process. Usually, shadow IT is not created for malicious reasons. Its creation is typically the result of employees adopting cloud services in order to do their jobs. The ease with which cloud resources can be spun up and down makes controlling its growth difficult.

These unauthorized assets can threaten the environment because they are often not properly secured and are accessible via default passwords and misconfigurations. With cloud and DevOps teams looking to maintain high velocity, obtaining the visibility and management levels that security teams require is challenging.

DevOps teams want a frictionless way to ensure that they deploy secure applications and that their security solutions directly integrate with their continuous integration/continuous delivery (CI/CD) pipeline. There needs to be a unified approach for security teams to get the information they need without slowing down DevOps, and both security and IT teams will need to adapt and collaborate to meet each other’s needs.

  4. Lack of cloud security strategy and skills

The final critical security issue facing the cloud is the skills shortage and the lack of a cloud security strategy inside many organizations. As a result, many administrators attempt to secure cloud workloads the same way they secure their on-premises data centers. Unfortunately, traditional data center security models do not apply to cloud computing, and poor planning can open up new risks and vulnerabilities.

A key part of any strategy for cloud adoption is education — educating teams on security best practices such as how to store secrets, how to rotate keys and how to practice good IT hygiene during software development is critical. However, this piece of the puzzle is often overlooked. DevOps may be happening, but DevSecOps often is not — which is hampering the industry’s ability to make the cloud secure.

Winning means planning and execution

New tech and cloud adoption can be a double-edged sword. Organizations need it to innovate and improve business value; however, it is not without risk. CSOs are instrumental in the planning and execution of an effective cloud security program. With good planning and execution readiness, CSOs are in a prime position to influence growth and mitigate disruption by ensuring that business, technology, and DevOps intersect effectively. Learn more about CrowdStrike Cloud Security Solutions.

Engage with the author: David Puzas