‘Building the plane while flying it’ is a Silicon Valley idiom that has probably felt a bit too real for the UK’s hardworking IT teams these last few months, faced, as many have been, with a sudden need to enable a remote workforce and ensure business continuity. The use of cloud services has soared, connecting infrastructure, people, devices, applications and information, in ways we would never have imagined before.
Cloud computing is a wonderful tool for business at any time. Organisations that haven’t embraced it already are likely to have it on their roadmap. Earlier this year we asked enterprise leaders in the UK about their top business priorities to 2025. Nearly four in 10 (39%) said they planned to move all computing and data into the cloud. They thought they’d have five years. Instead they had weeks.
What mattered most in March was ensuring the business got the IT it needed to keep going. It is almost inevitable that not everything was done perfectly. That was OK then, but it’s not now.
As a more normal working life starts to resume, this may be the perfect time to review those cloud setups and make sure we understand what we have, where it is, who has access to it and whether there are any security gaps.
It’s worth taking the time to do this properly. We’ve just published new research that shows that in the last year six in ten UK organisations that use public cloud services experienced a security incident. These incidents included attacks from ransomware and other malware, exposed data, and compromised accounts. For those organisations juggling several cloud environments at the same time, the number of security incidents not surprisingly went up.
Exposed assets and compromised credentials
By and large, attackers got into the public cloud environment because the business accidentally left a window open or the keys in the door. Over half (59%) of UK incidents resulted from a security misconfiguration leaving stuff exposed to the internet, while a third (38%) involved the abuse of stolen cloud account credentials. Just over one in four (28%) of the UK businesses surveyed admitted that they didn’t really have full visibility of what they’ve got in the cloud.
Security is a continuous process that involves managing and monitoring cloud environments all the time in order to stay one step ahead of determined attackers, or even just opportunistic ones looking for an easy way in. The good news is that businesses don’t need to do this alone, responsibility for security is shared between the organisation and its cloud service provider. But there are some basic security measures that businesses can and should introduce to protect their assets in cloud.
Cloud security checklist
Start by assuming that if you’ve got exposed assets in the cloud, hackers will find them. Attackers run automated scans to look for assets that are open to the internet, and if there is a bug or set-up error they can exploit or if they’ve got their hands on an employee’s cloud access credentials, they’ll use them.
Take a good hard look at how you’ve configured everything. Check for mistakes and oversights and correct them. Be selective about who has access permissions and set some robust authentication requirements. Treat remote virtual desktops with the same security respect as your most critical servers and provide secure connections for your workforce to access applications and corporate data, whether they’ve returned to the workplace or will remain remote for now.
Then make sure you have the right multi-layered security software in place. Invest in cloud workload protection with anti-malware technology. Cybercriminals use a wide range of techniques to get around defences. When one is blocked, they move on to the next one until they find something that can be exploited. A good security solution will be lying in wait to stop them.
Last, but definitely not least, understand your share of the responsibilities when it comes to security.
Essentially, your public cloud provider is responsible for physical protection at the datacentre and the virtual separation of customer data and environments, but the security of whatever you store or run in the cloud is down to you.
It’s time to take control
As we emerge into a new reality, there may a brief moment of relative calm as organisations get workplaces ready and make new plans. Let’s use that opportunity to take stock of our cloud computing infrastructures, to review and fix and prepare it for the exciting challenges that lie ahead.
