5 MIN. READ
The cloud has become an inescapable part of doing business—and so has cloud security.
Moving an application to the cloud or adopting a new cloud service can be a mixed blessing. For the most part, cloud service providers tend to make their applications more secure than an individual company’s security team would. However, statistics suggest most cloud applications used by employees—an estimated 94.8 percent—are not entirely enterprise-ready. Many companies lack the policies they need to be as secure as possible.
The ranks of enterprises with no cloud policies are rife with employees bringing in their own mobile devices and using their preferred services. An increasingly mobile workforce and the emergence of connected business devices, from printers to your company’s heating system to the break room refrigerator—the Internet of Things—are powered by on-demand services, making the cloud even more important at work. According to the cloud access security broker Netskope, in the third quarter of 2016, the average company had 1,031 cloud applications being used by employees.
With attackers becoming more sophisticated, you need to secure your cloud applications and make smart decisions about how to spend resources on security. While much of the focus on cloud security is on better development practices by app creators, for many companies that are consumers of apps and cloud services—and not creators—the applications often must be secured with zero visibility into their inner workings: the proverbial “black box.” For that reason, securing apps in the cloud should be treated much like securing on-premises devices.
Here are three basic steps to extending your security in the cloud:
1. Get visibility
Just as a business needs to be aware of what is going on with its own infrastructure, your security teams should also have visibility into the use and security of any cloud services. You need to know not only how employees are accessing cloud services, but which employees are accessing them.
You should take advantage of all the logging functionality offered by your cloud provider. Your provider should also be transparent in how it secures its infrastructure and provides information about security controls.
1,031
One thousand thirty-one cloud applications are being used by employees at the average enterprise.
2. Encrypt all data and identities
Business data kept in applications—and the data needed to access those applications, such as identity—become increasingly important when moved to the cloud.
“Cybercriminals are taking advantage of inconsistencies between the data center and the cloud.”
That same data can also be subject to privacy laws, such as the European Union’s General Data Protection Regulation beginning in 2018. Therefore, it’s critical that you make sure all data is securely encrypted.
Because remote access to cloud services is the new normal, the security of data stored in the cloud also relies on the ability to reliably identify users. Security teams should not assume that a user with the right credentials is authorized. Other authentication processes such as two-factor authentication, anomaly detection, and geolocation can all help make access to cloud services more secure and should be used when they do not overly burden workflow.
3. Create policies and educate users
Moving applications to the cloud gives security teams the opportunity (some might say obligation) to extend their policies outside the corporate network. Because any employee with a credit card can deploy a new cloud service, you need policies that are flexible and technology that can detect unsanctioned services—more commonly known as shadow IT.
Whether data is stored on premises or in the cloud, the same overall policies should apply. While complying to regulations is an obvious starting point, your cloud policies need to ensure security and not just compliance.
Robert Haynes is a solutions architect with over twenty years experience in IT. Starting at the bottom as a helpdesk analyst, his lackluster career has lead him through UNIX systems administration, backup and storage, and finally application networking. Having supported, designed, and sold complex IT systems across a range of industries and a number of continents, Robert’s focus is always on the practical implementation and real world use of technology. While this may seem utterly at odds with his current role in marketing for F5 Networks, he likes to think that he is primarily employed to bring balance to the Force.
Robert holds a B.Sc. in Applied Biology from the University of Wales College Cardiff, and a certificate in “Avoiding Collisions While Backing and Parking” from the Driving Dynamics Interactive Advanced Driving School, the latter of which has proved considerably more useful than the former.
About the Author
Related Blog Posts
The everywhere attack surface: EDR in the network is no longer optional
All endpoints can become an attacker’s entry point. That’s why your network needs true endpoint detection and response (EDR), delivered by F5 and CrowdStrike.
F5 NGINX Gateway Fabric is a certified solution for Red Hat OpenShift
F5 collaborates with Red Hat to deliver a solution that combines the high-performance app delivery of F5 NGINX with Red Hat OpenShift’s enterprise Kubernetes capabilities.
F5 accelerates and secures AI inference at scale with NVIDIA Cloud Partner reference architecture
F5’s inclusion within the NVIDIA Cloud Partner (NCP) reference architecture enables secure, high-performance AI infrastructure that scales efficiently to support advanced AI workloads.
F5 Silverline Mitigates Record-Breaking DDoS Attacks
Malicious attacks are increasing in scale and complexity, threatening to overwhelm and breach the internal resources of businesses globally. Often, these attacks combine high-volume traffic with stealthy, low-and-slow, application-targeted attack techniques, powered by either automated botnets or human-driven tools.
Volterra and the Power of the Distributed Cloud (Video)
How can organizations fully harness the power of multi-cloud and edge computing? VPs Mark Weiner and James Feger join the DevCentral team for a video discussion on how F5 and Volterra can help.
Phishing Attacks Soar 220% During COVID-19 Peak as Cybercriminal Opportunism Intensifies
David Warburton, author of the F5 Labs 2020 Phishing and Fraud Report, describes how fraudsters are adapting to the pandemic and maps out the trends ahead in this video, with summary comments.