Categories

Editor's Choice
Tech Jobs Network
News & Events
Access Control & Identity Management
AI & Data Analytics
Asset Management
Associations
Conferences & Events
Facilities & Building Management
Fire & Safety
Information Security
Infrastructure
Integrated Solutions
IoT & Automation
Perimeter Security, Alarms & Intruder Detection
Power Management
Products & Solutions
Security Services & Risk Management
Smart Home Automation 
Surveillance
Training & Education
Videos
Security by Industry Sector ▾








Print this page printer friendly version

Is the public cloud secure?

Issue 6 2022 Information Security, Security Services & Risk Management

Is the public cloud safe? Organisations often have this concern as they engage services from third-party cloud hosts. They may have a point; the public cloud is not necessarily as secure as we want to think. The rise in cyberattacks partially correlates with the spreading adoption of public digital services.

While there is reason to be concerned, it’s not a definitive conclusion. “The public cloud is more secure than most private estates because public providers spend a lot on security and specialise in security as a critical part of their business model. But there are risks in the public cloud that customer companies aren’t aware of,” says Alastair Cox, head of Microsoft consulting at cybersecurity company, Performanta.

Three security threats

An effective way to explain this puzzle is to focus on a popular public cloud: the Microsoft 365 ecosystem. Countless companies rely on Microsoft 365, using services that range from straightforward email and collaboration to complex infrastructure and emerging technologies. Such an environment has three general security threats.

1) Firstly, criminals know the public addresses that connect to those services, so they don’t have to first discover where, for example, a target’s email service resides before launching an attack.

2) Secondly, most criminals rely on easy-to-use solutions such as Ransomware-as-a-Service that are sometimes optimised to target popular public clouds.

3) Thirdly, the complex integrations between public clouds and company systems leave room for configuration errors that translate into security gaps.

“The public cloud’s biggest security risk emerges when companies assume their provider will take care of their security,” says Cox. “What we’re seeing more of is organisations that don’t sufficiently configure and integrate cloud security measures. They don’t generally realise how much bigger attack surfaces become with the public cloud.”

Security controls will change

The top public clouds are nearly impenetrable, so criminals look for weaknesses among client configurations. Companies don’t realise how much their internal security services must adapt to the new environment.

“When organisations move to cloud services, there is a misconception. It may just be the email service that is outsourced, but the entire environment needs to be reviewed and considered, including critical areas such as identity. Traditional controls are important, such as reviewing transport rules to harden the environment and reduce the likelihood of being an open relay. But be aware that if you’re living in Microsoft 365, you need to take a holistic approach, reviewing the entire set of controls available to you,” says Cox.

Responsible organisations appreciate that public cloud security is a two-way transaction, but they can underestimate the changes on their side and often overlook critical steps that will harden their security against criminals who exploit new blindspots in the public space. Fortunately, they can address and overcome such risks by using security benchmarks and assessments.

A new diligence for security

Companies adopting public cloud services need a new type of diligence. The practice of assessing security is fundamental. But in the context of public clouds, they shouldn’t make assumptions based on their previous security posture. They should systematically check and improve security components that tie into the new environment.

Cox recommends using security benchmarks such as those provided by CIS, or Microsoft’s Secure Score.

“These benchmarks provide a holistic approach to hardening your environment, allowing organisations to use predefined frameworks and strengthen their environment. By applying good controls, you’ll be able to lower the risk of being breached as well as limit the impact of any breaches which may occur,” he says.

Companies can use security assessment services that understand the security tools available in cloud environments. Benchmarks and assessment partners make an effective combination to close public cloud security gaps, and bring an added benefit.

“The best public clouds are very secure, but they depend on customer security teams that understand the available controls. Assessment services provide guidance and insight that help established security teams identify key risks and advise on remediation. This creates a positive feedback loop, closing gaps, improving security knowledge and building confidence in the public cloud,” says Cox.

Even though they are better equipped to repel cyberattacks, public clouds introduce new risks and attack opportunities. But when organisations continually tackle these with the support of benchmarks and assessment teams, the public cloud is very secure.




Share this article:
Share via emailShare via LinkedInPrint this page


Further reading:

What are MFA fatigue attacks, and how can they be prevented?
Information Security
Multifactor authentication is a security measure that requires users to provide a second form of verification before they can log into a corporate network. It has long been considered essential for keeping fraudsters out. However, cybercriminals have been discovering clever ways to bypass it.

Read more...
SA's cybersecurity risks to watch
Information Security
The persistent myth is that cybercrime only targets the biggest companies and economies, but cybercriminals are not bound by geography, and rapidly digitising economies lure them in large numbers.

Read more...
Cyber insurance a key component in cyber defence strategies
Information Security
[Sponsored] Cyber insurance has become a key part of South African organisations’ risk reduction strategies, driven by the need for additional financial protection and contingency plans in the event of a cyber incident.

Read more...
Deception technology crucial to unmasking data theft
Information Security Security Services & Risk Management
The ‘silent theft’ of data is an increasingly prevalent cyber threat to businesses, driving the ongoing leakage of personal information in the public domain through undetected attacks that cannot even be policed by data privacy legislation.

Read more...
Data security and privacy in global mobility
Security Services & Risk Management Information Security
Data security and privacy in today’s interconnected world is of paramount importance. In the realm of global mobility, where individuals and organisations traverse borders for various reasons, safeguarding sensitive information becomes an even more critical imperative.

Read more...
Sophos celebrates partners and cybersecurity innovation at annual conference
News & Events Information Security
[Sponsored] Sun City hosted Sophos' annual partner event this year, which took place from 12 to 14 March. Sophos’ South African cybersecurity distributors and resellers gathered for an engaging two-day conference.

Read more...
Proactive strategies against payment fraud
Financial (Industry) Security Services & Risk Management
Amid a spate of high-profile payment fraud cases in South Africa, the need for robust fraud payment prevention measures has never been more apparent, says Ryan Mer, CEO of eftsure Africa.

Read more...
How to prevent and survive fires
Fire & Safety Security Services & Risk Management
Since its launch in August 2023, Fidelity SecureFire, a division of the Fidelity Services Group, has been making significant strides in revolutionising fire response services in South Africa.

Read more...
A long career in mining security
Technews Publishing Editor's Choice Security Services & Risk Management Mining (Industry)
Nash Lutchman recently retired from a security and law enforcement career, initially as a police officer, and for the past 16 years as a leader of risk and security operations in the mining industry.

Read more...
Risk management: There's an app for that
Editor's Choice News & Events Security Services & Risk Management
Zulu Consulting has streamlined the corporate risk management process with the launch of Risk-IO, a web-based app designed to consolidate and guide risk managers through the process, monitoring progress as one proceeds.

Read more...











SMART Security Business Directory



Published by Technews

»  Dataweek Electronics & Communications Technology
»  Electronics Buyers' Guide (EBG)

»  SMART Security Solutions
»  SMART Security Business Directory

»  Motion Control in Southern Africa
»  Motion Control Buyers' Guide (MCBG)

»  South African Instrumentation & Control
»  South African Instrumentation & Control Buyers' Guide (IBG)



© Technews Publishing (Pty) Ltd. | All Rights Reserved.