Thursday, 30 December 2021

How born-in-the-cloud firms can ensure a proactive security posture

In 2021, India had a phenomenal year for startups. The Indian Tech Unicorn Report 2021 said that India saw 46 unicorns (companies with a valuation of more than $1 billion). India today also has the world’s largest startup ecosystem, with more than 60,000 startups.

A huge percentage of these startups relied on the cloud, thanks to the cloud’s natural ability to help startups achieve scalability at a lower TCO and access to the latest technologies. With a pay-as-you-go pricing model, the cloud has truly enabled early-stage start-ups or born-in-the-cloud firms to access technology services as required without the commitment of upfront capital. This allows startups to keep on experimenting with different services, and create a business model that can succeed in the market. Naturally, the cloud has acted as a big lever for startups to leapfrog without the restrictions of capital or scalability.

It is hence not surprising that startups prefer cloud-based platforms, as these give them the ability to scale quickly on a pay-per-use model. That said, while the cloud lets born-in-the-cloud enterprises take advantage of scale, it also exposes them to several vulnerabilities. Firstly, unlike the traditional model, cloud-based applications do not have fixed boundaries to guard.

Most born-in-the-cloud firms do not have large security teams, and growth and profitability are their main parameters. Security is almost an afterthought. In the rush to release products faster than the competition, security is always a lower priority. Due to the limited number of security personnel, there is a lack of control over, and understanding of, who can access sensitive or confidential information.

In many cloud-dependent firms, it is common to see information stored in applications that are beyond the control of the IT team. In most enterprises, the IT team is not even aware of these applications – this is referred to as ‘Shadow IT’. As these startups grow in scale, and workloads span multiple clouds, it becomes extremely challenging for these companies to secure their data.

While most cloud service providers have the best security processes and technologies to protect their infrastructure from cyber criminals, the onus of security still lies with the customer. Because of the ease of using the cloud, it is common for born-in-the-cloud firms to underestimate the risks, which have often proved to be costly and have led to many data breaches. However, as the research firm Gartner rightly points out, the challenge lies not in the security of the cloud itself, but in the processes and policies related to the configuration of the cloud. In most cases, an improper configuration is the cause of data breaches.

The Cloud Security Alliance highlights some of the most common risks with respect to cloud security. Some of these include misconfiguration and inadequate change control; lack of cloud security architecture and strategy; insufficient identity, credential, access, and key management; account hijacking; insider threats; insecure interfaces and APIs; limited cloud usage visibility; and abuse and nefarious use of cloud services. Not surprisingly, the research firm Gartner says that by 2025, 99% of cloud security failures will be the customer’s fault. For example, cloud misconfigurations, one of the most common reasons for data breaches, happen when default credentials given by the service provider are left unchanged.


Ensuring a secure cloud

One of the most effective steps that born-in-the-cloud firms can take is to encrypt their data. This includes encrypting static data and data in motion. If this is done, the stolen data will be of no use to any cybercriminal as it is unreadable without a key. It is also equally important to regularly scan for vulnerabilities such as SQL injections or hidden malware.

Additionally, as workloads can span multiple clouds, it is important for organizations to use cloud application security broker tools and multi-factor authentication. This can not only ensure one more layer of security but also reduce the possibility of data breaches.

As most born-in-the-cloud firms have small teams, they can get overwhelmed by the challenge of ensuring security – especially if the organization is growing fast. Last year, a survey by the Cloud Security Alliance pointed out that nearly one-third of the respondents still managed cloud security manually. This problem is magnified for cloud-dependent firms. This is where automation can help. Automation tools can not only enforce standardized policies across every cloud ecosystem but also help in automatically configuring firewalls, networks, databases, or access points. Automation can also help in automatically patching servers or virtual instances, which makes it possible for even smaller firms to ensure robust security. Cloud governance tools can help in bringing in a centralized and unified view for managing workloads across multiple clouds. Cloud governance tools can also be used to ensure compliance with respect to different regulations in different countries.
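As an added illustration (not part of the original post), here is a minimal sketch of what enforcing one standardized policy across several clouds can look like, covering the controls named in this article: encryption of static data and data in motion, unchanged default credentials, and multi-factor authentication. The inventory, its field names and the rule set are constructed for this example and do not correspond to any provider's API.

```python
from collections import Counter

DATA_KINDS = {"database", "storage"}
DEFAULT_ADMIN_NAMES = {"admin", "administrator", "root", "postgres", "sa"}

# Constructed, provider-neutral inventory (field names are assumptions).
INVENTORY = [
    {"id": "db-orders", "cloud": "aws", "kind": "database", "encrypted_at_rest": True,
     "tls_required": True, "admin_user": "orders_admin", "password_rotated": True},
    {"id": "db-analytics", "cloud": "gcp", "kind": "database", "encrypted_at_rest": False,
     "tls_required": True, "admin_user": "admin", "password_rotated": False},
    # tls_required is missing here: an unknown setting is treated as a failure.
    {"id": "bucket-exports", "cloud": "azure", "kind": "storage", "encrypted_at_rest": True},
    {"id": "user-ops", "cloud": "aws", "kind": "identity", "console_access": True,
     "mfa_enabled": False},
    {"id": "svc-ci", "cloud": "gcp", "kind": "identity", "console_access": False},
]

def rule_encrypt_at_rest(r):
    if r["kind"] in DATA_KINDS and r.get("encrypted_at_rest") is not True:
        return "data is not encrypted at rest"

def rule_encrypt_in_motion(r):
    if r["kind"] in DATA_KINDS and r.get("tls_required") is not True:
        return "plaintext connections are accepted"

def rule_default_credentials(r):
    is_default = r.get("admin_user", "").lower() in DEFAULT_ADMIN_NAMES
    if is_default and r.get("password_rotated") is not True:
        return "provider default credentials left unchanged"

def rule_mfa(r):
    if r["kind"] == "identity" and r.get("console_access") and r.get("mfa_enabled") is not True:
        return "interactive account without multi-factor authentication"

RULES = (rule_encrypt_at_rest, rule_encrypt_in_motion, rule_default_credentials, rule_mfa)

def audit(inventory):
    """Apply every rule to every resource; return (cloud, id, finding) tuples."""
    return [(r["cloud"], r["id"], msg)
            for r in inventory for rule in RULES if (msg := rule(r))]

def findings_per_cloud(findings):
    """Unified view: number of open findings in each cloud."""
    return Counter(cloud for cloud, _, _ in findings)

if __name__ == "__main__":
    for cloud, rid, msg in audit(INVENTORY):
        print(f"[{cloud}] {rid}: {msg}")
```

Treating a missing setting as a failure keeps resources that the inventory describes incompletely from passing silently.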

Last, but not least, born-in-the-cloud firms can take the help of managed service providers, who have the required expertise, credentials, experience, and skillsets to help these firms address the gaps in their security posture.

Going forward, as cloud-based usage will continue to be high, it is recommended that cloud-native firms take some of the steps as advised above, which can ensure that their growth is not hampered by any security-related issues.

#cloud #Security #Automation #ManagedService #partner #AWS #CloudInfra
