Secure cloud. Insecure use. (And what you can do about it)

Anton Chuvakin
Security Advisor, Office of the CISO
For many IT workers and the organizations that employ them, the debate is over: The cloud is secure. But if that’s the case, why are there still cloud security breaches? The problem is the paradox at the heart of cloud security: The cloud is secure, but the way you use it is not.
We know that cloud security superiority is supported by three key factors:
- The economy of scale, with the decreasing marginal cost of security raising the baseline level of security;
- The cloud acting as a digital immune system, where every security update is informed by a threat, vulnerability, or new attack technique often identified by someone else’s experience, creating an accelerating feedback loop that provides better protection;
- The increased deployment velocity, where automated software deployments and updates deliver security enhancements, including more frequent security updates.
Nine key reasons why the cloud is secure.
Indeed, classic on-premises security risks persist in the cloud, and they are coupled with new ones. Think buffer overflows in traditional applications that have been shifted to the cloud, container escapes, and other cloud-native issues.
While that might sound like a delightful finger-pointing exercise, it's actually unhelpful. We want to get to the heart of what “using cloud securely” actually entails. As Rich Mogull, CEO, Securosis, said on a recent Cloud Security Podcast, “You need to know cloud, because unless you know cloud, you can't really use cloud securely.”
At Google Cloud’s Office of the CISO, we know that this can be challenging. Threat actors use phishing scams, malware, and other techniques to try to gain access to your data, mixing cutting-edge and old-school methods, and new threats are emerging all the time. Many classic on-premises threats, such as credential theft and abuse, are just as widespread in the cloud, while others (Windows malware, for example) are less common.
As part of our shared fate commitment to our customers, we strongly recommend that you stay current on the latest cloud security trends, and take a proactive approach to protecting your data. You need multiple layers of security to protect your data, including strong passwords, encryption, and network access control.
Simply replicating your on-premises data center security practices in the cloud is worse than ineffective: it is a wasted effort that can miss critical risks. It’s also often a financial black hole.
We need to reinvent defense-in-depth for the cloud. This means re-thinking classic network security models like DMZs, as they might not be suitable or even necessary. It also means understanding that traditional endpoint detection and response (EDR) may not even be applicable in modern serverless environments.
Copy-paste, lift and shift, however you refer to it, will lead you down a path of increased risk. The key is to adapt.
Sharing cloud security responsibilities
Consider a situation where your software-as-a-service (SaaS) enterprise resource planning (ERP) vendor relies on a partner to build your custom system, and that system is monitored by a managed detection and response (MDR) provider that relies on a SaaS security information and event management (SIEM) tool. Who does what if a threat is missed? Who is at fault? Who can fix it? Do you need AI to track the acronyms? Shared responsibility can be inscrutable, sometimes.
The good news is there are some frequent shared-model mistakes and pitfalls to watch out for, and avoiding them can help transform shared confusion into shared opportunity.
One is misunderstanding the model: organizations misunderstand who does what and over-delegate to the cloud provider. Not understanding your own responsibilities is an issue too, as organizations often don't realize that they are responsible for key security activities.
Also, security technology on the provider side changes rapidly, and security teams are not able to keep up with the changes. And many times the complexity and nuance of how the model applies can lead to confusion about who is responsible for what, especially when more than two parties are involved.
We advise security teams that they should start with the basic framework for the secure use of cloud.
Use cloud securely: The basics
Chances are good that you’ve incorporated these six foundational security components in your organization’s systems: asset management, configuration management, application security, data security, threat detection and response, and, most importantly, identity and access management.
Cloud security primer.
Once again: IAM
Of those six foundational elements of cloud security, the most complicated and most vital is IAM. If you only have time to revisit one of the six, take an auditor's eye to your current IAM approach.
IAM also is a microcosm of the “secure cloud, insecure use” paradox. IAM is vital for cloud security: Managing identities and their related access to resources and applications is critical for minimizing risk, but managing it properly can be complicated. This reality necessitates a shift from merely migrating on-premises security to a re-imagined defense in depth tailored for the cloud.
To effectively navigate this complex landscape and secure your cloud deployments, make these steps a priority:
- Know what you have in the cloud through robust asset management.
- Be acutely aware of your specific threat models and the real cloud threats you face.
- Configure tools and services securely to prevent common misconfigurations.
- Get cloud IAM right for you — the most vital and complex security component.
- Consistently detect threats against your cloud environment.
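Two of the steps above, configuring services securely and getting cloud IAM right, can be checked mechanically. The following is an added example, not code from the original post or from Google Cloud: a small Python audit over a project IAM policy in the JSON shape that `gcloud projects get-iam-policy PROJECT_ID --format=json` returns, flagging the over-delegation patterns that turn a secure cloud into insecure use (basic roles, public principals, and identities outside the organization's own domains). The sample policy, the project name and the domains are constructed for the example; the set of trusted domains is an assumption the caller supplies.

```python
"""Audit a Google Cloud project IAM policy for common over-delegation patterns.

Added example. The policy format (a list of bindings, each with a role and
its members) is the real one; the sample data below is constructed.
"""
from __future__ import annotations

import json
from typing import Any

# Basic (formerly "primitive") roles grant broad, project-wide permissions
# and should almost always be replaced by predefined or custom roles.
BASIC_ROLE_SEVERITY = {
    "roles/owner": "HIGH",
    "roles/editor": "HIGH",
    "roles/viewer": "MEDIUM",
}

# Special principals that make a binding reachable by anyone on the internet
# (allUsers) or by anyone with a Google account (allAuthenticatedUsers).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Member types whose e-mail domain tells us whether the identity is ours.
DOMAIN_SCOPED_PREFIXES = ("user:", "group:")


def _domain_of(member: str) -> str:
    """Return the lower-cased e-mail domain of a user:/group: member."""
    return member.split(":", 1)[1].rsplit("@", 1)[-1].lower()


def audit_policy(policy: dict[str, Any], trusted_domains: set[str]) -> list[dict[str, str]]:
    """Return one finding per (member, issue) pair found in the policy.

    Each finding is a dict with keys: severity, role, member, issue.
    Checks are independent, so one member may produce several findings
    (for example a public principal bound to a basic role).
    """
    trusted = {d.lower() for d in trusted_domains}
    findings: list[dict[str, str]] = []

    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            # 1. Public principals are a HIGH finding regardless of role.
            if member in PUBLIC_MEMBERS:
                findings.append({"severity": "HIGH", "role": role,
                                 "member": member, "issue": "public principal"})

            # 2. Basic roles are too coarse for almost any principal.
            if role in BASIC_ROLE_SEVERITY:
                findings.append({"severity": BASIC_ROLE_SEVERITY[role], "role": role,
                                 "member": member, "issue": "basic role"})

            # 3. Human identities outside the organization's domains.
            if member.startswith(DOMAIN_SCOPED_PREFIXES) and _domain_of(member) not in trusted:
                findings.append({"severity": "MEDIUM", "role": role,
                                 "member": member, "issue": "external identity"})

    return findings


def count_by_severity(findings: list[dict[str, str]]) -> dict[str, int]:
    """Summarize findings as {severity: count} for a quick report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


# Constructed sample policy (not from any real project).
SAMPLE_POLICY_JSON = """
{
  "version": 1,
  "etag": "BwX-constructed-etag",
  "bindings": [
    {"role": "roles/owner",
     "members": ["user:alice@example.com",
                 "serviceAccount:ci-deployer@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer",
     "members": ["allAuthenticatedUsers"]},
    {"role": "roles/storage.objectViewer",
     "members": ["group:contractors@partner.example.net"]},
    {"role": "roles/logging.viewer",
     "members": ["user:bob@example.com"]}
  ]
}
"""
SAMPLE_POLICY: dict[str, Any] = json.loads(SAMPLE_POLICY_JSON)
TRUSTED_DOMAINS = {"example.com"}  # assumption: the organization's own domain


if __name__ == "__main__":
    results = audit_policy(SAMPLE_POLICY, TRUSTED_DOMAINS)
    for r in results:
        print(f"[{r['severity']}] {r['issue']}: {r['member']} -> {r['role']}")
    print(count_by_severity(results))
```

Run against a real export, the same function takes the parsed JSON and your organization's domains; the bob@example.com binding to a narrow predefined role produces no finding, which is the shape every binding should end up in.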
By embracing this framework, organizations can transform shared confusion into shared opportunity, ensuring their data remains protected in the evolving cloud landscape. For a deeper look at IAM in the cloud, check out IAM so lost: A guide to identity in Google Cloud and I hate IAM but I need it desperately.