What are the challenges for CISOs when it comes to data security in the cloud?


Hybrid and multi-cloud environments are a reality for many companies. And they’re a real headache for CISOs when it comes to data security compliance, because heterogeneous environments harbour countless cybersecurity challenges.

Text: Andreas Heer, Image: Swisscom, Date: 1 March 2024   5 Min.

There are moments when even IT professionals feel that the cloud is nebulous. It can be opaque and intangible, much like a real cloud in the sky. Such moments tend to occur when these professionals try to get a clear overall picture of (heterogeneous) cloud environments.

It goes without saying that a lack of transparency is undesirable when it comes to cloud security. This is because the demands on data security have grown almost as exponentially as the volume of data itself in the course of ongoing digitisation. In a data-driven environment, data must be available and reliable for a business to run.

These factors have made data security more challenging in the cloud age. ‘In the past, when the data was exclusively located in companies’ own data centres, it was sufficient to divide it into different security zones,’ says Alex Obrist, Product Manager for Managed Cloud and Security Services at Swisscom. ‘Now, on the other hand, data is classified and categorised, and roles and identities are checked when accessing it. This is the real paradigm shift that has taken place with the cloud.’

The challenges of data security in hybrid and multi-cloud environments can be summarised with the three Cs: complexity, culture, compliance. More specifically, the situation is as follows:

  • Complexity: In hybrid and multi-cloud environments, data is processed and stored in multiple locations: on-premises, in the private cloud and in the public cloud. This increases the attack surface, which is being hit by increasingly sophisticated and increasingly frequent cyberattacks.
  • Culture: Complex environments increase the risk of configuration errors, such as AWS buckets and Azure blobs that are easily accessible via the Internet. In addition, there are employees who – usually unintentionally – do not use the necessary security measures when storing data in the cloud. According to the Verizon Data Breach Investigations Report 2023, the human factor played a role in three-quarters of all cases.
  • Compliance: For one thing, the demands on companies are constantly increasing because regulations and laws are being tightened up – for example with the new Federal Act on Data Protection (nFADP) and the EU’s NIS 2 Directive. In addition, verifying and enforcing compliance across different environments is challenging.


Complex cloud environments make data security more difficult

Cybercrime has long been a business. Ransomware as a service, the division of an attack’s individual steps among specialised individuals, and even call centres run by ransomware gangs for their ‘customers’ all bear witness to this. Attacks are becoming more widespread and new vulnerabilities are exploited within days. Attacks often occur where there is an opportunity – and companies that haven’t patched their systems in time bear the brunt.

Ninety-eight per cent of respondents had critical gaps in their cloud environments due to configuration errors.

Source: Zscaler Cloud (In)Security Report 2022

Misconfigurations in the public cloud simplify the work of cybercriminals, especially when they are trying to gain initial access to a company’s infrastructure. A poorly protected test system here, and webmail access without two-factor authentication there, exposed through login data obtained by phishing, are just a couple of the ingredients that attackers can mix into a poisonous cocktail.

Cybercriminals take advantage of the fact that hybrid and multi-cloud environments quickly become confusing. It is faster to set up a test VM than it is to secure and document it. And soon enough, the security managers are poking about in the fog. The lack of visibility is a challenge for companies, as Alex Obrist says: ‘In the past, there was a concept for data storage. Today, there are countless tools to identify data in the cloud. Finding the right one and using it correctly is a challenge.’ A lack of clarity makes it difficult for companies to enforce uniform policies and meet compliance requirements.

People are decisive when it comes to security culture

It is not only the distribution of data and applications that makes the IT landscape confusing. Added to this are cloud providers’ different security approaches and systems. This means that, depending on the provider they are using, customers themselves need to adopt different approaches to achieve the same goal and secure the cloud environment as required. ‘If a company tries to implement its security requirements using the different tools, there is a risk of losing track,’ says Alex Obrist, describing the situation.

Such a heterogeneous tool landscape increases the likelihood of human error, especially when there is a lack of experts who are familiar with different cloud providers. And misconfiguration is one of the biggest security risks in hybrid and multi-cloud environments. According to a 2022 study by Zscaler, 98 per cent of respondents had critical gaps in their cloud environments due to configuration errors.

But unwanted data leakage and the release of confidential business documents, whether intentional or not, are also risks in cloud environments.

An additional layer of complexity is created by the subject of ‘data storage in Switzerland’. Has it been ensured that the security tools used are actually operated in Switzerland, and that the SMS service for customers, for example, does not take a detour via another country? Getting a clear overview of the services offered by providers is a real challenge – and a tedious one.

Compliance when flying blind through the clouds

The nebulous moment mentioned at the beginning of this article often arises when compliance needs to be demonstrated. Without visibility and a clear overview of the entire IT environment, comprehensive monitoring is simply not feasible. However, this is a prerequisite for complying with data governance, regulations and legal requirements. ‘Companies need a data inventory to protect these assets. This requires visibility,’ says Alex Obrist. ‘For a company that doesn’t have the core competence to operate cloud environments, it’s difficult to keep track.’

The same requirements also necessitate security certifications such as ISO 27001. They are based on compliance and standardised processes and require appropriate control instruments. Recovering visibility over the entire environment should therefore be the primary objective of a data security strategy.

Effective data security in hybrid and multi-cloud environments

Heterogeneous hybrid and multi-cloud environments require new approaches and tools to ensure and verify data security:

  • Security and compliance by design to detect configuration errors before commissioning.
  • One aspect that is central – in the truest sense of the word – is a monitoring system that checks the state of the entire hybrid or multi-cloud environment. This can be used to demonstrate correct implementation.
  • In order to enforce uniform security guidelines, they must be managed and applied in one centralised place.
  • Because cloud providers rely on different approaches and tools, IT professionals also need increased security awareness. Security awareness training should therefore be extended to these specialists.
  • If the experts are not available, or if it is not economically feasible to operate a comprehensive in-house cybersecurity unit, tasks can be outsourced to managed security services providers (MSSP).

‘Companies need to be able to decide centrally how they want to protect this data – no matter where it is,’ says Alex Obrist. This means the fog can finally lift and give you an unobstructed view of the cloud landscape.

Read the following article to discover best practices and solutions that companies can use to ensure data security in hybrid and multi-cloud environments.
