Cloud computing has revolutionized the way organizations operate and has become a key driver for digital transformation, with many organizations looking to adopt cloud services to achieve greater scalability, flexibility and cost savings. According to a report by Gartner, worldwide public cloud services revenue is projected to grow by grow 20.7% to total US$591.8 billion in 2023, up from $490.3 billion in 2022.
Over the past few years, organizations have seen several benefits from adopting cloud services, such as scalability, flexibility, cost-efficiency and ease of deployment. While migrating to the cloud has become a popular trend, it also poses certain risks that organizations need to consider as they begin their cloud journey or look to expand services and operations further into the cloud.
One of the primary risks is data security in the cloud. Cloud service providers store data in remote servers, which can be a concern for organizations that may not have complete control over their data. A study by Crowd Research Partners found that 90% of organizations are concerned about cloud security.
In this blog post, we will explore the risks and rewards associated with migrating to the cloud.
What are the rewards of migrating to the cloud?
Migrating to the cloud offers several rewards to organizations, such as:
Cost savings: Organizations can save costs on hardware, software and infrastructure. Cloud providers offer pay-as-you-go pricing models that allow organizations to pay only for what they use. A study by Nucleus Research found that for every $1 spent on cloud migration, organizations saved $1.68 on average. The study also found that organizations can save up to 50% on IT costs by moving to the cloud.
Scalability: We can spin up instances and deploy apps, add servers, increase computing capacity with the cloud or scale down based on demand, but remember to watch that billing console to ensure that you don’t have systems creating costs if they are not being optimally used.
Netflix uses AWS to scale its infrastructure based on the number of users, adding or removing servers in real-time to handle fluctuations in demand. This scalability allows Netflix to handle over 203 million subscribers globally.
Ease of deployment: Cloud service providers offer easy deployment options that enable organizations to deploy their applications quickly. AWS’s Elastic Beanstalk, for instance, allows organizations to deploy and manage their applications quickly, allowing IT teams to focus on developing applications instead of managing infrastructure.
Flexibility: Cloud providers offer flexibility options that allow organizations to choose the type of services they need. GCP, for instance, offers several types of computing services—virtual machines, containers and serverless computing.
High availability: Cloud providers offer high availability options that ensure that applications are available 24/7 with SLA metrics to back their service offerings.
Architecture choice: The variety of cloud architectures available to organizations, such as public, private and hybrid clouds, can be tailored to the specific needs of various applications. By leveraging automation tools like Infrastructure as Code (IaC) and Continuous Integration/Continuous Deployment (CI/CD) pipelines, organizations can simplify the process of application deployment, management and monitoring.
Improved security: You can leverage cloud tools, audit reports, technology and security skills.
Disaster recovery: You also have the advantages of robust and tested disaster recovery solutions to ensure application availability in the event of outages or disruption. I have seen some organizations moving to hybrid cloud or multicloud services to host critical applications and systems essential to business operations as a recovery plan.
Business collaboration: Cloud-based applications can facilitate collaboration between teams and departments, enabling more efficient work processes and shortening the time it takes to make decisions, create a design and test deployment of a product.
What are the risks of migrating to the cloud?
While migrating to the cloud offers many benefits, it also poses certain risks, such as:
Data security: Cloud service providers store data in remote servers. A concern all organizations share is that they may not have complete control over their data, and they look for assurance on how their data are secured and protected from unauthorized access.
Identity and access management: IAM plays a critical role in cloud security. In traditional environments, organizations have clear visibility into how users access resources, as well as how governance, entitlements and privileges are managed. However, in the cloud, there is a need for assurance that only authorized users have access to assigned resources, and administrator accounts are locked down and monitored.
To address these challenges, some organizations are moving away from customized IAM solutions to commercial IAM, MFA, and PAM solutions offered by companies such as SailPoint, Saviynt, CyberArk, Okta, Transmit Security, Ping, Centrify and others. These solutions provide a centralized and automated approach to manage access across multiple cloud environments, streamline provisioning and deprovisioning, and improve monitoring and reporting.
According to a study by Delinea, 74% of data breaches involved privileged access abuse, highlighting the importance of effective IAM controls in cloud environments. Additionally, rogue access and unauthorized accounts can pose a significant threat to cloud resources. It is essential to implement a process to quickly disable user accounts of employees who leave the company to mitigate these risks.
Using MFA is also recommended, as it adds another layer of protection with a second factor, such as a one-time password or biometric authentication. However, it is essential to note that MFA is not foolproof, as tools like Burp Suite have been used to crack four-digit one-time passwords.
Adopting commercial IAM, MFA, and PAM solutions, monitoring privileged access, and disabling unauthorized accounts are critical steps in securing cloud resources. Organizations must also regularly review and update their IAM policies and controls to keep pace with evolving cloud security threats.
Application security: Applications running in the cloud are vulnerable to the same traditional attacks that are experienced outside of the cloud, such as SQL injection, cross-site scripting and others. As more companies move to the cloud, many have had to refactor legacy application architecture to be cloud-ready. This should be taken as an opportunity to develop a robust DevSecOps program to ensure that new cloud-built apps or refactored apps are secured and protected from these known attacks.
Compliance: Organizations need to comply with various regulations and standards, such as GDPR, HIPAA, PCI-DSS, etc. Cloud providers may provide compliance features, but organizations need to ensure that they are fully compliant.
Two other areas of concern for me during cloud migrations have been around Public Key Infrastructure (PKI) and Domain Name Systems (DNS):
With PKI, ensuring proper configuration is a must. Misconfigurations are a risk to cloud environments, as improper certificate management, incorrect certificate revocation or certificate expiration can result in security incidents, which can lead to service disruptions and data breaches.
Robust key management practices like certificate lifecycle management, certificate revocation and certificate expiration policies are key to success, as is having a clear process for key rotation and rekeying.
I’ve led teams working with Hardware Security Modules (HSMs) to store keys and certificates in this hardware secured environment, ensuring only authorized users can access keys and certificates.
Compatibility: Some applications and operating systems may not support self-signed certificates, leading to compatibility issues.
PKI Management: Self-signed certificates require manual management and renewal, which can be time-consuming and error-prone.
In addition to evaluating the use of self-signed certificates from a technical standpoint, it’s also important to consider the organizational factors that may drive their use. In some cases, product teams may be under pressure to deliver products quickly and may resort to using self-signed certificates in non-customer facing systems or in development environments to save time and money.
However, it’s important to recognize that self-signed certificates come with inherent security risks. Users accessing a website or application with a self-signed certificate will be presented with a warning, which can make it easier for attackers to impersonate the website and potentially compromise the system.
To address these risks, organizations should consider separation of duties so no one user has absolute control over PKI, auditing product teams and their use of certificates, even in non-customer facing systems or development environments. This can help ensure that proper security controls are in place and that the organization is not unknowingly exposing itself to unnecessary risks.
While self-signed certificates may seem like an easier and cheaper option, the security risks associated with their use should not be underestimated. It’s important to weigh the potential benefits of using self-signed certificates against the security risks and consider alternative options, such as trusted third-party certificates, where appropriate.
Implementing and managing a PKI in the cloud can present unique challenges for organizations using cloud environments such as AWS, Azure and GCP. However, careful consideration of best practices, such as centralized management, automated certificate management, secure key management, and compliance management, can help overcome these challenges and ensure the security and integrity of digital communications. It is important for organizations to carefully plan and implement a PKI that meets their specific needs and compliance requirements to establish trust in their digital communications in the cloud.
When looking at DNS risks in cloud environments, improper controls or poor DNS security can result in unauthorized access to cloud resources, service disruptions and data breaches. To mitigate these risks, organizations should implement DNSSEC, strong access controls, rate limiting and filtering mechanisms, DNS traffic analysis tools, and regular DNS configuration reviews and validation checks.
DNS is a critical component of any cloud infrastructure, as it has been in traditional IT environments, with any compromise resulting in a range of security issues. Misconfiguration can result in service disruptions and downtime. To mitigate this risk, organizations should implement regular DNS configuration reviews and validation checks to ensure that DNS records are properly configured and maintained.
What are the DNS security concerns?
DNS security concerns include DNS spoofing, DNS hijacking, DNS amplification and DNS tunneling. Implementing DNS security extensions, enforcing strong access controls and using rate limiting and filtering mechanisms can prevent these attacks.
Cloud providers like AWS, Azure and Google offer cloud-based DNS traffic analysis tools and services, such as Amazon Route 53 Resolver, Azure DNS Analytics and GCP Cloud DNS, which can help organizations monitor and secure their DNS traffic.
Additionally, services like Amazon GuardDuty, Azure DNS Private Zones and GCP Cloud Armor can help identify and block potential security threats, while GCP Stackdriver Logging and Network Intelligence Center provide DNS traffic insights.
What are the top cloud auditing priorities?
When organizations move their applications to the cloud, IT auditors face several challenges related to compliance, data privacy, vendor management and availability.
Compliance is a top priority, and IT auditors must ensure that the organization’s cloud environment complies with relevant laws and regulations, such as GDPR and HIPAA. This involves reviewing the cloud provider’s compliance certifications and assessing the organization’s own compliance posture. IT auditors must also implement appropriate data protection and privacy controls, including data encryption, data retention policies and data access controls.
Data privacy is also critical, and IT auditors must review the cloud provider’s data privacy controls and assess the organization’s data protection policies and procedures. They must also ensure that data is classified accurately and that adequate controls are in place to safeguard sensitive data.
Vendor management also is an essential aspect of moving applications to the cloud, and IT auditors must ensure that the organization has appropriate vendor management controls in place to mitigate risks. These risks include service disruptions, data loss, or vendor lock-in. IT auditors must monitor vendor performance, contract terms and conditions, and vendor exit strategies.
Finally, IT auditors must ensure that the organization’s applications and data are available and accessible in the cloud. They must review the cloud provider’s service level agreements (SLAs) and evaluate the organization’s business continuity and disaster recovery plans. They must also implement appropriate backup and recovery controls to minimize the risk of data loss in case of an outage.
Balancing cloud’s risks and rewards
While cloud migration can offer many benefits, organizations must address associated risks, such as data security, compliance and vendor lock-in. This can be achieved through implementing strict security measures, contingency plans and effective cost management. Auditors should adopt a risk-based approach and stay up to date with the latest threats and industry standards. Automation tools can simplify the auditing process for accurate and reliable results. Regular cloud auditing is critical to ensure security, compliance and cost-effectiveness of cloud services and infrastructure.
Editor’s note: Learn more about ISACA’s Cloud Fundamentals Certificate and Certificate of Cloud Auditing Knowledge (CCAK) credentials.