Dispelling the myths and misconceptions: Is the public and hybrid cloud really secure?
It’s a question that business leaders
must ask when considering adopting
cloud technologies – is your data
going to be secure in someone else’s
hands?
ART BY Morgan Fisher

AUTHOR Charles Owen-Jackson
5 minute read

There’s no denying that securing applications and data across an increasingly
diverse range of computing environments is challenging. On the one hand,
today’s business leaders are under constant pressure to innovate and keep up
with a rapidly evolving market. On the other, security presents a constant thorn in
their sides in an age when major data breaches make headlines almost every day.
But, while the naysayers might dismiss cloud technologies as disruptive and
inherently less secure than traditional in-house computing, they’re missing an
important point.

The reality is that it’s generally not the cloud itself that’s the problem. As with
almost all data breaches, the human element is usually to blame. This might
include factors such as inefficient risk assessments, mismanaged access controls,
poor data redundancy and a variety of other threats, most of which stem from
within the organization. The common misconception that the cloud is the source
of these challenges is why software-as-a-service has yet to become an
established and trusted way of doing business in many parts of the world.

Dispelling the myth of cloud (in)security


Let’s get one thing straight: the world’s major cloud data centers – operated by
the likes of Amazon, Google and Microsoft – are some of the most secure
environments on the planet. This really shouldn’t come as a surprise, since these
companies are some of the most powerful in the world. They have access to the
financial resources, expertise and bleeding-edge tech on a level that few
organizations could ever dream of having. Not only do they have 24/7 physical
controls like security guards, video surveillance and perimeter fencing akin to that
of a maximum-security prison, they also offer administrative and technical
controls to safeguard the data in their care from hackers.

Information security and integrity are at the very core of what these major
technology providers do, hence they strive to eliminate every single point of
failure with built-in redundancies and automated rollovers. They distribute data
across many different machines in many different locations to protect it from
threats like natural disasters and hardware failures.

The cloud potentially offers improved security from an administrative perspective
by reducing the need for customer-controlled security layers. Some cloud
providers and server colocation vendors also offer a fully outsourced security
operations center (SOC), which is ideal for smaller businesses, who are often
targeted en masse by threats like phishing scams and malicious advertising. Even
in cases where migrating to the cloud doesn’t provide improved information
security, the greatly reduced capital expenses can offer more financial control to
invest in security.

So, where do the threats come from?


Now, I’m not saying that the world’s biggest data centers are impenetrable
fortresses – but they’re the closest thing to it. Why is it then, that major data
breaches targeting cloud-hosted digital business assets are always making
headlines?

The weakest link isn’t the technology – it’s the people. This is often the case
when managing complex, hybrid cloud environments in which businesses use a
blend of public infrastructures (like Amazon Web Services (AWS)) and an
on-premises or hosted private cloud consolidated across a wide-area network
(WAN). However, with the right approach, the hybrid cloud brings multiple
benefits, such as decreased capital costs and greater flexibility.

Here are the main threats to hybrid cloud security you need to overcome:

Mismanaged access rights

One of the greatest advantages of cloud-hosted resources is they’re accessible
from any device with an internet connection. This can also be its greatest
drawback in an age when social engineering attacks dominate the world of
cybercrime. After all, cybercriminals aren’t always stereotypical hackers staring at
lines of code whizzing across a monitor. Instead, they increasingly rely on tactics
of subterfuge and manipulation to encourage their victims to surrender
confidential information, such as login details. Social engineering tactics are often
used to put their malicious code to work.

To overcome these risks, IT administrators must enforce multifactor
authentication (MFA) to reduce reliance on passwords. This way, those accessing
the system, particularly from an unknown device or network, will need to verify
their identities with a secondary authentication method. This might be a
fingerprint scan or a temporary security token like an SMS code. Because the
secondary verification method is dynamic, or an innate characteristic of the user
(like a retinal scan or fingerprint), it’s far better protected from social engineering
attacks.

Unprotected APIs

Hybrid cloud deployments depend on application programming interfaces (APIs)
to ensure the interoperability between different infrastructures – such as
in-house data centers, public cloud resources and hosted private clouds. These
serve as conduits for ensuring the seamless flow of data between the two
systems to provide an uninterrupted experience for end users. But when
unprotected, these API endpoints can leave sensitive data exposed. This
vulnerability is often exploited when data is being transmitted across insecure
devices and connections. Other attacks may exploit misconfigured APIs to
coerce the system into doing something that would lead to its compromise. For
example, attackers started exploiting misconfigured Kubernetes APIs to issue
commands to it; in doing so, they downloaded and launched a malicious payload
from outside.

Since APIs are effectively gateways – access points into a public cloud
application or service – IT administrators need to take extra steps to secure the
data that flows through them. The easiest way to protect it is to ensure that data
never leaves an endpoint unencrypted. This way, even if a hacker does get their
hands on data exposed by a vulnerability in the API, it will be unusable to them.
Today’s AES-256 encryption algorithms would take 3×10⁵¹ years to crack without
knowing the encryption key, by which time even the youngest and most patient
hacker might just give up.
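
As an added example (not part of the original article), the Go sketch below seals a payload with AES-256-GCM before it leaves an endpoint and refuses to open anything that was altered or presented with a different key. The function names, the route strings and the idea of binding the API route as associated data are assumptions made for illustration; the sample key and record are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewAEAD builds AES-256-GCM; 16- and 24-byte (AES-128/192) keys are refused.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealPayload encrypts a payload before it leaves the endpoint. The route is
// bound as associated data, so ciphertext replayed on another route fails.
func SealPayload(aead cipher.AEAD, payload []byte, route string) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, payload, []byte(route)), nil // nonce||ct||tag
}

// OpenPayload authenticates and decrypts; a wrong key, wrong route or any
// modified byte yields an error and no plaintext.
func OpenPayload(aead cipher.AEAD, sealed []byte, route string) ([]byte, error) {
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed payload too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], []byte(route))
}

func main() {
	key := make([]byte, 32) // constructed demo key; real keys belong in a KMS
	rand.Read(key)
	aead, _ := NewAEAD(key)
	sealed, _ := SealPayload(aead, []byte(`{"record":"constructed"}`), "/v1/records")
	_, err := OpenPayload(aead, sealed, "/v1/export")
	fmt.Println("wrong route rejected:", err != nil)
}
```

The protection holds only while the key stays out of the exposed API path, which is why the key is passed in separately from the data it protects.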

Insecure third parties

In hybrid cloud environments, your vendors are an additional source of risk. 181
third-party vendors access the average business network every week, leading to
two-thirds of companies experiencing data breaches linked to one of their
vendors. Unfortunately, some cloud vendors are vague when it comes to critical
factors like data ownership and governance. They may not have the necessary
controls in place to ensure that your data is safe during its migration to the cloud
or when it’s hosted on their own servers.

To reduce the substantial risks posed by third parties, businesses must carefully
vet any cloud vendors they choose to work with. Enterprise managers must
always verify data ownership and security controls and ensure that everything is
clearly defined in their service level agreements (SLAs). They need to know
exactly what the provider does with their data, which access controls and
permissions they have in place, and which resources they provide if something
goes wrong. Any agreement should ideally be reviewed by an attorney before
signing.

Breaches of regulatory compliance

Even if you have all available security measures in place when migrating data to
the public cloud, there’s still the matter of compliance. Many data-processing
regulations, for example, require data belonging to citizens of a particular country
to be stored in the same territory. In some ways, this contradicts the very ethos of
the cloud as a decentralized and distributed computing environment. To further
complicate matters, most cloud providers cannot guarantee the physical location
of your data, although there are some exceptions: AWS, for example, can work in
regional mode to avoid moving your data out of the territory.

Fortunately, hybrid cloud deployments are ideally suited to highly regulated
industries, since they provide more control over where data is physically stored.
For example, a healthcare provider subject to HIPAA and HITECH regulations
might keep patient health information (PHI) in a private cloud such as an
in-house data center or server colocation facility. A GDPR-compliant company
might do the same to ensure that customer data remains in the EU, while
business applications are moved to the cloud. In the end, the hybrid model gives
you more control over where your data is stored and how it’s protected.

Hybrid cloud computing – the first step towards innovating at scale

The key to successful hybrid cloud deployment is a security-first approach that
provides IT administrators with full visibility into their digital assets. With the right
management solutions and software layers, enterprises can build a single
cohesive environment that incorporates the best of both worlds. A hybrid cloud
deployment is no more or less secure than on-premises virtualization, but with
the right approach, it can become even more secure. All it takes to get started is
to select a cloud security product that’s scalable and adaptable to your needs.

AUTHOR INFO

Charles Owen-Jackson
Charles Owen-Jackson is a writer and content strategist who helps B2B technology firms amplify
their brands and boost customer success with compelling web content. He has a keen interest in the
natural sciences and is an aspiring novelist.
