E-Handbook: Know your role in the cloud shared responsibility model Article 3 of 4

everythingpossible - Fotolia

This article is part of our Essential Guide: How best to secure cloud computing in this critical era

Properly configure resources to reduce cloud security threats

Misconfigured cloud resources can quickly open the door to IT risks. Be mindful of access controls, and don't brush off your cloud provider's recommended security practices.

While Amazon S3 data leaks have dominated headlines in the past, the misconfigured security controls that caused them aren't exclusive to Amazon. In fact, misconfigurations can pose a risk across all public cloud platforms, which means enterprises should be careful to prevent them.

Some of the biggest cloud security threats come from the improper setup or configuration of cloud access controls and permissions.

"The No. 1 issue is not properly securing access credentials," said Fernando Montenegro, analyst at 451 Research. For example, there is the tendency to use authentication methods that are not as secure as they could be, especially for admins.

A lack of multi-factor authentication (MFA) poses a risk that is exacerbated in cloud compared to on-premises data centers. If an admin has a weak password in a traditional environment, a hacker would still have to get into the data center to use it. In the cloud, though, that access can happen remotely.

"The downside of failing to [use MFA in cloud] is that, if someone can grab your root account, the sky is the limit," Montenegro said. "They can literally create resources and new accounts, which is a serious problem."

Sharing isn't always caring

To avoid cloud security threats, it's best to go back to the basics. For example, enterprises should be especially cautious with open file shares, which are typically too accessible, said Jay Heiser, analyst at Gartner. Most organizations use a large number of SaaS apps and don't always known which support sharing, as those decisions are often made on an ad hoc basis, he said.

Security is normally a function of competency. If organizations don't know what they're doing, they tend to do the wrong thing.
Jay HeiserAnalyst, Gartner

This is why cloud access security brokers (CASBs) -- such as those from Skyhigh and Bitglass -- now play a more prominent role in the enterprise. CASBs have become more like firewalls, in the sense that they're viewed as tools for baseline protection, Heiser said.

"If an organization wants to control open file sharing, the CASB tools are the most efficient way to do that," he said.

Another risk that enterprises commonly ignore involves sharing code for application development. It's now common practice to put code on a shared site, such as GitHub, but sometimes, that code can include access credentials or other sensitive information.

"If anyone downloads that, they have your secrets," Montenegro said. "One developer could accidentally blow away your infrastructure."

Know your responsibilities

To minimize cloud security threats, enterprise IT teams first need to know exactly where their providers' responsibilities end and where their own begin. In other words, they need to be familiar with their providers' shared responsibility model.

The level of responsibility an enterprise has varies, however, depending on the cloud model: SaaS, PaaS or IaaS. Each of those different approaches puts an increasing level of configuration and security burden on the customer, said David Monahan, managing research director at Enterprise Management Associates.

To learn more about users' vs. providers' responsibilities in a SaaS vs. PaaS vs. IaaS deployment, check out this brief video.

Follow provider best practices

Another rule to avoid cloud security threats, and the misconfigurations that cause them, is to adhere to your provider's recommendations and best practices.

"People talk about problems with AWS S3 buckets, but that's another case of people going against the provider recommendations," Montenegro said.

All major cloud providers offer guidance and documentation to securely deploy their resources, but users don't always follow through. AWS, for example, pushes for best practices, such as not using root accounts for projects and enabling two-factor authentication, but when enterprises prioritize speed over caution, they often overlook those recommendations. So, be sure to review your cloud provider's security best practices thoroughly and apply them as much as you can.

"Security is normally a function of competency," Heiser said. "If organizations don't know what they're doing, they tend to do the wrong thing."

Dig Deeper on Cloud infrastructure design and management

Data Center