Security Risks in Cloud Infrastructure and How to Mitigate Them

In an interaction with Asia Business Outlook, Sundar Balasubramanian, Managing Director, Check Point Software Technologies India & SAARC, shares his views on security risks associated with cloud environments, best practices for securing sensitive data in cloud infrastructure, security risks in complex infrastructures and more. 

Cloud infrastructure is integral to many organizations, but it comes with security risks. Could you provide an overview of the most prevalent security risks associated with cloud environments, especially in light of the ever-evolving threat landscape?

The universal adoption of cloud infrastructure has been growing from strength to strength because of its ability to provide access to business critical infrastructure much needed by today’s digital business and the elimination of overheads of on-premise hosting. However, all choices brings with it risks. 

A key security risk when embracing cloud environments is with cloud misconfiguration. Misconfigurations are a major public cloud security threat, according to 59% of cloud users as per Check Point’s recent Cloud Security Report. Of those cloud users that experienced a security incident within the last 12 months, 19% of the time, the incident involved a misconfigured resource or account.They remain a significant cloud security challenge because of the wide range of provider-specific configuration settings. Companies — and their employees — unfamiliar with cloud environments can accidentally misconfigure these settings, leaving cloud environments vulnerable to attack, which is exacerbated by the prevalence of multi-cloud environments, where companies must properly configure settings for several different cloud providers. In addition to ensuring the security of corporate data and applications before and after the move, companies also need to design a secure cloud migration process to ensure that these resources are protected during the intermediate stages as well.

Another risk is the Exfiltration of Sensitive Data. As companies increasingly move to the cloud, these environments contain larger volumes of sensitive data. According to Check Point’s 2023 Cloud Security Report, for 51% of organizations, data exfiltration is considered a major security threat of public clouds, and 13% of cloud incidents within the last 12 months involved files or data being inappropriately shared by a user.Cloud environments are a component of the corporate network that is directly accessible via the public Internet, making it easier for an attacker to search for misconfigurations and other vulnerabilities, and with cloud environments designed to support data sharing,  it is easier for users to accidentally share a file with an unauthorized user or to misconfigure security settings in a way that leaves data exposed.

Another area that may bring risks to the cloud environment are Insecure Interfaces/APIs. APIs are ubiquitous in the cloud, especially as microservices and containerized applications become more common. In some cases, companies have shadow APIs that are not officially documented and, therefore, not properly covered by a corporate security strategy. In others, APIs may be designed in insecure ways, such as providing excessive, potentially sensitive data in response to user requests, risking data loss unnecessarily. 

Other risks includes the complexity of multi-cloud security due to multi-cloud deployments, which are difficult to secure, with the need to properly configure the unique settings of various cloud providers. The complexity of Workloads in the Cloud caused by the transition of workloads to the cloud impacts cloud security and access management as more workloads are distributed across multiple cloud environments. This requires a complex web of entitlements to effectively implement least privilege access and minimize potential security risks to the organization and its cloud-based solutions.

Data breaches and unauthorized access are major concerns in the cloud. What are the best practices for securing sensitive data in a cloud infrastructure, and how do you recommend mitigating the risks associated with data exposure?

An organisation’sdata is its most precious asset and Data Security Posture Management (DSPM) solutions are the key to safeguarding it. These solutions are able to pinpoint sensitive data stored in the cloud, determine who is allowed to access it, and analyze the overall security posture of the data.

Other practices we suggest in ensuring your data in a cloud infrastructure is secured includes :

Inventory of Cloud Data: Companies can’t properly protect data that they don’t know exists. Performing a complete audit of data stored in the cloud is essential to designing and implementing solutions to secure this data.

Encrypt Data: Encryption is the most effective way to protect data against unauthorized exposure. Data should be protected both at rest and in transit within cloud environments.

Implement Zero Trust: A zero-trust security strategy limits access to sensitive data to the minimum that a user or application requires to do its job. Implementing zero trust reduces the risks associated with a compromised account or a user’s abuse of their privileges.

Monitor Security Settings: Cloud environments have a variety of settings that must be correctly configured to secure the data and applications hosted within. Automated cloud security posture management (CSPM) is essential to rapidly identifying and remediating security misconfigurations at scale.

Create Secure Backups: In addition to data leakage, cloud data protection strategies should also address the risks of data loss. Cloud data should be backed up, and these backups should be protected at the same level as the original data.

It is essential for all organisations looking to mitigate risks from data exposure in the cloud to adopt a strong CSPM (Cloud Security Posture Management) policy. Inorder to protect their data, they need to understand where it is and apply consistent security across their multitude of cloud providers. Most of the functionality of CSPM tools will use APIs exposed by the cloud providers. The use of APIs allows a CSPM solution to operate with little to no impact on the performance or architecture of the cloud environment as it does not require the installation of agents or virtual machines but should only require the proper credentials to the cloud accounts to access the exposed APIs from the cloud provider.

CSPM tools will also enable monitoring and enforcement of “least privileged access” concepts as overly permissive access roles are one of the biggest issues leading to security vulnerabilities in the cloud. CSPM tools can provides visibility not only through asset management; also by diagraming the connectivity of networks (VPC/VNETs) and showing connections to unmanaged/unknown networks, which again could lead to breaches within the cloud.

Any organization that is not implementing continuous compliance of their cloud environment is missing one of the easiest ways to reduce their risk and achieve better visibility of their public cloud infrastructures. CSPM tools offer the best defense to mitigate the risk of misconfiguration, which is one of the top causes of cloud data breaches.

With the rise of multi-cloud and hybrid cloud environments, managing security across different platforms can be challenging. How can organizations effectively address security risks in such complex infrastructures and ensure consistent protection?

The cloud has revolutionized the ways in which development teams’ work, and security teams have strived to keep up at the same velocity and scale. With the exponential increase in distributed assets, changes occur at a rapid pace, and different teams are not always aligned with the security guidelines needed throughout the development lifecycle. 

This has left security teams unable to stay on top of the risks within their cloud environment, and take action quickly on the most critical alerts. Organizations need actionable insights to drive pragmatic remediation. Unfortunately, the majority of CNAPP solutions on the market lack the context needed, from across workloads, to operationalize security at cloud speed and scale.

We need a comprehensive protection from code to cloud, with CNAPP approach that unifies cloud security, merging deeper security insights to prioritize risks and prevent critical attacks —providing more context, actionable security, smarter prevention. We need increased visibility by enriching context, that provides actionable remediation insights and speeds up threat mitigation across diverse cloud teams.

Zero-day vulnerabilities and emerging threats are constantly evolving. What proactive measures should organizations take to stay ahead of the curve in identifying and mitigating new security risks in their cloud infrastructure?

In India, IDC reported that the overall India public cloud services market is expected to reach $13.0 billion by 2026, growing at a CAGR of 23.1% for 2021-26. The revenue totalled $2.8 billion for the first half of 2022. According to IDC, SaaS continued to be the largest component of the overall public cloud services market, followed by IaaS and PaaS during the first half of 2022.

As such, we can fully expect organisations to continue leveraging cloud across their business globally. However, cybersecurity risks for cloud users remains and can be mitigated. Of key importance is  visibility of the Cloud and Cloud Security & Posture Management (CSPM) and Cloud Infrastructure Entitlement Management (CIEM) tools would be vital to understand an organsiation’s current  security posture, gaps, compliance to regulatory standards as well as controls to be put in place. All of the above are combined into a new category called the Cloud Native Application Protection Platforms (or CNAPP) that offer a simpler way to adopt them.

With the complicated and growing array of digital businesses today, the organization’s security perimeter can be unclear as workers access both corporate infrastructures as well as Cloud SaaS and hosted apps. As such, we strongly encourage all organisations to begin adopting ZTNA & SASE frameworks, to help make the transition to Cloud, improving security for the new world. These would also help reduce the attack surface, provide greater visibility control, and enforcement through automated procedures to keep your security at its best.