Navigating cloud risk in an unpredictable threat landscape


By James Coxon, Chief Product Officer at Stax
Friday, 17 February, 2023



If recent events have taught us anything, it’s that Australia has become a hotbed for malicious cyber attacks, with one attack reported every seven minutes. This threat is exacerbated by poorly managed cloud environments, which are negatively impacted by factors such as human error, a lack of training, and outdated systems and processes.

While cloud is widely recognised for the benefits it can bring to an organisation, an improperly managed cloud environment can quickly become a liability. For instance, a lack of visibility and control can result in multiple issues, such as security exposure, program risk and technical debt. To maximise their cloud investment, enterprises need to strengthen their cloud governance and keep it up to date to avoid cloud risk.

The current threat landscape

According to the ACSC, cybercrime reports increased by close to 13% in the 2021–22 financial year. In this more vulnerable environment, businesses not only need to step up to safeguard their enterprise, but also reconsider how they broadly view cybersecurity, especially cloud security.

With enterprises increasingly using public cloud infrastructure to store and manage large quantities of organisational data and critical applications, issues like coding flaws, open gateways, or misconfigurations within their cloud can elevate the potential threat from cybercriminals.

Businesses that engage in improper or outdated use of cloud are enlarging the target on their backs. Cybercriminals bank on organisations not treating their cloud environment with care and creating vulnerabilities as a result, so it’s imperative that organisations avoid that trap at all costs.

Decoding the public cloud risk model

While the public cloud offers numerous benefits (lower cost, scalability, reliability, etc), its heavy usage makes the role of cybersecurity even more pertinent. Cloud misconfigurations alone can cost a business dearly. Research from Trend Micro indicates that a whopping 65 to 70% of cloud security issues start with misconfiguration. Based on the IBM ‘Cost of a Data Breach 2022’ report, the average cost of a data breach in Australia in 2022 was US$2.92 million, up from US$2.82 million the previous year.

According to Gartner, the public cloud risk model has four characteristics that make management of the cloud environment more challenging: complexity, huge scale, dynamic nature and self-service provisioning. Gartner also states that the public cloud has an excellent track record for security and reliability, and that when problems do occur, it’s typically down to an organisational failure to use the public cloud appropriately. These characteristics depend on a multitude of factors, such as the number of users, diminishing uptime, number of business units or the nature of applications.

Over time, as businesses grow, their cloud environment grows with them, necessitating an upgrade from legacy infrastructure. When these issues are not dealt with promptly, businesses are left to deal with limited visibility and weak cloud controls that often lead to issues such as overspending and security exposure. In short, businesses need to be adaptable and show agility in their cloud management to address such challenges.

Responding to public cloud risk

To ensure good cloud governance, organisations should invest in culture- and knowledge-building efforts that highlight the value of security. This can be delivered through onboarding procedures and ongoing staff training. While basic security training is essential for meeting compliance obligations, organisations should also consider teaching best practice for managing data, using cloud-enabled systems and provisioning new applications.

Ahead of teaching such practices, organisations also need to ensure that their underlying cloud infrastructure is properly configured with the help of guardrails. Guardrails (also known as guiding principles and boundaries) help provide more visibility, prevent misuse or misconfiguration and maintain platform integrity. With the right guardrail management tools in place, such as cloud management platforms, organisations can feel more confident that their teams are building and using the cloud in line with pre-determined, sector-compliant requirements.

Of course, the elephant in the room in many security and cloud risk conversations is the pressing issue of retention and the ongoing talent shortage. While these challenges persist, and are expected to do so for many years, some enterprises may lack the technical expertise and resources needed internally to manage complex cloud environments. In such cases, a cloud management platform that offers a secure-by-design model would be the best approach. Such a platform can ensure that your cloud environment is protected with industrial-strength security and risk management measures. It also ensures that all cloud vendor updates are integrated on time. Having such a platform in place means never having to worry about risk monitoring on an ongoing basis.

There can never be a one-size-fits-all solution to managing cloud security. The cyberthreat that Australian (and global) businesses are facing today is very real and is posing a significant risk to our processes, and by extension, our business growth potential. Managing this risk requires viewing cloud as an intrinsic part of IT management. This means leaving behind outdated thoughts and legacy infrastructure and embracing new ways of governance. A well-configured and well-managed cloud environment ensures that your foundation as a business is strong and resilient and that there are no gaps left for cyber attackers to seep through and penetrate.


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd