Moving systems and services to the cloud can provide numerous business benefits. Cloud environments offer greater scalability and flexibility than traditional on-premises environments and may be a more cost-effective solution as well. Software as a Service (SaaS) solutions also provide access to a wide range of specialized functions that aren’t practical to develop or maintain on your own. Most organizations are recognizing these benefits and are increasing their footprint in the cloud: according to a recent Check Point survey, 58% of companies will have more than half of their workloads in the cloud by the end of 2024, up sharply from 39% in 2023.
However, the way that an organization makes its move to the cloud has significant security implications. A “lift and shift” approach to digital transformation may seem like a tempting strategy to pursue when adopting cloud services… but as we’ll explore today, it’s an approach that carries significant risks to the business if not planned and executed properly.
Key Differences between On-prem and Cloud Security
Some fundamental cybersecurity issues exist whether you’re on your own premises (“on-prem”) or in the cloud. Compliance and regulatory requirements exist no matter where your data resides. The cyber threats that you worried about with your in-house systems – issues like ransomware, web application exploits, data breaches – are still concerns with cloud implementations. Recognizing the differences in the environments and understanding the unique security challenges of the cloud is essential. Only then can you implement an effective cloud security strategy to manage your requirements and mitigate your risks. Here are five key areas to consider:
1. Understanding the Shared Responsibility Model
One of the most important differences between on-prem and cloud environments is understanding the shared responsibility model. Depending on the cloud model used — SaaS, IaaS, PaaS, etc. — the cloud customer and provider divide up responsibility for managing the cloud environment. This division of labour has its advantages for the cloud customer, as the cloud provider is responsible for at least the physical infrastructure, and likely other levels of the IT and application stacks as well.
But while the foundational security is up to the service provider, it’s important to remember that the customers’ cloud security responsibilities include configuring security controls and tools specific to the cloud environment. Using cloud services does not mean you can abdicate responsibility to the cloud provider. Simply accepting default settings is a recipe for disaster, as failing to properly secure cloud services and data is a leading cause of data breaches and security incidents.
2. Multi-cloud Environments
According to a recent report, 79% of organizations surveyed use more than one cloud environment, and that number is climbing as different providers may offer cost savings or optimized capabilities for various applications. Consequently, cloud customers take on the responsibility of managing and securing a variety of vendor-specific environments, potentially with different cloud service models. In each environment, the company needs to understand each relationship and the vendor-specific controls that it is responsible for managing.
Additionally, the existence of on-prem and multiple cloud environments means that an organization is responsible for securing cross-environment data flows. On-prem, an application and the database that it uses may have both been in a protected environment behind the corporate firewall or isolated network. In the cloud, they may be located in different environments connected by the public Internet, making it critical to implement encryption, additional access control, and secure remote access solutions to connect them.
3. Cloud-specific Architectures
Cloud environments offer numerous advantages; however, these benefits may only be available to cloud-native applications. For example, cloud environments offer massive scalability, but serverless and microservices architectures are more able to take advantage of this than traditional, monolithic applications.
A “lift and shift” approach to cloud adoption means that an organization won’t be able to take full advantage of these cloud security benefits. However, it does have the advantage of avoiding the unique security risks associated with serverless and containerized applications. Cloud-native applications require securing not only the application itself but also the environments where it runs (cloud infrastructure, container orchestration platforms, etc.). It’s important to understand what opportunities exist to structure and secure the data or service appropriately.
4. Shadow IT Risks
Shadow IT is a potential problem in any IT environment. If the organization doesn’t provide the tool that an employee needs — or wants — to do their job, they may install it themselves. This is particularly true if corporate security policies and controls create friction within an employee’s workflow, encouraging them to find “creative” solutions to get work done.
Cloud environments exacerbate the risk of shadow IT by making it much easier for employees to set up new, unapproved resources. Within a cloud environment, it’s easy for someone with the right access to deploy additional cloud storage, virtual machines (VMs), or other applications to perform tasks traditionally done in-house. Additionally, many SaaS applications use “Sign in with Google” and other SSO tools, so employees can begin moving sensitive corporate data to unapproved applications with just a few clicks – whether they realize it or not. With the rise of Large Language Models (LLMs) and generative AI, it’s even possible that third parties will use this data to train their AI models and tools, as companies like Samsung found out the hard way.
5. Regulatory and Compliance Challenges
Cloud environments also introduce a range of regulatory and compliance challenges. To be compliant, organizations need to know where their data is, what regulations apply, and how to achieve and prove compliance.
In cloud environments, it can be difficult for customers to pin down exactly where their data is being stored and processed. This can create issues with data residency requirements, such as the GDPR’s cross-border transfer restrictions. If an organization has EU citizen data, it needs to ensure that data remains within countries with “adequate” data privacy laws, something that is much harder to track in cloud environments. Even in jurisdictions where cross-border data handling is permitted, it is still essential for customers to understand the risks or potential exposures.
Cloud computing also makes it more difficult for an organization to demonstrate compliance. Unlike on-prem environments, a cloud customer often doesn’t have the right to audit the cloud provider’s infrastructure. Instead, they must rely upon and verify the provider’s own compliance with SOC2, PCI DSS, and other regulations.
The limited visibility available in cloud environments also complicates the process of proving regulatory compliance. Without access to and control over the underlying infrastructure, an organization can’t use certain security controls and monitoring solutions. As a result, they may need to implement new processes and tools to achieve the required visibility to show compliance. Audit and access management issues are just as critical in the cloud as on-prem, as was illustrated by the recent Snowflake breach.
Securely Making the Move to Cloud
When making the move to the cloud, be wary of the temptation to simply “lift and shift”. While it may seem straightforward to transfer existing on-prem applications to cloud environments, this approach doesn’t take full advantage of cloud capabilities and can introduce various security risks.
When adopting cloud infrastructure and solutions, organizations should have a clear plan in place to optimize the benefits of the cloud and manage its associated security risks. ISA Cybersecurity has deep expertise in cloud security and can help your organization to develop a cloud security strategy that both protects the business and enables it to maximize the ROI of its cloud investment. Contact us today to learn more.
