Although cloud computing first started the 1960s, it wasn’t until Amazon launched AWS in 2006 that people start talking about the cloud as being something other than white, fluffy wisps in the sky. Even then, companies were slow to adopt the cloud, to some degree because there were insufficient applications available. That is no longer the case and, in part, because the pandemic forced us all to change the way we work, cloud adoption has almost doubled in the past four years.
With nearly 90% of companies around the world already using the cloud to some extent in their businesses, you would think that cloud migration would be old hat by now, yet cloud usage and security remain hot topic. Why is that?
It’s because although cloud usage is table stakes in business today, less than half of all organisations are cloud-native, or fully cloud-enabled. For instance, only 60% of corporate data is currently stored in the cloud, and less than 30% of corporate processes reside aloft.
From our partners, we know that nearly 60% of companies are seeking to optimize their cloud use over the next 12 to 18 months, while migrating more workloads to the cloud.
There has also been an increase in North American companies moving from on-premises software to SaaS, because many of these applications have had time to mature. For these reasons, predictions are that cloud-related services will have doubled from 2023 to 2025, to reach about $830 billion by 2025.
As more truly useful, robust, cloud-native applications are developed, more and more organisations are adopting cloud solutions. There are two reasons for this. One is that it enables any type of firm to easily, confidently and cost-effectively improve its corporate capabilities. The second is that by using SaaS options, OpEx budgets can be leveraged, rather adding to capital expenditures.
As more organisations subscribe to cloud-based services, the more these applications proliferate. Unfortunately, this also expands the attack surface, along with vulnerabilities that cyber criminals are increasingly learning to exploit. Yet many companies believe that the cloud is safe.
For the most part, the major cloud providers, Amazon Web Services (AWS), Microsoft Azure and Google Cloud, which BTW provide two-thirds of corporate cloud services, and control 71% of the public cloud market, are pretty secure. Actually, the top eight are, but this doesn’t mean they are invincible.
Companies are far less likely to encounter security problems with a major provider, but too many companies have become complacent when using the cloud, expecting the cloud provider to be fully responsible for security.
In actual fact, the onus is on the individual companies to protect their perimeters.
Unfortunately, most of the cloud-related problems stem from improper or inadequate security practices on the part of the users.
If you are actively involved in your company’s coding, I would suggest looking to see if your credentials have been hardcoded into your source control management systems. Unit 42 recently surveyed thousands of organisations around the globe and found this to be the case for 83% of This is a huge vulnerability because these kinds of credentials can be used cloud-centric cybercriminals to move laterally and vertically within the organisation. For this reason, cybercrooks quickly learn, or are taught, to ferret out susceptible cloud environments.
It’s huge vulnerability, but one that is easy to shore up.
Another big problem is improperly configured cloud environments.
In fact, nearly two thirds of cloud security incidents in 2022, and over 50% of security problems in 2023, were the result of misconfigurations related to permissions granted to individual or groups – most being granted far too much latitude. . In fact, research suggests that 99% of cloud identities are overly permissive.
It critical enough that it bears repeating: Investigations by multiple partners indicate that a major problem is providing too much access, to too many people For this reason, Identity and Access Management (IAM) is crucial so that administrators can determine which users should be authorized to modify or otherwise engage with specific resources.
To adopt and use Identity and Access Management effectively
At very least, you should separate administrator and user credentials and limit access within the cloud based on roles, following the “Least Privilege” guidelines, which are considered “best practice” today. You should also ensue all identities are de-provisioned when they are no longer needed and or the stakeholder is no longer associated with the company.
To make this process more efficient and effective, it’s good to centralize the management of user credentials. This is sometimes referred to as centralized IAM.
What is it, and How does Least Privilege differ from Zero Trust?
In essence, zero trust means that no individual user or group is granted access until their entities bona fides have been verified. Once trust has been established, then Least Privilege, also known as Minimum Privilege, should be applied , because it restricts access rights to the minimum required for that user or group to do their job.
Unfortunately, in the vast majority of organisations permissions related to cloud access and usage, often exceed what needed for the user’s role. By restricting access, you also limit where threat vector can go if an individual’s credentials are compromised.
Multi-Factor Authentication (MFA) is an important tool in cloud security
MFA is an excellent first line of defence. Unfortunately, it is not routinely enforced for cloud users. Approximate three-quarters of organisations do not have MFA on their consoles, and… console access is more susceptible to brute-force attacks, and these are still responsible for 10% of successful breaches. Also, over half of all firms do not require MFAs for their system administrators.
As a starting point, it is highly recommended that MFA software, such as Duo, be adopted for all remote access. Research shows that 89% of organisations that fell victim to hackers through compromised emails, had no MFA protection on key Internet-facing systems, including their VPNs.
It is also important to implement MFA internally, so that the user needs to be verified each time he, she or they move to a system or platform with a different trust level, based on your company’s permission policies. This will give you a layered defence, making it harder for threat vectors to successfully worm their way to deeply into your network – especially if you implement a Least Privilege approach.
Bottom line: Most organisations need to revisit their cloud protocols and practices and ensure they are up to date.
If you’d like a no-obligation assessment, or simply to talk about your situation, please feel free to contact us: 416.429.0796 or 1.877.238.9944 (Toll Free) or email us: [email protected]