Cloud Security Risks and Responsibilities

This overview tackles security in the public cloud with a focus on the current risks faced by IaaS and PaaS adopters — and some advice for success and safety.

As public cloud utilization — specifically Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS) — continues to surge, questions around cloud security responsibility linger. Though public cloud vendors such as Amazon and Google emphasize customers' shared responsibility in securing cloud workloads, too many organizations continue to place the onus on their infrastructure providers.

Organizations that rely solely on a cloud vendor's built-in security potentially expose themselves to unnecessary risk, and painful lessons have been learned. This is particularly true for the credentials and secrets that proliferate in cloud environments and automated processes. These secrets are dynamically created and assigned to provision, configure and manage hundreds of thousands of machines and microservices, but many are never secured. If they are compromised, these secrets and credentials can give attackers a crucial jumping-off point to achieve lateral access across networks, data and applications, and ultimately, provide access to an organization's most critical assets.

In fact, the Cloud Security Alliance "2017 Treacherous 12" report notes insufficient identity, credential, and access management as one of the top threats to enterprise cloud computing today. Without proper privileged account security in place, organizations can face potentially catastrophic damage. The report states that this can be caused by "malicious actors masquerading as legitimate users, operators or developers who can read/exfiltrate, modify and delete data...snoop on data in transit or release malicious software that appears to originate from a legitimate source."

Underscoring this problem, our recently published Global Advanced Threat Landscape Report 2018 revealed that while 50 percent of IT professionals say their organization stores business-critical information in the cloud and 43 percent say they commit regulated customer data to the cloud, nearly half (49 percent) have no privileged account security in place for the cloud.

These findings indicate that while security teams may be comfortable with securing certain, more traditional components like the cloud admin console, when it comes to securing dynamic cloud environments, further education is critical and there is much more work to be done.

Now is the time to take ownership of your organization's responsibility for protecting critical information in the cloud. One proactive step your organization can take to bolster its cloud security posture is to conduct Red Team exercises, in which ethical hackers simulate the techniques and behaviors of likely attackers. These exercises can help to uncover critical vulnerabilities in cloud (and on-premises) environments, identify effective responses and understand the motives and techniques of potential adversaries.

For additional information about security vulnerabilities associated with cloud-based infrastructure, download the CyberArk eBook that highlights six use cases and best practices organizations can follow to mitigate cloud risks and maintain a consistent, enterprise-wide policy throughout the cloud journey, regardless of the compute environment, development philosophy or complexity.

Topics:
security, cloud security, dynamic events, iaas, paas

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.
