A double-edged opportunity for cloud
Cloud-related security incidents are rising along with the use of cloud applications. Saf Malik looks at whether revised industry standards can combat this increasing threat to enterprises
Security is a foundational pillar for networks as they continue to evolve at a rapid pace. And as businesses look to streamline operations, the cloud is becoming an attractive setting to test and build applications.
Cloud computing offers businesses the ability to store data off-site as opposed to the traditional method of storing data on their premises. This has many benefits – reduced IT costs, higher scalability and collaboration efficiency to name a few - but comes with risks that must be considered.
New research from cybersecurity firm Venafi has revealed that 81% of organisations have experienced a cloud-related security incident during the last 12 months, with almost half (45%) suffering at least four.
“Attackers are now on board with business’ shift to cloud computing,” says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi.
The survey of 1,100 decision-makers found that, on average, companies host 41% of their apps on the cloud and plan to increase this to 57% during the next 18 months. This means that cloud complexity (the result of rapidly accelerating cloud migration and net-new developments without considering how it complicates operations) will rise significantly.
More than half (51%) of those surveyed by Venafi said security risks are higher in the cloud than on-premises. They cited several issues that contribute to this, including security incidents during runtime, unauthorised access, misconfigurations and failed audits.
This goes hand-in-hand with the rise in cloud complexity, which Venafi’s study labels as an underlying issue of security incidents, given the vast number of firms moving to the cloud.
“You hear executives saying we’re moving our business to the cloud, and I know they believe that this can be done with a well-intentioned magic wand,” Bocek says. “While the cloud presents an incredible opportunity, for built-in simplicity and built-in risk reduction, there isn’t that magic wand.”
The rise in complexity presents more opportunities for cybercriminals to take advantage of. Research from Canalys indicates that up to 30 billion data records were stolen in 2020 – more than the previous 15 years combined. What fascinates Bocek is the way cybercriminals adjust their actions to account for the conditions they encounter.
“I’ve heard cybercrime described as a river,” Bocek says. “We, or the markets, put rocks into the river and cybercriminals just go right around and they adapt.”
5G and the cloud
As operators across the globe adopt 5G networks at scale, security will continue to remain of paramount importance.
“As the world becomes more interconnected and the size and speed of data flow increases, the challenge becomes greater, and the stakes get higher,” says Chris Pearson, president of 5G Americas.
As a result, the world’s networks are more prone to additional risk and attack vectors. Therefore, Pearson says, more secure deployment methods are required as providers are more likely to be attacked.
Pearson says some of the world’s largest companies have experienced setbacks due to sophisticated attacks in the past few months, so remaining vigilant is increasingly important, “whether you’re a small organisation or a behemoth enterprise”.
“Cloud-native 5G networks are important for our expanding ecosystem to efficiently provide new use cases,” says Pearson. “It’s vital that 5G cloud infrastructures be built and configured securely with capabilities in place to detect and respond to cyberattacks, providing a hardened environment for deploying secure network functions.”
5G Americas’ latest white paper – Evolving 5G Security for the Cloud – examines how 5G security continues to improve as security controls, tools and standardisation evolve, and the 5G ecosystem extends to include virtualised and cloud-based radio access networks.
The paper describes cloud security as a “foundational pillar” for the mobile communications industry, as it protects against increasing threats from nation state and non-nation state actors, while enabling new applications and use cases. But it also says that a stepwise approach is needed to achieve zero trust architecture for 5G deployments in the cloud in order for network functions, interfaces and data to be protected from external and internal threats.
“Rome wasn’t built in a day, and neither is cloud security in 5G networks,” says Pearson.
Pearson believes that the emergence of cloud computing can present an expanded attack surface for both internal and external threats to 5G networks, requiring a zero-trust mindset to secure them.
“The cloud holds great promise for new 5G use cases when software has security built in upfront and deployments are securely configured to establish a safe foundation,” he Pearson.
As wireless telcos evolve, the mobile industry will continue to embrace advancements in cloud computing and virtualisation to take advantage of the efficiency and deployment flexibility this approach brings.
Pearson says a lot of work has been done to integrate cloud principles into wireless networks, including developing 5G standards that enable the separation of core and edge compute network functions, which has created opportunities for automation and improved user experience.
The 5G supply chain is another major issue, and has increased in importance following Russia’s invasion of Ukraine.
“For network operators, a secure 5G cloud deployment must be built upon a secure 5G supply chain that includes software vendors and cloud service providers, because cloud deployments may increase risk due to virtualisation, increased use of open-source software and a larger array of third-party vendors,” says Pearson.
5G Americas’ president adds that due to the continuous improvement nature of cloud computing, operators must ensure 5G software vendors implement secure software assurances that integrate security within the software development process.
But even though security is of utmost importance, connectivity remains crucial for globally connected societies and essential to human and economic progress.
“We understand the need to address national security interests along with the need to balance international leadership and cooperation among allied nations,” Pearson says.
Fortunately, he adds, advances in 5G security include a host of improvements that allow public land mobile networks to interconnect with each other across borders – more so than any previous generation of wireless cellular.
The Venafi study also looked into how responsibility for securing cloud-based applications is currently assigned among internal teams, and found there was no clear consensus on this. At present, there is no clear industry standard for responsibility over cloud security, with just 25% of companies allocating it to their security team.
The challenge connected with shared responsibility models is that security and development teams often have different objectives. The research showed that developers need to move quickly to accelerate innovation, while security teams are often unaware of what development teams are doing. This makes it difficult for security teams to evaluate how new controls stack up against security and governance policies.
“Security teams want to collaborate and share responsibility with the developers who are cloud experts. But all too often they’re left out of cloud security decisions,” said Bocek.
This means developers are making cloud-native tooling and architecture decisions without involving security teams, resulting in a separation between traditional infrastructure security teams and security engineering teams focused on cloud-native technology.
As the industry moves forward, Bocek believes that companies will have two security teams, trained to deal with different fields of expertise.
“You’ll have a traditional infrastructure team and then a new engineering-focused, cloud-native security team,” he says. “They’ll work on two different types of threats – the traditional infrastructure team may work in the endpoint, while the new team will focus on all customer-facing business AI applications that are running on the cloud.”
Bocek thinks that as the risk of security incidents in the cloud continues to grow, the industry must reset its approach to cloud security in order to create consistent, observable and controllable security services across clouds and applications.
“Architecting in a control plane for machine identity is a perfect example of a new security model created specifically for cloud computing,” says Bocek. “This approach embeds security into developer processes and allows security teams to protect the business without slowing down engineers.”
Bocek is keen to stress that the rise in cybercrime experienced by businesses does not spoil the opportunities the cloud presents. The added agility and flexibility the cloud provides during times of economic uncertainty is vital and present “tremendous advantage”, he says.
“We just need to be able to address the complexity and those risks,” Bocek says. “Particularly as we head into a riskier time over the next few years from a security perspective.”