For small and mid-sized businesses (SMBs), cloud computing services provide an easy and flexible way to access a multitude of applications and the power needed to keep the business running regardless of location. These services provide an environment to rapidly scale and develop new software programs and ecosystems without the need for a heavy investment in infrastructure.
During the pandemic and shift to remote work, cloud-based services enabled SMBs to quickly provide collaboration and conferencing capabilities to employees and customers alike. Additionally, with cloud services, SMBs gained new digital business and e-commerce functionalities.
While cloud computing provides SMBs with new business enablement capabilities, it also comes with security issues and risks. Unlike enterprise organizations with access to more security resources, SMBs have historically had the added challenge of facing these threats with limited security budgets and expertise.
Cloud Computing Security Concerns
What are the primary cloud computing security concerns? The Cloud Security Alliance (CSA), an organization that defines standards, certifications, and best practices to help ensure a secure cloud computing environment, identified some of the top threats based on a survey of industry experts and the knowledge of its Top Threats Working Group.
These threats include data breaches, account hijacking, insider threats, insecure interfaces and application programming interfaces (APIs), limited cloud usage visibility and nefarious use of cloud services.
Given the threat landscape, organizations across the board are increasing spending to address cloud security concerns. In a recent report, Gartner noted that spending on information security and risk management technology would grow 12% to $150.4 billion in 2021, showcasing continuing demand for remote worker technologies and cloud computing security.
“Organizations continue to grapple with the security and regulatory demands of public cloud and software as a service,” said Lawrence Pingree, managing research vice president at Gartner. Cloud security was easily the fastest-growing market segment, according to the report. Spending on the segment is forecast to grow 41% between 2020 and 2021. That compares with 17% for data security and 17% for infrastructure protection, the next two fastest-growing categories.
While adding the security controls and technologies needed for adequate protection is important, SMBs are encouraged to focus on the right types of products and on best practices and processes for building a strong cyber security program.
For example, products should not only offer protection against common threats such as ransomware, but also be easy to use and offer a high level of visibility into servers and user devices. These products should also identify risk factors such as software misconfigurations.
Cloud Security Industry Efforts
Small and mid-sized companies can also take advantage of cloud security industry efforts to protect information resources from attacks. For example, in July 2021, the CSA released a guide on Cloud Threat Modeling that provides security leaders and teams with guidance on conducting threat modeling for cloud applications, their services, and surrounding security decisions.
The guide features cloud threat modeling cards (threat, vulnerability, asset, and control) and a reference model that organizations can use to create their own cloud threat model. This model enables companies to refine their risk management processes and enhance their overall cyber security program.
According to the CSA, threat modeling is important for software and systems security, especially for cloud software, systems, and services. Models can be used to develop a structured and repeatable approach to addressing threats, which should be appealing to SMBs with limited resources. By using these models, companies can take a proactive approach to anticipating and mitigating future cyber threats and attacks, instead of reacting once they have occurred.
Another helpful resource for SMBs, provided by the U.S. federal government, is the recently launched StopRansomware.gov security resource hub. The website provides a “one-stop hub for ransomware resources” for individuals, businesses, and other organizations, according to the government. It provides cyber security resources from across the federal government, with the goal of protecting businesses and communities from ransomware attacks.
These efforts and more are all part of the entire cloud security industry banding together to ensure that SMBs are protected from threat actors and cyber-attacks.
Cloud Security Fundamentals and Training
It is recommended that SMBs provide all their employees with regular training on cyber security fundamentals and on various aspects of cloud security. This approach should also result in the development and enforcement of strong information security policies and best practices. The reason is that much of the cloud threat vector links back to the human element, with issues such as insufficient access permissions, account hijacking, insider threats, and abuse of cloud services.
The need for training and updated policies is even more important with so many employees working remotely full time or part time as part of a hybrid work arrangement.
Training program focus areas include:
- how to avoid phishing and other email scams
- how to identify and deal with malware
- proper use of passwords and multi-factor authentication
- data management and privacy
- safe use of the Internet
- proper use of social media
- physical security to safeguard devices and other IT resources.
How to Choose a Cloud Vendor
Not all cloud service providers are equal when it comes to cyber security. Some have built highly secure infrastructures designed to withstand a variety of attacks, while others might have slapped together some tools in hopes of not getting exploited.
SMBs need to do their homework in evaluating providers to make sure they have taken all the necessary steps to protect their systems and their customers’ data. It’s important to determine whether the service provider can guarantee continuous network and data availability.
Keep in mind that security is a shared responsibility between the cloud provider and its clients. The burden does not fall solely on one or the other. Contracts and service level agreements (SLAs) should address security responsibilities clearly.
In the end, mitigating the security issues and risks of cloud computing comes down to building a strong cyber security culture, where data protection is always a priority. This happens when all employees within the organization take responsibility for leveraging the right tools and employing best practices and protocols. If SMBs take the necessary steps, they can create a security program that would be the envy of a global enterprise.