One of the most common questions from the early days of cloud computing was: 'Is it safe?'

Fast forward a decade and millions of successful implementations later, the dangers of cloud environments are as real now as they ever were, and in many instances the threats are now actually greater.

According to Venafi Research, as many as 81 percent of organisations have suffered a significant security incident related to their cloud environments in the past year, with the most common being security incidents during runtime, unauthorised access, misconfigurations, unpremeditated major vulnerabilities, and failed audits.

In addition, Verizon’s 2022 Data Breaches Investigations report notes that, as with most other forms of cyber incidents, 82 percent of cloud breaches arose from human-related factors, such as social engineering, errors, and misuse.

Taking a different approach

While the cloud might be a common aspect of enterprise computing today, that doesn't mean it can be treated the same as traditional on-premises infrastructure.

According to Kate Healy, an independent cyber consultant and former executive with NAB and Google, three factors set cloud security aside from regular cyber disciplines.

The first arises from the way cloud services are released and updated, where new releases can be issued frequently, and vulnerabilities patched instantly.

“That means you need to keep up not just with the functionality that each update offers, but what this means for your security posture,” Healy said.

The second factor is keeping up-to-date with cloud skills, especially when embracing “true cloud technologies such as containers and services”.

“Traditional ideas like IP addresses cease to exist, and the way environments are monitored also changes,” Healy said, adding that this is one of the key factors driving the high propensity for vulnerabilities to arise from misconfigurations.

Healy said the third consideration relates to cloud providers’ shared responsibility security model, which generally involves the provider taking responsibility for the cloud service, with users responsible for protecting the security of their data and identities, on-premises resources, and other cloud components they control.

"Control of data needs a higher focus," Healy said.

An ever-growing honeypot

These challenges are doing little to dampen the enthusiasm for cloud migrations, however.

According to Statista, as of this year some 50 percent of enterprises have workloads in the public cloud, with seven percent planning to migrate additional workloads in next 12 months.

The volume of workloads that each organisation hosts in the cloud is also growing rapidly, with one-third of organisations hosting more than 50 percent of workloads in the cloud in 2021, rising to more than half this year.

The cost of keeping workloads safe in the cloud is not cheap, however, with Forrester expecting the cost of securing cloud workloads to increase by eight percent to 13 percent in the next 18 to 24 months. Forrester's recommendations include using automation to take away some of the human costs of cloud security, and highlight a need to better coordinate between on-premises and cloud technologies.

This second point speaks specifically to the complexity of many cloud environments, which can include cloud-based infrastructure, platform- and software-as-a-service, in addition to on-premises infrastructure – each configured and managed differently, and which may be accompanied by a bewildering array of security management tools and processes.

Many clouds, many users, many problems

One of the greatest challenges arises from the propensity for organisations to adopt multiple cloud services (often outside of the defined IT strategy), making previously simple tasks such as providing secure user access problematic.

For Karl Houseman, chief technology officer and security specialist at the electrical and communications installation and service contractor Stowe Australia, his company’s cloud-based application environment now includes 25 SaaS applications – each of which needs to be accessed securely.

To solve this problem Houseman is investigating several technologies, including SAML (Security Assertion Markup Language) to onboard and offboard users across multiple web applications, and CASB (Cloud Access Security Broker) technology, to ensure network traffic between users and cloud services complies with security policies.

"CASB is going to be a really good way of managing corporate devices and providing cloud brokerage for known devices, and SAML will be managing users when they are not on corporate devices," Houseman said.

For CASB specifically, Hausman said its value extends beyond just its security controls by providing a much clearer picture of device usage across the organisation.

"Once you know what the devices are, the security is pretty straightforward," Houseman said.

Houseman is not alone in investigating the benefits these technologies can provide, with Future Market Insights projecting the market for CASB to hit US$10.7 billion in 2023, rising to US$39.3 billion in 10 years' time.

Market revenue for SAML solutions follows a similar trajectory, albeit from a smaller base, with Research and Markets estimating its market value as US$2.47 billion 2022, heading to US$4.57 billion by 2028.

Solid foundations

While the race to the cloud has created new headaches for security professionals, solving these challenges may ultimately rely on principles which have been fundamental to good security practices since the dawn of the computing age.

According to Forrester, that means making security the first consideration in cloud implementations, as without a robust cloud governance framework and implementation expertise, cloud infrastructure can become a hodgepodge of disparate workloads that lack real visibility.

The result is a massively insecure cloud presence that can expose the organisation to even greater security risks than on-premises hosted workloads.