With cloud now playing a critical role in most organisations, potential vulnerabilities must also be acknowledged and closed, says Rob Smith, CTO at cloud firm CloudClevr.
The increase in cloud adoption means that companies are now having to deal with a growing number of services and licenses. The UK’s cloud industry body, the Cloud Industry Forum (CIF) has said that 78 per cent of UK organisations have stated that they have adopted at least one cloud-based service. Whilst this is encouraging and a positive step for companies to embrace the advantages cloud brings, this influx of new services can bring negatives.
Potential consequences of increased cloud use
Some risks associated with an increased use of cloud services result in financial conse-quences. Companies who do not have a grip on their licence usage for example can lead to inefficient licensing and wasted budget. The nature of cloud services means that services can be turned off and on relatively easily. However, systems can be left on by mistake meaning an unnecessary use of licence budget and as the cloud real estate grows, so does the potential for waste.
However, it is the security risk that cloud sprawl brings that can cause the most damage to an organisation, in terms of financial, reputational and infrastructural cost.
Why cloud sprawl is bad for security
It’s important to note that having a lot of cloud services is in itself not inherently a security risk. The risk comes from when IT teams have to deal with a growing number of services, each a potential risk for organisations and a potential ball to drop. For every system brought online quickly, there’s another potential risk to consider.
And while end users operate more and more in the cloud each day and often not in a centralised office, organisations can’t afford to take their eyes off endpoint security – with risks there potentially being a chink into a wider security breach. Indeed, remote or hybrid workers can too easily ignore or forget corporate security policies and get caught out by cyber-criminal attempts to gain access.
Platform sprawl
Every system is generating its data. Sometimes, too much data. Among the myriad dash-boards and reports and alerts it’s easy for teams to not see the forest for the trees. With each system demanding attention in its own way for whatever it deems important, as the number of systems grows so does the noise.
Excess and unused cloud resources
What systems are actually being used? What licences have been assigned but are just sit-ting idle? These are the key questions that IT teams need to be continually asking. Each system adds its own attack vector, so understanding what is needed – and if it is still actively used – is vital to begin to mitigate risks. This includes getting a grip on shadow IT.
Managing access control
It’s all too easy to give sign-in permissions for a mailbox, or to a user for a temporary need, then for it to be forgotten about. Accounts may simply be left with access long after they are needed. With every single account a potential risk to your IT infrastructure, ensuring accounts are properly configured, secured and then removed when not needed is vital.
End point security remains important
In some ways the adoption of cloud has made the end user safer and more resilient. A cloud service isn’t going to feel the pain of a local virus outbreak. If a user’s machine is compromised, they are likely to able to jump on another machine and continue where they left off. But with security threats becoming increasingly sophisticated, and data often being the end goal of cybercriminals, the user and their end point security is just as important as ever. A study by the Ponemon Institute indicated that 68 per cent of organisations experienced an end-point attack resulting in compromised data or IT infrastructure in 2023.
So, while not a cloud issue specifically, end points remain a risk – and with a dispersed workforce you can’t just rely on network security. A laptop without its firewall enabled, an out-of-date virus scanner, or an unsupported laptop all may seem small issues on the scale of a large organisation, but it takes just one breach to ultimately lead to larger consequences.
Remaining in control of your estate
For SMEs with small IT teams or enterprise-level companies struggling with skill gaps and a lack of basic cybersecurity skills means that companies of all sizes are at risk. All companies now hold valuable data and cybercriminals have no issues in attacking organisations no matter their size or in which sector they operate. Ensuring that security becomes integrated into ‘everyday’ work is important to ensure vulnerabilities are closed, or indeed, not opened in the first place. Some are also turning to solutions that you keep secure and better manage your cloud estate.
Some solutions provide a unified dashboard to bring together the various technologies in use within organisations. IT teams can see, in one place, require actions and quick wins to improve the security of your organisation whilst deploying industry best practice. This can include:
• Understanding teams and how many have owners and members.
• Devices where MFA (multi factor authentication) are not enabled.
• Accounts that have been subjected to excessive levels of ailed login attempts.
• Shared mailboxes that have sign-in enabled.
• By highlighting these clearly in one place and ranked by severity, IT teams can act faster and more decisively on what needs to be done and then free up time for higher priority projects.
With cloud now established as a key business tool companies can enjoy the undoubted benefits. However, like any new technology it has to be carefully managed. Using a hub that helps to manage security and cost means organisations can move forward confident that the migration to the cloud does not come with a financial or security cost.
