There are many inescapable truths about the cloud that can ruin any systems administrator’s day, but two that keep CISOs and SOC administrators up at night are:
- Bad actors will find their way into any network, regardless of how well you think you have defended it
- No matter what the cloud provider tells you about how good its security is, it is up to you to protect your data; the provider’s concern is protecting its infrastructure, not your data
Good cyber hygiene begins with solid asset management. You must know what assets you have in the cloud, from where your data is stored to the computing assets, both currently used and unused, such as virtual machines.
Look for rogue cloud accounts that were spun up in departments that did not require or obtain approval from the IT department. This is not unusual when such accounts fall within the approval authority of department managers. You also want to know where you have cloud storage buckets and that they are secured (vulnerable S3 buckets are commonplace), as well as monitoring your app engines.
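As an added illustration of the bucket check described above (example code written for this edit, not from the article), the following classifies S3 bucket configuration records from an asset inventory as private, public, or public but neutralised by Block Public Access. The bucket names, owner ID and inventory records are constructed; the field shapes follow the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock API responses.

```python
# Added example: classify S3 bucket records from an asset inventory. The shapes mirror
# the GetBucketAcl / GetBucketPolicy / GetPublicAccessBlock responses; buckets are constructed.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def public_acl_permissions(acl):
    """Permissions the ACL grants to the AllUsers/AuthenticatedUsers groups."""
    return [g.get("Permission") for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def _principal_is_anyone(principal):
    # True for Principal "*" or {"AWS": "*"}, including "*" inside an AWS list.
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return principal == "*" or (isinstance(principal, list) and "*" in principal)

def public_policy_sids(policy):
    """Sids of unconditional Allow statements whose Principal is anyone."""
    stmts = (policy or {}).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s.get("Sid", "<no Sid>") for s in stmts
            if s.get("Effect") == "Allow" and _principal_is_anyone(s.get("Principal"))
            and not s.get("Condition")]  # conditioned grants: flag for manual review

def assess_bucket(record):
    """Return (exposure, findings); exposure is 'private', 'PUBLIC' or 'blocked'."""
    findings = []
    perms = public_acl_permissions(record.get("acl", {}))
    if perms:
        findings.append("ACL grants %s to a public group" % ",".join(perms))
    sids = public_policy_sids(record.get("policy"))
    if sids:
        findings.append("policy statement(s) %s allow anyone" % ",".join(sids))
    if not findings:
        return "private", findings
    # All four Block Public Access settings on: the public ACL/policy is neutralised.
    pab = record.get("public_access_block", {})
    return ("blocked" if all(pab.get(k) for k in PAB_KEYS) else "PUBLIC"), findings

# Constructed sample inventory (hypothetical bucket names and owner ID).
ALL_USERS = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}
OWNER_ONLY = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]}
OPEN_READ = {"Statement": [{"Sid": "OpenRead", "Effect": "Allow", "Principal": "*",
                            "Action": "s3:GetObject", "Resource": "*"}]}
SAMPLE_INVENTORY = {
    "example-marketing-site": {"acl": {"Grants": [{"Grantee": ALL_USERS, "Permission": "READ"}]},
                               "policy": None, "public_access_block": {}},
    "example-finance-reports": {"acl": OWNER_ONLY, "policy": OPEN_READ,
                                "public_access_block": dict.fromkeys(PAB_KEYS, True)},
    "example-backups": {"acl": OWNER_ONLY, "policy": None, "public_access_block": {}},
}
```

Feed it the records your inventory tooling collects per bucket and review anything classed as PUBLIC first, then the conditioned policy statements it deliberately leaves for manual review.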
If your organization is subject to regulatory compliance, you should have records of where and how your data is stored. However, never rely exclusively on compliance documents: departments or individuals sometimes spin up cloud storage or applications to ease their workload without reporting these assets to the compliance department.
Remember too that the owner of cloud-based data is responsible for protecting it, not the cloud provider. While your provider might offer some cybersecurity controls to protect its infrastructure, your service-level agreement and contracts will spell out what the provider is responsible for and what your organization is responsible for. More often than not, the provider’s responsibility ends at protecting its assets, not yours.