No other technology revolution has induced more fear, uncertainty, and doubt for so long than the cloud. With all its growing variations (e.g., SaaS, IaaS, PaaS), just trying to define it has driven confusion. That’s before you attempt to apply it to your business or secure it.
Cloud confusion has a long history. Back in 2015, I first tackled this issue in an article entitled “20 of the Greatest Myths of Cloud Security.”
“I think they’re actually all linked,” said Mark Nunnikhoven (@marknca), vp, cloud research, Trend Micro. “They have the same underlying root cause; an assumption that ‘traditional’ security approaches worked and were optimal.”
The cloud myths that persist today are rooted in the belief that security is a siloed activity within an organization, added Nunnikhoven. And as we all know, that’s far from the case.
Here’s where we stand today with the misguided perceptions of the cloud.
Editor’s note: While the article sponsor, Trend Micro, and our editors agreed on the topic of “cloud security myths,” all production and editorial is fully controlled by CISO Series’ editorial staff.
Myth 1: The cloud is inherently insecure
This myth holds the number one spot because it’s endured the longest and many of the other myths are just variations.
The opposite is often true, claimed Nick Espinosa (@NickAEsp), chief fanatic/CIO, Security Fanatics: “Oftentimes the cloud platforms update themselves for security with more frequency (faster than an IT team can often get to it) and they usually offer more redundancy in terms of infrastructure failure and replication.”
The cloud’s security problem is us. When there is a breach in the cloud “there is a good chance it is not because of the cloud provider but customers not adopting and following security best practices as part of their shared security responsibility,” said Ahsan Mir (@AhsanMir), CEO, co-founder, Rapticore.
Myth 2: The cloud can never truly be as secure as on prem
“It’s much easier to believe that servers and hardware can protect your data than it is to believe that a cloud-hosted network you can’t see or touch will do just as excellent of a job,” said OpenVPN’s Dinha.
Reality is “security today is more about visibility (allowing for detection, assurance, validation, etc.) and programmatic (or automated) control than it is about a physical wall around a physical server,” said Zach Powers, CISO, Benchling.
With more layers of data protection and stronger compliance capabilities the cloud is more prepared for today’s security demands, said Garrity. In addition, it can be configured to track attack scenarios that can wipe out your defenses.
“[For example], if an attacker gains access to the on-prem solution (easily through a stolen password), they can delete all evidence of audit trails and their attack. A cloud-based SIEM provider stores and encrypts the raw data collected (separate from the client’s environment) to keep the integrity of logs intact, important for forensic and investigation purposes,” explained Thu Pham (@Thu_Duo), head of content and product marketing, Blumira.
Myth 3: The cloud is more secure
The cloud being less secure is not one-sided. Saying the exact opposite is also a myth. The platform in itself doesn’t inherently make you more or less secure.
Yet the same speed and scalability that make the cloud so attractive for business computing can also be used against you.
“The biggest breaches in history are cloud. The least notification and least preparation have been cloud. It’s failed at bigger scale than any failures before,” said Davi Ottenheimer (@daviottenheimer), vp, trust and digital ethics, Inrupt. “Even migration to cloud itself has been the cause of breaches.”
Myth 4: The cloud makes security easier
At the start, you may be fooled into believing that. But once your developers get involved, their services need custom security solutions.
“Traditionally, organizations can put a web application firewall (WAF) in front of a web server (EC2). However, if developers use AWS Lambda and use Edge to host the application in AWS CloudFront then the data is stored in a content delivery network. This means any other WAF is ignored unless you use AWS’ WAF.”
Myth 5: The cloud is more secure out of the box than traditional data center security models
“There is a misconception that just because an application has been redeployed from on-premises to cloud that it automatically receives a level of protection just by doing so,” said Mitch Parker (@mitchparkerciso), CISO, Indiana University Health.
“The pendulum has swung from ‘don’t put your data in the cloud it’s not secure’ to ‘it’s so secure we can blindly transfer all the risk with no work on our part,’” said Jerich Beason (@blanketSec), svp, CISO, Epiq. “This myth is resulting in multiple cloud misconfigurations which is now the number one reason for data breaches in the cloud.”
Myth 6: If you spin up the cloud you can secure the cloud
“Cloud has created a lot of unjustified obfuscation, and puts novices in the driver seat of unsafe machines without any warning signs to the people affected the most,” said Inrupt’s Ottenheimer, who added, “I’ve seen some of the worst system administration mistakes ever by cloud operators who beg to be ignored just by nature of the fact that they hope/expect nobody can understand what they’re doing.”
Myth 7: There is no way to really trust a cloud provider or know what they’re doing
“Many cloud providers have also adopted ‘transparency’ as part of their ‘trust strategy,’ leading them to show their customers documentation and data on external audits, security assessments, vulnerability management, and incident response,” said Benchling’s Powers. “Cloud providers are far more likely to show you what is going on and what they are doing than a non-cloud company will. I find it easier to ‘trust’ a cloud provider than I do other companies.”
Myth 8: The cloud’s got AppSec covered
“OWASP vulnerabilities such as SQL injection and cross-site scripting (XSS) are exploited far too often,” said Palo Alto Strategy Group’s Kail. “The major security attack vectors are at the application level, and the tried and true ‘defense in depth’ approach needs to be applied to both cloud and on-premises solutions.”
Myth 9: The SOC2 report from the cloud service provider (CSP) covers my applications and says they are secure
“The SOC2 report is a report on the service operating controls relative to privacy and security in place for the cloud services provider itself. When you look at the scope of the detailed report for a cloud services provider or colocation facility, they will specifically call out that the applications run by customers are not in the scope of the audit,” said IU Health’s Parker. “It will take additional analysis, including vulnerability scanning and pen testing, to prove that the applications that sit on top of these services themselves have had the proper due care.”
Myth 10: Cloud providers are responsible for all data security
“Cloud security is a shared responsibility between the user and the service provider because both parties suffer when accounts are taken over,” said Ted Ross (@tedross), CEO, SpyCloud, who noted that the credential stuffing attacks at Zoom, Nintendo, and Spotify hurt everyone.
Myth 11: Shared responsibility model is the same across all clouds
“At the SaaS layer the responsibility for infrastructure and application security is almost entirely managed by the provider. Whereas the responsibility for application management and data security is exclusively provided by the customer,” said Coates. “In a world where an authorized SaaS user can, with one click, share critical company documents to the entire world, it is imperative that SaaS customers understand this falls squarely in their realm of responsibility.”
Myth 12: Don’t worry, you don’t need to manage the cloud
This myth is a classic and continues to linger.
“As you move from IaaS, to PaaS, to SaaS, and even to containers, microservices, and serverless environments, the organization is still responsible for managing the controls under their purview, such as hardening, patching, password policies, and auditing/logging,” said Sean Walls (@sean_walls2000), vp, pillar CISO, VSP Global.
“The cloud providers’ highly partitioned services are excellent for security but not ideal for governance and management,” said Rapticore’s Mir. The problem stems not from a lack of services from cloud providers, but from a shortage of skilled staff with cloud knowledge and engineering skills.
Myth 13: I store therefore I’m secure
“I can’t tell you how many times we have run vulnerability scans, internal audits, or performed penetration testing on AWS or Azure and other platforms, only to see tenancies that are wide open with the client running under the assumption that Amazon/Microsoft was actually securing them,” said Security Fanatics’ Espinosa. “If you’re not spinning up perimeter threat detection, real time monitoring, encryption for your data, advanced identity management, and more, you’re asking for trouble.”
Myth 14: I’ll just extend my on-prem controls
Technically, you can do that, but it’s not going to make you secure in that specific cloud environment.
Yes, you can get the car on the track and drive it around. “But the reality is you won’t win,” added Benoit. “Each environment requires a review specific to its purpose and use.”
This is why cloud architects who know each cloud environment’s unique capabilities are in such high demand.
Myth 15: Cloud providers’ security services are a game changer
“In the last few years cloud providers have been releasing security services for monitoring, posture management, and control. They market them as game changers,” said Nir Rothenberg, CISO, Rapyd. “Many times these solutions are only half-baked. Cloud security is a relatively new discipline, even cloud providers are figuring it out.”
Even though these ‘game changing’ security services are initially easy to use, you’ll still need to hire a skilled engineer to get value out of them, added Nir.
Myth 16: Diversify and go multi-cloud
“There are very specific cases where it makes sense to be multi-cloud. In most cases, security leaders should do their utmost to avoid it, as it just raises complexity exponentially,” said Rapyd’s Rothenberg.
The valid arguments for multi-cloud (don’t rely on one provider, avoid vendor lock-in, go for ‘best of breed’) are often severely outweighed by the complexity to manage a multi-cloud environment.
For example, noted Rothenberg, “If you and your customer are utilizing the same cloud, it is often easier to create a backend connection through the cloud provider, rather than over the Internet / VPN in case you each have a different provider.”
Redundancy can be had with a single provider. And having the expertise to handle all these cloud environments, especially when they issue new releases and new services, can be daunting enough with just one provider, added Rothenberg.
Myth 17: We don’t have to worry about availability because it’s running on the cloud
That doesn’t necessarily mean you have to go multi-cloud.
Myth 18: You don’t need to worry about backups in the cloud.
“While it’s much easier to manage backups in the cloud, this is still something that must be planned carefully, and monitored,” said Rapyd’s Rothenberg.
Cloud providers do have data center incidents that can impact your data. Most recently, cloud provider OVH had a fire at one of its locations that left some customer data unrecoverable, and (to the consternation of many customers) backups were not in place by default on all accounts.
Myth 19: Developers understand how to securely configure the cloud
“The truth is there really aren’t enough good cloud security training classes which developers can take to correctly learn how to configure cloud settings to meet common security requirements such as least privilege,” said Caterpillar Financial Services’ Young.
The reality is developers give away admin access or give applications, added Young. “We are creating technical debt that will take years to fix.”
Myth 20: Secure cloud access is the same as on prem
Credentials that don’t expire are never a good strategy. On premises that’s bad; in the cloud the problem is magnified, as “credentials that never expire become a nightmare to manage in a cloud environment that can have many entry points,” explained Bojan Simic (@bojansimic), co-founder and CTO, HYPR.
Myth 21: Change your password every XX days
“Mandatory password rotation seems smart until you realize that people end up using variations of passwords over and over,” said SpyCloud’s Ross.
You know the pattern, and many of us are guilty of creating Password1, Password2, and Password3 after every rotation.
“It’s better to force password resets only when the password is actually compromised,” said Ross, to avoid the inevitable credential stuffing attacks.
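Ross’s policy of resetting only on actual compromise, and the Password1/Password2 rotation pattern, can both be enforced in code. The Python below is an added example, not from the article or SpyCloud: the leaked-password list is constructed, and the prefix-range lookup imitates the k-anonymity scheme that public breach-lookup APIs use, but runs entirely offline.

```python
import hashlib
import re

# Constructed sample of leaked passwords, standing in for a breach-data feed;
# it is the kind of list that credential-stuffing attacks replay.
LEAKED_PASSWORDS = ["Password1", "Password2", "123456", "qwerty", "letmein", "Summer2020!"]

def sha1_upper(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()

def build_range_index(leaked):
    """Index leaked hashes by 5-hex-char prefix: prefix -> set of suffixes."""
    index = {}
    for pw in leaked:
        digest = sha1_upper(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index

def is_compromised(pw: str, index) -> bool:
    """Range lookup in the k-anonymity style: only the prefix would leave the
    client, the suffix comparison happens locally. This is the reset trigger."""
    digest = sha1_upper(pw)
    return digest[5:] in index.get(digest[:5], set())

def normalize_stem(pw: str) -> str:
    """Strip the rotation noise (case, trailing digits and symbols) so that
    Password1, Password2 and PASSWORD3! all reduce to 'password'."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one- or two-character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password is a predictable tweak of the old one."""
    old_stem, new_stem = normalize_stem(old), normalize_stem(new)
    if old_stem and old_stem == new_stem:
        return True
    return edit_distance(old.lower(), new.lower()) <= 2

def accept_new_password(old: str, new: str, index):
    """Gate the reset itself: reject leaked passwords and trivial variants."""
    if is_compromised(new, index):
        return False, "new password appears in breach data"
    if is_trivial_variant(old, new):
        return False, "new password is a trivial variant of the old one"
    return True, "ok"
```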
Myth 22: You’ll save money in the cloud
“Total cost of ownership of cloud systems can be less expensive than owned systems, only if managed properly,” said VSP Global’s Walls.
“If you bring poor asset and configuration management practices to the cloud it will cost you more in the long run,” concurred Epiq’s Beason.
It’s better known as “‘cloud sprawl,’ where many unnecessary production, test and dev systems remain perpetually online burning dollars unnecessarily,” added Walls.
“Moving to the cloud to save money in and of itself is a failed business strategy. Companies should be moving to the cloud because of some inherent value, such as rapid scalability, unmet computing power, or ease of deployment for simple applications. Corporate IT strategy should push cloud deployment, not a perceived savings or a desire to adopt a new technology,” advised John Overbaugh (@johnoverbaugh), vp, security, CareCentrix.
Myth 23: Cloud providers spend more money securing their environment
Part of that story is true, but the reality is “it adds more complexity as there are shared responsibilities that each company needs to assume, which requires a paradigm shift in the technical skills,” explained Nir Valtman (@ValtmaNir), vp, head of product and data security, Finastra.
Valtman believes that more money will be spent on cloud security, but that’s because the situation becomes exponentially more complex.
Myth 24: Cloud is more prone to attacks given that it’s exposed to the Internet
“The attack surface nowadays are the identities, which can access both cloud and on premise assets,” said Finastra’s Valtman.
Myth 25: Security team will slow down cloud-based expansion
In the rush to develop applications quickly, a myth has taken hold among software developers and DevOps engineers that security will only slow down their continuous development and production process.
“Doing things right the first time is always more efficient,” said Doug Cahill (@dougcahill), vp and group director, cybersecurity, Enterprise Strategy Group. “Integrating security via integration with the tools that manage the software development lifecycle (SDLC) improves security posture and operational efficiency.”
Myth 26: Bad security outcomes happen when you move too fast
“Iterative and thus constantly improving is not dangerous,” said ESG’s Cahill, echoing the basic principle of DevOps. “By integrating security into DevOps and SDLC, security too can improve iteratively, and by doing so, keep pace at scale.”
Myth 27: Your cloud provider has you covered for compliance
It’s false to believe you do not need to worry about compliance with those regulations for which your CSP can provide attestation.
“Compliance does not transfer from CSP to subscriber but rather extends to the subscriber in the context of the cloud security shared responsibility model,” said ESG’s Cahill. “The subscriber is responsible for meeting and maintaining compliance with those above the water line parts of the stack headlined by identity and access management and data security.”
Myth 28: Customers won’t trust us in the cloud
“Depending on your product, if you are not cloud native or cloud ready, some customers may believe your team isn’t staying current with tech trends and that could be a notable risk in their due diligence process,” said Ty Sbano (@tysbano), CISO, Sisense.
Myth 29: Firewall and network security principles will protect data in the public cloud
“We still see very mature enterprises put faith in network related controls as a primary means of security in the public cloud,” said Sandy Bird, co-founder and CTO, Sonrai Security. “A single action by an attacker or configuration mistake may bypass everything your network controls were set up to protect.”
Myth 30: I am going to manage identities in the cloud using my enterprise IAM governance process
This would be true if online identities were only people. But that’s no longer the case.
“In the public cloud, identity and access controls build non-people identities (NPI) that are used by ephemeral compute, containers, functions, and services,” said Sonrai Security’s Bird. “These identities can be automatically approved by code based on governance policy, monitored to ensure the least privilege, and cleaned up when no longer in use.”
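The identity problems raised under Myth 20 (credentials that never expire) and Myth 30 (non-people identities that need least privilege and cleanup) can be checked mechanically against an inventory. The Python below is an added example, not from the article or any of the quoted vendors; the inventory records, field names and thresholds are constructed for illustration, and a real audit would pull them from the cloud provider’s IAM and credential-report APIs.

```python
from datetime import datetime, timedelta, timezone

# Fixed 'today' so the audit is reproducible; thresholds are constructed.
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)   # rotation window for static credentials
MAX_IDLE = timedelta(days=60)      # idle period after which an NPI is a cleanup candidate

# Constructed inventory: one record per non-people identity. key_created is None
# for identities that only ever receive short-lived, role-based credentials.
INVENTORY = [
    {"name": "ci-deployer", "key_created": "2021-05-20", "key_expires": None,
     "last_used": "2021-05-31", "actions": ["s3:PutObject", "s3:GetObject"],
     "resources": ["arn:aws:s3:::build-artifacts/*"]},
    {"name": "legacy-etl", "key_created": "2019-01-10", "key_expires": None,
     "last_used": "2020-11-02", "actions": ["*"], "resources": ["*"]},
    {"name": "img-resizer-fn", "key_created": None, "key_expires": None,
     "last_used": "2021-05-30", "actions": ["s3:GetObject", "s3:PutObject"],
     "resources": ["*"]},
]

def _date(value):
    """Parse an ISO date string into an aware datetime, or None when absent."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc) if value else None

def audit_identity(rec, now=NOW):
    """Return the findings for one identity; an empty list means it passed."""
    findings = []
    created, expires = _date(rec["key_created"]), _date(rec["key_expires"])
    last_used = _date(rec["last_used"])
    # Myth 20: static credentials with no expiry, and ones past the rotation window
    if created is not None:
        if expires is None:
            findings.append("non-expiring credential")
        if now - created > MAX_KEY_AGE:
            findings.append("credential older than rotation window")
    # Myth 30: least privilege, flag wildcard actions or resources
    if any(a == "*" or a.endswith(":*") for a in rec["actions"]):
        findings.append("wildcard action")
    if "*" in rec["resources"]:
        findings.append("wildcard resource")
    # Myth 30: clean up identities that are no longer in use
    if last_used is None or now - last_used > MAX_IDLE:
        findings.append("unused, cleanup candidate")
    return findings

def audit_inventory(inventory, now=NOW):
    """Map identity name -> findings for the whole inventory."""
    return {rec["name"]: audit_identity(rec, now) for rec in inventory}
```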
CONCLUSION: Both business and security evolve when you move to the cloud
At its core, the reason many of these cloud myths persist is that cloud solutions have often been sold as turnkey. That doesn’t necessarily translate to security.
“The reality of cloud security is you have to deal with it,” said Trend Micro’s Nunnikhoven of the many cloud myths that fall into the ‘oh the cloud has got that covered’ department.
“Just because you can’t see the cloud doesn’t mean you can let your guard down,” added OpenVPN’s Dinha.
“The cloud typically signals a large transformation in the organization,” said Nunnikhoven, “which is a massive opportunity for security to change how they work, both technically and process-wise.”