Cloud platform providers such as Amazon, Google and Microsoft have invested heavily in creating secure environments for customers to operate their networks in by providing more resources and capabilities to keep foundational services patched and operational. This is largely driven by the Shared Responsibility Model, which dictates cloud providers monitor and respond to security threats related to the cloud’s underlying infrastructure.

Despite everyone’s best efforts, cloud security threats continue to impact organizations. Amazingly, 98% of respondents to Ermetic’s 2021 survey reported at least one cloud data breach within the previous year and a half. It’s no surprise 95% of organizations are moderately to extremely concerned about cloud security.

What’s the solution? As threats continue to persist, organizations have a huge opportunity to leverage the power of the cloud and provide greater network security in the cloud than on premises. This can be achieved through cloud security tools that extend beyond the network to also secure organization’s user and endpoint devices.

Let’s take a closer look at three best practices organizations must consider when it comes to orchestrating the security architecture of their cloud environments.

Pillar 1: reducing the risk of cloud misconfigurations

Misconfigurations in cloud environments are major contributors to security issues. For example, a study by Ponemon suggests misconfigured cloud servers cause 19% of data breaches costing half a million dollars per breach, while Gartner estimates misconfigurations will cause 99% of cloud security issues by 2025.

The major cloud breaches we’ve seen such as the Capital One data breach in 2019 have been due to misconfigurations or a malicious actor taking advantage of a configuration. Earlier this year, we saw bad actors expose thousands of student records through a misconfiguration in a Microsoft Azure server. We’ve also seen customers accidentally allow public access to their MongoDB resulting in ransom demands in exchange for compromised encryption keys.

In this example, following recommended best practices in design and a disciplined DevSecOps process on Security Group changes would have prevented the exploit. This would have ensured security was integrated into devops initiatives, reducing risk while minimizing the possibility of attacks.

Pillar 2: securing endpoint applications and users

Although applications create more entry points for attackers into a cloud environment than an on-premises environment, the leading cloud providers have built-in mechanisms and tools to help secure application workloads.

For example, organizations can tightly control and contain the blast radius of application exploits by applying cloud best practices. Application developers specifically need to make security a central component at the start of the development process, rather than an afterthought further down the line. Security vulnerabilities should be addressed during the software development process.

Organizations can’t afford to leave the door open to malicious attacks. By “baking in” security capabilities during the application design and development cycle, businesses will be better placed to continuously audit and optimize their apps, while ensuring proactive protection from the most prominent cyber-threats.

There are also programs available to help organizations keep up with the speed of change in the cloud. For example, some can even help organizations track and improve their workload compliance, empowering them to reduce risks and respond faster to changes which may affect application security.

Pillar 3: patching makes perfect

Cloud environments include many gateways for malicious actors to access systems and data. Organizations that apply timely patches to applications can minimize the impact and remediate active exploits. However, applying patches in a timely manner is still something many organizations struggle with.

Organizations are slow to patch due to a combination of factors, such as the complex nature of systems or overstretched internal resources. Without a strategy for implementing patches or enough personnel to focus on patch management, they can fall by the wayside. This could result in servers remaining unprotected for weeks or even months after an update is released.

So, what goes into an effective patching strategy? The first step should always be to take an inventory of the systems in the infrastructure. Once the organization has a clear understanding of the devices, software and applications being used, they can determine the risk levels of their systems and assign priorities to each of them based on factors such as how long a system has been left unpatched and whether it accesses the internet.

Of course, the most important best practice is to apply patches as quickly as possible. Patches should always be applied in a timely manner – a process which can be automated through tools to leave systems unguarded for the minimum amount of time possible.

The future of cloud security

Ultimately, there is no silver bullet when it comes to securing cloud environments. However, in the short-term, organizations can minimize risk by applying and following the best practices outlined by cloud providers.

Looking ahead, implementing AI and machine learning technologies will provide an opportunity for organizations – specifically hyperscalers and third-party software providers – to innovate in cloud security. These tools leverage automation to provide increased visibility into cloud environments. For example, businesses can create policies to automatically detect misconfigurations, show exactly when a configuration was last changed, and by whom – all without any manual labor or human interaction.

With the cloud threat landscape continually evolving and becoming more complex, next-generation technologies such as AI and machine learning will be key to bolstering security defenses and building truly resilient cloud architectures.


Kevin Davis

Kevin Davis
 is the global CTO of AWS at Atos, a leader in cloud and digital workplace. He previously served in the same capacity at Cloudreach. He is a passionate technical leader who delivers high-quality, customer-driven solutions leveraging DevOps and public cloud technologies

Backup and Disaster Recovery Services: Only as Reliable as Your Network Connection
Most of us are aware of the growing importance of data for today’s information-driven businesses and organizations. Data has become...
Data Privacy & Security
Throughout my entire IT career, I’ve had to deal with businesses needing data protection from external people looking to cause...
Holistic Cybersecurity: How to Bring Security and DevOps into Alignment
Cloud computing today operates at a pace that is almost hard for the human mind to comprehend. In the time...
Data Protection and Cybersecurity Practices to Consider When Running a Small Business
It’s far too easy for small business owners to dismiss the warnings that they need to protect their companies from...