Risks and impact on security as organizations move to the cloud

- [Instructor] Despite its many benefits, the cloud poses unique security risks that cloud customers should understand. Cloud environments are accessible directly from the public internet. While the accessibility of this cloud infrastructure is a benefit to employees and customers, it also makes it easier for an attacker to gain unauthorized access to an organization's cloud-based resources. In addition, because the cloud is still a novel concept to many, organizations are not familiar with how to apply appropriate security in the cloud. While this list is not exhaustive, these are the main high-level cloud security risks. Number one, misconfiguration. Cloud misconfiguration is consistently listed as a top security risk in the cloud. Cloud misconfiguration refers to any security oversight sustained while constructing a cloud environment that could pose a security risk. The cloud is a fairly complex technology, with most cloud customers not familiar with how to secure it. In addition, cloud service providers have a plethora of services, each having its distinct implementation and nuance. As a result, it is easy for misconfiguration to leave an organization's cloud-based resources exposed to attackers. An example of a misconfiguration is inadvertently leaving a cloud-based database as public when you meant to make it private. This makes the database accessible to anyone on the internet. One of the most common misconfiguration is not changing default, insecure settings that are built in by the cloud service provider. Tools exist specifically for searching the internet for this type of misconfigured cloud deployments. Second risk is data breaches. The cloud, by its very nature of being accessible directly from the internet, has made it a prime target for cyber criminals. Cyber criminals are commonly exploiting weaknesses and blind spots in cloud infrastructure. As more organizations migrate to the cloud, it becomes a much more attractive target for cyber criminals and they are devoting more resources to exploiting data accessible via the internet. Facebook, also known as Meta, and Alibaba, two well-known cloud service providers who were breached in recent years. The third risk is cloud skills shortage. Implementing cloud security requires specialized knowledge. Unfortunately, the availability of resources skilled in cloud technologies has not caught up to cloud customers' demand to implement cloud. The heavy demand to migrate to the cloud and lack of cloud expertise causes many cloud customers to migrate to the cloud with less-than-secure implementations, leaving cloud customers vulnerable to cyber attacks. The fourth cloud risk is legal and regulatory compliance. Data privacy and confidentiality is a key risk in the cloud. Regulatory requirements like the California Consumer Privacy Act, also known as the CCPA, the EU General Data Protection Regulation, GDPR, the Payment Card Industry Data Security Standard, PCI DSS, and the Health Insurance Portability and Accountability Act, HIPAA, mandate the protection of customer data and impose strict penalties for non-compliance. Should a cloud customer experience a breach resulting in data exposure, the cloud customer may suffer fines and reputation loss. The fifth cloud risk is cloud visibility and control. Because cloud environments can be accessed directly from the internet, users can easily bypass the organization's procurement process to install the cloud solutions they want. For example, it's very easy to deploy infrastructure and start storing organizational data in AWS Azure or Google Cloud without the knowledge of the organization. This is also referred to as shadow IT. The risk with shadow IT is that it places corporate data outside the protection of the cloud customer's security controls, increasing the risk of a data breach. The cloud customer should perform a diligent analysis of risks that apply to the organization to determine the security controls it needs to implement to mitigate the risks. Risks in a cloud environment will be dependent on the shared responsibility model. We recommend the cloud customer use a cloud-specific framework to assess its risk and required controls. Once such framework is the Cloud Security Alliance Cloud Control Matrix, also known as CCM. Other broad frameworks that cloud customer may use include ISO 27001, NIST 800-53 frameworks amongst others. We will review cloud controls in the next video. In summary, here are the cloud security and audit key points. Number one, is the cloud customer aware of the high-level risks the cloud presents? Secondly, does the cloud customer leverage a risk and control framework to assess risk in the cloud environment? And thirdly, is the cloud customer aware of what laws and regulations are relevant to the jurisdiction where it's cloud systems are hosted?