Managed Cloud Services: Why Holistic Security Should be a Top Priority and What it Really Means
By: UPSTACK, in partnership with Dynascale
A top-of-mind concern
For any business or organization with hybrid or private cloud environments, security is a top concern. Recent surveys have shown that most organizations—94%—are “extremely concerned about cloud security” with misconfiguration and unauthorized access among top worries. It’s no wonder, given constant headlines about data breaches and other security incidents and the associated brand and financial fallout businesses inevitably face as a result.
In recent years, the shift to remote work and a growing reliance on cloud environments and solutions have compounded security challenges. Today, the most pressing cloud security issue is identity and access management (IAM), especially when you consider that 82% of data breaches involve social attacks like phishing and human errors or oversights like weak passwords. Phishing attacks are also trending rapidly upwards (they jumped 61% from May to October 2022) and getting more sophisticated.
Overall, securing cloud environments is easier said than done because they involve complex, distributed architectures that necessitate numerous interconnected services and components. Additionally, the shared responsibility model, where both the cloud provider and the user are responsible for different aspects of security, can create confusion and potential vulnerabilities when not managed effectively.
Ultimately, the key to ensuring security in the cloud is adopting a holistic approach. But what exactly does that entail, and how can small- to mid-sized businesses and organizations with limited budgets and IT resources comprehensively address their security needs? In this article, we:
- Delve into the layered challenges associated with cloud security
- Outline 7 key components of an “ideal state” holistic cloud security approach
- Compare the ideal state with potential costs
- Present the unique approach employed by Dynascale, a cloud solutions provider, to make holistic cloud security more accessible and affordable
Cloud security gaps: seeing the full picture
Identifying security gaps in cloud environments of all sizes is like trying to spot a chameleon hidden in a dense jungle. Just as a keen-eyed observer must know the subtle signs and behaviors of the chameleon to detect it, IT teams need in-depth knowledge, expertise, and vigilance to uncover and address hidden security vulnerabilities within complex hybrid and multicloud landscapes. Sure, turning on multifactor authentication (MFA) is an obvious and crucial step in any cloud environment, but it’s only one small piece of the puzzle.
In the public cloud, security can be confusing. While many cloud providers excel at securing their own infrastructure, they usually take a hands-off approach to individual environments within their cloud. Setting up an account may be simple, but the security of your environments depends on the effort you put into configuring them since virtual machine instances, operating systems, and applications in public cloud remain vulnerable to the same risks as on-premises environments.
For example, with respect to identity management, many people think that simply hosting their Active Directory in a hyperscale environment guarantees a high level of security. In reality, it’s important to take additional steps, such as implementing multifactor authentication, setting up proper access controls, monitoring for suspicious activity and anomalies, monitoring user behavior, patching vulnerabilities, and regularly updating security measures in line with best practices. Default settings may be a good start, but they are insufficient for many types of data and workloads, especially when customer or patient personally identifiable information (PII) is in play.
Even private clouds, while not publicly accessible like major hyperscalers, are not inherently secure. The problem is that by default, private cloud solutions may allow actions that don’t align with your organization’s security objectives. For example, they may rely on excessively permissive access controls or they may not be configured to enforce MFA or log account activity. That’s why, when running private clouds, it’s important for organizations to invest time and resources in implementing holistic security measures, managing access controls, monitoring account activity, and monitoring for vulnerabilities. Staying abreast of the latest threats and security best practices is equally important.
And these are just high-level considerations before jumping into things like establishing a zero-trust architecture, which is a common goal for many organizations but rarely fully realized.
At the end of the day, if you don’t have a team that understands and is actively managing cloud security, regardless of the type of cloud, you likely have a host of exposures. Even the most mature enterprises have room for improvement and can benefit from tailored strategies to enhance their security posture. Just consider that in 2019, millions of user records from the largest social media provider were found on unprotected cloud servers.
It’s true that managed service providers (MSPs) can help address many vulnerabilities that an overstretched or inexperienced team might overlook, but many MSP security approaches also include gaps, including the following:
- The option to select from security technologies that best meet the unique needs of your organization is critical, but not all providers invest in partnerships and certifications for key technologies.
- Fundamental services or capabilities, such as continuous holistic monitoring and a 24/7 SOC team, may come at a premium price or be unavailable.
- Even if they do monitor, incident management services may not be available.
- During security incidents, handoffs between MSPs and incident response team partners can lead to costly snags or delays.
- Licensing costs for specialized security tools can add up fast.
7 Key components of holistic cloud security
Igor Shalkevich, CEO of Dynascale, a cloud MSP, says that cloud security remains a confusing topic because there are so many variables to weigh. “In an ideal world, without budget and skill set constraints, businesses and organizations should consider a host of factors beyond the basic steps of implementing MFA, managing identity, and monitoring for vulnerabilities to better secure their private, hybrid, and multicloud environments,” says Shalkevich. He believes there are 7 ideal-state considerations for achieving holistic cloud security:
1) During onboarding to a new environment, include penetration testing supported by Offensive Security Certified Professionals (OSCPs). While there are a lot of toolsets available for penetration testing, they often require manual intervention and expertise that is best provided by trained experts.
2) Manage multiple environments as one extended network rather than separate entities. Hybrid environments are here to stay in most organizations. Rather than managing the data center and public or private cloud environments separately from a security standpoint, it’s important to use a holistic approach for viewing and protecting your entire network and all environments.
3) Augment human expertise with AI and ML. The current generation of augmented platforms, such as endpoint detection and response (EDR) and extended detection and response (XDR), significantly enhance ease-of-use, increasing accessibility to a broader technical audience. However, it’s important to understand that despite their advanced capabilities, these tools should not be blindly trusted without thorough assessment from human experts. It’s true these tools can reach deterministic results much faster than any person, but are these results relevant, accurate, and expected? Whether you rely on experts from your team or from a professional services organization, their role in vetting results is critical for maintaining a top-tier security posture for your organization.
4) Tap into diverse skill sets to manage your end-to-end cloud environment(s). As your environment grows in complexity, it’s important to have quick access to specialty skills, such as OSCPs and compliance experts to ensure that your environment is as secure and compliant as possible.
5) Ensure you can choose from security tools that best fit/address your specific needs. It’s critical that the cloud providers you rely on can provide whatever security products and solutions you might need, no matter the size of your business.
6) Use a SOC team to continually monitor behavior patterns and data movement 24/7. Alerts can be overwhelming and too easy to ignore for overstretched teams, so when turning to cloud providers it’s well worth looking for options that can provide right-time attention to credible and known threats and important alerts.
7) Think beyond basic compliance considerations. Even if your organization is not in a heavily regulated industry, it’s worth thinking about security from a regulator’s perspective. For example, something as simple as uncontrolled or unmonitored access to a server room or closet could introduce significant vulnerabilities, so it’s important to take a granular look at both sensitive physical and virtual environments and protect them using best practices and KPIs.
Balancing security essentials and budget realities
If you’re thinking that the ideal state sounds prohibitively expensive, you’re mostly right. At least if you pursue it yourself or rely on the services of most cloud and managed service providers. In fact, most providers can’t deliver this comprehensive level of security support. In many cases, they simply don’t have the resources or partnerships themselves. In cases where they offer some of these capabilities or services, they are typically add-on costs that add up fast. For example:
Market rates for vulnerability scanning and internal/external penetration testing prior to a migration can run between $6,000 and $10,000 for a typical small business. Big brands will pay tens of thousands of dollars per instance. It is not unusual for enterprise customers to pay north of $50,000 for an engagement that is a simple point-in-time assessment.
While the costs and challenges of cloud security for small and midsize businesses can clearly add up fast, fortunately there are options that balance out the costs and logistics of a comprehensive approach.
For example, Dynascale adds a modern touch to penetration testing. Many firms primarily aim to capture vulnerabilities at a point in time to fulfill compliance needs. However, given an organization’s attack surface is often in a state of flux, Dynascale believes vulnerability management should be ongoing. In response to the dynamic threat landscape, Dynascale introduced their Recon Red Continuous Vulnerability Managed Service, which provides:
- Monthly vulnerability scans
- Internal and external penetration testing
- Tracking of an organization’s cyber maturity and remediation cycle
For small businesses, this comprehensive service typically costs less than $1,000 per month.