Combating Security Risks

Various defenses needed to ensure risks, mitigations are under control

Cloud security is an increasing concern as more organizations transition to use public cloud providers in either a hybrid or cloud-native model. The initial step in any information technology security process where new technology is being implemented is to understand the risks that an organization is incurring.

Consider this information as you explore some of the types of risks associated with the inclusion of a cloud provider service (CPS) as part of a company’s infrastructure.

The following areas are considered among the highest associated with cloud computing (Cloud Security Alliance, 2020): Data breaches; Misconfiguration; Lack of cloud security architecture; Insufficient identity and access management; and Insider threat.

The world is experiencing the widespread impact of the COVID- 19 pandemic. This pandemic is causing disruptions and forcing changes upon businesses and individuals. Thus, changes of this magnitude deserve a re-assessment of an organization’s cybersecurity priorities and approaches.

Data breaches. These have often been high-visibility events reported in the news and causing substantial reputational harm. Beyond major data breaches, even low levels of data leakage can cause severe harm to an organization. This can start with reputational and brand injury; however, it can include loss of intellectual property or legal and regulatory liabilities.

When referring to the cloud, the key issues are whethser appropriate controls are in place. Controls should include robust auditing and reporting tools that can be implemented within the cloud platform. Auditing is important to help identify a breach or potential breach early on, which can dramatically mitigate the harm. This area can be a key deficiency in public cloud platforms where an organization may be relying on the provider to implement appropriate tools, and the organization’s existing toolset cannot operate within the cloud. At a minimum, a deep understanding of the environment and tools will need to be developed and incorporated into an organization’s cloud adoption process.

Another important mitigating technology is encryption and its associated key management service (U.S. NSC, 2020). The use of encryption, along with secure key management processes, can provide an additional layer of protection from a data breach event.

Misconfiguration. This is one of the most common security issues in public cloud environments (U.S. NSC, 2020). Security miscon figurations often lead to data breaches.

There are a few significant reasons why this risk is so prevalent. For one, the cloud platform is new for many organizations. They may lack the immediate knowledge and skills to implement con- figurations that approximate those in their existing environment. Secondly, their existing practices may not be appropriate for the cloud. A third reason is the cloud is more dynamic than existing on premise services. The configuration options and implementation can change, requiring more due diligence.

One powerful tool that can be leveraged to increase configuration consistency is automation. Using provisioning and configuration scripts can reduce the opportunity for misconfiguration and improve the rate of implementation and quality checks. Using automation allows additional review and auditing to reduce errors and improve security. A least-privilege practice is recommended as a baseline.


Organizations often seem to stumble into the cloud without a defined and deliberate approach that provides an opportunity to address the foundations. There are many reasons for this, including time constraints or lack of technical understanding. Organizations that engage in “lift and shift” migrations attempting to apply their existing security practice haphazardly, often encounter difficulties (Cloud Security Alliance, 2020).

Cloud security concerns can be addressed by reviewing organizational security policies as they relate to cloud technology. The policies and principles of the organization should be durable, with the implementation being dependent on what the cloud platform provides. Items such as defense-in-depth, or managing privileged accounts are entirely valid; however, they should be mapped to the specific cloud provider capabilities.


Identity and access management require a specific focus in cloud implementations. The first is addressing risks that occur with a large public-facing front door. In hybrid cloud implementations, identity federation infrastructure can be introduced. This is yet another security technology that needs to be reviewed, implemented and monitored. This requires new maintenance operating procedures and role identification. Cloud services may introduce new highprivileged accounts that need to be managed, such as a “subscription manager.” Password complexity needs to be defined, as well.

If an organization is using role-based access, what new roles are required? How will these new roles be managed? In the past, rolebased access had a significant impact on security because of miscon figuration issues. The results of a credential being compromised in the cloud could result in the exposure of information inside the organization’s existing perimeter.

Risks of compromised identities can be reduced by using multifactor identity solutions. Password policies, where applicable, should follow the existing internal standards. Federation and identity solutions should avoid storing or transmitting passwords that are not securely hashed or secured in another manner. Separation of duties can be a significant defensive approach, too. Application developers should not implement their credential stores, which could introduce new ways for credentials to be compromised.


Unlike external threats, insiders do not need to break into an organization’s computer systems. They already have some level of trusted access. Most unwelcome insider risks are due to negligence rather than malicious intent (Cloud Security Alliance, 2020). Insiders can compromise intellectual property, sensitive data, or compromise additional credentials. In some circumstances, there is a data breach; in others, it would be described as “data leakage.” As with any data breach, the organization’s reputation and brand are at stake. Negligence or lack of training can result in a significant negative impact.

The best mitigation for insider threats is the implementation of good role separation, security monitoring and auditing. Additionally, annual security training and education that includes policy, as well as technical material, is essential. Reviewing access and privileges regularly to maintain a least-privilege posture is important.


There has been a dramatic increase in cyber scams and attacks since the COVID-19 pandemic began (Gallagher, 2020). There has also been an increase in spam and phishing attacks that use COVID-19 in their approach, as well. Many of these are being used to spread malware. Most organizations have existing security protections in place against these types of attacks. Still, to be most effective, security personnel should update spam filters, anti-virus signatures, message hygiene solutions and educate their population about these current risks.

The cloud can provide benefits for organizations adapting to the new COVID-19 requirements. For example, it provides a mechanism to increase capacity rapidly. Systems residents in the cloud do not require local operations for maintenance. This removes some planning and logistical challenges. The trade-off is to ensure your cloud service providers have an effective plan for maintaining their operations during the COVID-19 period (Bridgwater, 2020). Since COVID-19 has forced organizations to embrace remote work, the cloud can be an effective platform to ensure business continuity during a global pandemic (Krill, 2020).

With this in mind, the most direct security threat today is how the edge has shifted from inside the organization’s network perimeter into each worker’s household. This threat includes using workstations or mobile devices that are no longer under the enterprise’s direct control.

Employees are accessing and potentially storing the organization’s data. In fact, to help facilitate work-from-home scenarios, some organizations might be forced to migrate systems and data to the cloud that were previously accessible only within the organization perimeter. Applications and services that never contemplated this type of remote access might have exposures (SC Media, 2020). These potential exposures need to be evaluated before hastily migrating to the cloud.

Mitigation risk begins with the acknowledgement of the basics of protecting data in transit and protecting data at rest. Virtual private network technologies or other encrypted communications are essential to protect in-transit information. The use of encryption technologies, along with well-written and enforceable security policies, can be used to protect data residing on devices outside the boundaries of the organization. The use of network access control solutions can further protect an organization from compromised end devices.

These will be trying times for organizations and cybersecurity is more important than ever.

Cloud security risks look like the challenges that IT security professionals have dealt with since the days of big iron. Changing one’s technology platform to the cloud requires a new set of tools to address these longstanding challenges.

There are unique risks, but the most prominent are those that have always perplexed CSOs and administrators: secure the organization’s data, reduce misconfiguration, systematically implement security, manage identities and access, and defend against the negligent or malicious insider.

This article originally appeared in the July / August 2020 issue of Security Today.


  • 12 Commercial Crime Sites to Do Your Research

    12 Commercial Crime Sites to Do Your Research

    Understanding crime statistics in your industry and area is crucial for making important decisions about your security budget. With so much information out there, how can you know which statistics to trust? Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX
  • People Say the Funniest Things

    People Say the Funniest Things

    By all accounts, GSX version 2023 was completely successful. Apparently, there were plenty of mix-ups with the airlines and getting aircraft from the East Coast into Big D. I am all ears when I am in a gathering of people. You never know when a nugget of information might flip out. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity


New Products

  • XS4 Original+

    XS4 Original+

    The SALTO XS4 Original+ design is based on the same proven housing and mechanical mechanisms of the XS4 Original. The XS4 Original+, however, is embedded with SALTO’s BLUEnet real-time functionality and SVN-Flex capability that enables SALTO stand-alone smart XS4 Original+ locks to update user credentials directly at the door. Compatible with the array of SALTO platform solutions including SALTO Space data-on-card, SALTO KS Keys as a Service cloud-based access solution, and SALTO’s JustIn Mobile technology for digital keys. The XS4 Original+ also includes RFID Mifare DESFire, Bluetooth LE and NFC technology functionality. 3

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation. 3

  • Mobile Safe Shield

    Mobile Safe Shield

    SafeWood Designs, Inc., a manufacturer of patented bullet resistant products, is excited to announce the launch of the Mobile Safe Shield. The Mobile Safe Shield is a moveable bullet resistant shield that provides protection in the event of an assailant and supplies cover in the event of an active shooter. With a heavy-duty steel frame, quality castor wheels, and bullet resistant core, the Mobile Safe Shield is a perfect addition to any guard station, security desks, courthouses, police stations, schools, office spaces and more. The Mobile Safe Shield is incredibly customizable. Bullet resistant materials are available in UL 752 Levels 1 through 8 and include glass, white board, tack board, veneer, and plastic laminate. Flexibility in bullet resistant materials allows for the Mobile Safe Shield to blend more with current interior décor for a seamless design aesthetic. Optional custom paint colors are also available for the steel frame. 3