|

How to Keep Your Cloud Security ‘Hygienic’

Roughly 80% of all Google Cloud breaches were caused by poor credentials and misconfigurations in the second half of 2024.

Photo of a speaker at Google Cloud Summit
Photo by Raysonho via CC0 1.0

Sign up for smart news, insights, and analysis on the biggest financial stories of the day.

As more enterprises lean on the cloud, security strategies must go beyond just building higher walls. 

Google Cloud’s recent Threat Horizons report found that close to half of all its attacks in the second half of 2024 were related to user credentials. Misconfigurations, or gaps caused by improper set-up of a cloud environment, accounted for more than a third of attacks. 

The amorphous nature of cloud and the constant movement of data, especially as enterprises navigate their hybrid strategies, can make it difficult for these companies to protect their assets by conventional means, said Trevor Morgan, senior vice president of operations at OpenDrives. To put it simply: Building higher walls against the bad guys’ taller ladders isn’t going to cut it anymore. 

“It’s like building a wall, but if everybody’s on the other side of the wall doing stuff, you haven’t really protected anything,” he said. 

Plus, threat actors, armed with AI, are getting smarter, said Morgan. With each phishing attempt or loose end left behind, these actors are able to pick up “microscopic pieces of information” to build profiles that are eventually used for infiltration, he said. And when users start getting “less hygienic” about their passwords and authentication is when things get particularly risky. 

“If they’ve got a piece of information, they can rapidly iterate through these microchanges that many of us do when we’re not being very hygienic, and quickly break that,” said Morgan. 

Misconfigurations, meanwhile, often are the result of IT departments and developers misplacing their trust – or simply not understanding cloud well enough, said Morgan. 

  • For example, if someone develops or tests an application in the cloud, but didn’t properly set up the permissions for who is allowed to access it (or blindly trusted the cloud provider to handle security) that can create a new attack vector. 
  • This can also occur when a developer doesn’t build security into their cloud-developed applications from the start, he said. 

So what can enterprises do to protect themselves? Start by approaching the problem from a cultural perspective, rather than a technical one, said Morgan. Ingraining good security protocols and password habits into a workforce – especially for large enterprises – will take more than just a 15-minute online course. 

It’s also important to be honest about when someone in your organization gets caught in one of these security breaches, said Morgan. For instance, if an executive can fall victim to a phishing attempt, “tell everybody immediately,” he said. “The social engineering part of this is still what gives threat actors an edge. It’s about the awareness, the culture of good data security … and it needs constant reinforcement.” 

As for misconfigurations, it’s important for developers and IT teams to know what they don’t know. Not every developer is a cloud expert, and often, these specialists are “few and far between,” said Morgan. “Cloud needs to be architected by people who truly know it.”

“If you’re going to continue to move data into the cloud, or architect for the cloud, or build applications for the cloud, you need competent security people and cloud people – and preferably, competent cloud security people,” said Morgan.