A decade ago most IT executives were asking whether they could trust the cloud's security. Now many are asking the same question of their on-premises environments.
The shift in attitude regarding cloud security is a testament to a relentless communication campaign by major cloud providers, backed by billions of dollars in investments in security, and spurred on by the knowledge that a successful breach of their cloud environment could be a service-killing event.
That doesn't mean, however, that migrating workloads into the cloud absolves organisations of risk, especially as the shared responsibility model practiced by providers ensures that some risk is always carried by the user.
The rapid growth of cloud environments, and specifically the trend towards using multiple cloud providers, also brings an additional risk through increased complexity, which increases the possibility of misconfigurations, insecure interfaces, and other gaps within the security framework.
Concerns regarding cloud security are fuelling significant spending to remediate the problems. According to Statista, revenue in the cloud security market is projected to reach US$2.31 billion ($3.5 billion) in 2024, and grow to US$8.36 billion ($12.65 billion) by 2028.
One of the key areas for spending is in access control, in the form of cloud access security brokers (CASBs) which sit between cloud services and their users, and enforce access policies for cloud resources and applications, providing visibility, data control and analytics. According to Grand View Research the global CASB market size was valued at US$7 billion ($10.59 billion) in 2022 and is expected to grow at a compound annual rate of 17.8 percent from 2023 to 2030.
Another tool that is gaining favour is cloud workload protection platforms (CWPPs), which continuously monitor for and remove threats from cloud workloads and containers. CWPPs detect cloud workloads and perform assessments, monitor networks, detect issues, and apply security standards, while providing greater visibility into the overall cloud environment.
While technologies for protecting cloud implementations are evolving rapidly, they are only capable of defending against a percentage of the threats they face, with by far the greatest risk – human error – proving to be the hardest to guard against.
Estimates suggest that up to 99 percent of all cloud security failures will be due to some level of human error. This is because most challenges for cloud security arise not from the security of the cloud itself, but from the policies and technologies for controlling and securing the cloud, with most errors arising through people failing to manage these controls properly.
According to Forrester, this is giving rise to significant spending on cloud workload security (CWS), a cloud security and detection and response platform that incorporates cloud security posture management (CSPM) tools and capabilities to help organisations detect and respond to configuration drift in cloud infrastructure.
CSPM aims to automate cloud security management across IaaS, PaaS and SaaS deployments, as well as stretching to private cloud environments, with increasing integration of AI capabilities to automate activities and reduce false positives.
Another significant trend for securing the cloud is for developers to consider security earlier in the development of applications. This has come to be known as ‘shift left security’, which references how security is shifted to an earlier stage of the development process, rather than being undertaken at the end, and is represented in the DevSecOps methodology.
None of these measures are likely to deter cyber criminals, however, for whom the increasing volume of cloud workloads only translates into increasing value when they find their way through cloud security defences.
As a security services provider in its own right, AusCERT has built offerings on cloud or using subservices from SaaS providers. As such, it has a front-row seat to emerging challenges around securing cloud infrastructure and the data held within it.
Cloud has become such a large, fast-moving and broad ecosystem that tooling has become indispensable in staying on top of security, AusCERT director David Stockdale said.
“We can't have eyes on every little thing these days,” he said.
Tooling fills that visibility gap, but so does skills development. “Cloud is such a rapidly moving area that trying to keep up with it requires developers and infrastructure teams to have a lot of new skills to keep up with the proliferation of cloud services and new techniques like CI/CD and automated build pipelines. It is becoming more and more difficult. The faster things get and the more expansive they are, the greater the challenges become for keeping them secure.”
Tied to cloud security is data security - and, in fact, securing the data held in the cloud is as important as, if not more important than, securing the cloud infrastructure.
“I'm a big advocate for the [idea that the] only thing that matters is the data.
“The proliferation of data and the spread of those datasets into different components, whether it's SaaS services or ‘black boxes’ that are working on things that we want them to deliver, makes it even more difficult to really ensure that you've corralled your data into an area that you can keep an eye on.
“I think data classification is extremely important as we try to utilise these cloud-based tools and services as much as possible.” - David Stockdale, CISO, University of Queensland and director, AusCERT
Mobile virtual network operator Amaysim considers itself a “fast adopter” of cloud. While not “born in the cloud”, as may be the case for more recently incorporated entities, the telco services retailer has come to operate “a very broad sprawl of a cloud infrastructure”, IT operations director Peter James told the AWS Summit Sydney.
“We’ve got our share of monoliths running on EC2, we’ve got a bunch of containers, and we’ve got some more modern workloads which are running on CDK [Cloud Development Kit] or serverless as well, and everything in-between.”
While its cloud environment - and the number of applications and workloads hosted there - has grown exponentially, the size of the security team responsible for securing the cloud operations has remained relatively small in comparison. This is particularly challenging due to the rate of change in the environment, which supports “200 production releases a month, give or take”, according to James. “[With that], the attack surface changes massively.”
That has led Amaysim to adopt a new cloud security operational model powered by a Cloud-Native Application Protection Platform - or CNAPP.
Gartner defines CNAPPs as a “unified and tightly integrated set of security and compliance capabilities designed to secure and protect cloud-native applications across development and production.” CNAPPs, it says, “consolidate a large number of previously siloed capabilities, including container scanning, cloud security posture management, infrastructure as code scanning, cloud infrastructure entitlement management, runtime cloud workload protection and runtime vulnerability/configuration scanning.”
Amaysim initially used its CNAPP to streamline cloud infrastructure assessment, locating threats and vulnerabilities from misconfigurations to attacks.
“What we’ve focused on so far, which has been really good, is looking at our production environments and what’s actually running,” James said. The next step is to “introduce tools or processes that will help engineers build more secure software”, enabling the company to improve the security of code in the cloud even further.