Three winning defence strategies for safeguarding the cloud
By Fortinet
As cloud technologies become integral to digital government strategies in the region, government agencies will need to adopt three key strategies to secure and test cloud operations across the ever-expanding attack surface area, says Jian Hui Hong, Regional Solutions Architect at Fortinet.
Safeguarding the cloud means securing applications at every stage of their lifecycle. Image: Canva
What are the biggest threats for cloud environments in 2023? A report by non-profit organisation Cybersecurity Insiders found that over 750 cybersecurity experts around the world cite cloud misconfiguration as the biggest risk they face, followed by data exfiltration – the intentional leaking of data – and insecure application programming interfaces (APIs).
This is why a comprehensive cybersecurity strategy needs to account for the three key phases of the application lifecycle: application security at the building stage, network security once applications are deployed, and web application security when applications are running online.
Here are three strategies that can defend an application at every stage, says Jian Hui Hong, Regional Solutions Architect at Fortinet, who will be speaking at the upcoming Public Sector Day Singapore.
1. Automate security tests
First, organisations can minimise the risk of misconfigurations and secure applications by introducing and automating security tests at the development stage, shares Hong.
Organisations have been emphasising faster software development and agile methodologies, he explains. This means that developers may be pushing changes to their code several times a day, and may be using open source code without first checking for vulnerabilities.
This haste may not be a bad thing. During Covid-19, countries needed to develop contact tracing applications quickly and share source code to mount a global response to the pandemic, he highlights. But working at this accelerated pace can sometimes lead organisations to treat security as an afterthought, resulting in poorly configured controls and added risk.
Automated security testing can help keep up with the pace of code change today. When security testing is automated, any vulnerabilities can be caught early before they get replicated or propagated within live environments, he says.
“These vulnerabilities must be caught before the code is even pushed out,” says Hong.
Organisations can turn to application security testing tools like FortiDevSec, Fortinet’s SaaS solution, which can seamlessly integrate into the development lifecycle and help developers identify and prioritise the high-risk vulnerabilities to remedy.
2. Maintain a strong network posture
Next, organisations must maintain a strong network posture to protect their cloud environments and monitor where traffic is flowing in and out, says Hong. This can help minimise the risk of data exfiltration to unauthorised devices.
Cloud computing by nature operates out of multiple availability zones, meaning networks across zones need to be tightly monitored. These environments have only become more complex over the years, as agencies embrace multi-cloud and distributed environments which can include edge computing, hybrid work environments, and Internet of Things devices.
This introduces more points of entry and vulnerabilities into the network, he explains, making network security a priority, even on the cloud.
“Almost all CISOs I have spoken with disagree that firewalls are no longer needed on cloud networks, as there is a greater need to inspect incoming and log outgoing traffic,” says Hong.
One way organisations can tackle this is by implementing next-generation firewalls such as Fortinet’s FortiGate, which can flag and block anomalous traffic, such as malware attempting to send data out of the cloud environment. FortiGate can be deployed as a cloud-native solution as well.
Organisations can also segment their workloads to limit access and ensure only the right users have access to the right workloads, he shares. If attackers identify a zero-day vulnerability to exploit, network segmentation can prevent them from traversing the network and contain the damage.
3. Safeguard against web attacks
Finally, organisations need to safeguard against web attacks, he shares. When applications go live, exposure to potentially insecure APIs brings a new set of threats and risks, he explains.
For instance, malicious attackers can use the Internet to target undiscovered vulnerabilities in the software supply chain, he explains. Code will never be bulletproof and organisations need to be prepared for completely unexpected threats.
This is where machine learning that can detect and flag up unusual traffic behaviour plays an important role.
“Is this a new form of attack? Or is this just a malicious user trying to test the limits of my system?” he asks.
Web application firewalls with API protection capabilities like FortiWeb come equipped with machine learning algorithms that can detect and assess the risk of such web traffic, he shares.
To find out more about how to apply and customise defensive strategies in your own cloud environment, register now for the upcoming Public Sector Day Singapore, where Hong will be sharing how government agencies can apply cloud security measures tailored to public sector environments.