Cloud migration has surged in recent years, with an estimated 94% of companies adopting cloud services as of 2022. Predictably, cybercriminals have capitalised on this rapid shift to the cloud, and have turned their attention to finding ways to infiltrate the cyber security defences of cloud service providers.
Unfortunately, as their sensitive data, applications, servers, and other assets are stored off-site in the cloud, companies can’t maintain the same level of visibility over their resources as when they were stored on-premises. Monitoring cloud security metrics is an effective method of tracking and assessing the cyber security posture of your cloud environment.
Let’s look at some of the most important cloud security metrics that your security teams should monitor.
Why do businesses need to measure cloud security metrics?
Here are three key reasons your company should track its cloud security metrics:
- Increased visibility into cloud environment: despite the many benefits of migrating to a cloud environment, companies still face the challenge of maintaining visibility over their cloud-based assets and resources. Security metrics give you critical insight into the security posture of your cloud environments and the efficacy of your security controls.
- Improved insight into potential security threats: cloud security metrics compel companies to keep up to date with current and emerging cyberthreats and to assess whether their present security measures are equipped to mitigate them.
- More effective mitigation of cyber security threats: the combination of increased visibility of the cloud environment and greater awareness of the threats it faces allows security teams to devise better cyber risk KPIs and mitigation strategies. Metrics also give security teams clear indications of which policies and controls they should prioritise.
What are the common cloud security metrics?
Some of the most commonly used cloud security metrics include:
- Traffic volume: rapid increases can point to data exfiltration.
- Requests per minute: sudden increases can potentially signal distributed denial-of-service (DDoS) attacks.
- Failed login attempts: repeated unsuccessful attempts could point to an attacker testing stolen access credentials, e.g., credentials obtained through a phishing scam.
- Session length: extended session lengths, particularly if they deviate from the norm, could indicate a VPN tunnel set up for data transfer.
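As an added illustration that is not part of the original article, the following Python computes these four metrics from constructed sample log lines. The log format, field names and the median/MAD threshold for session length are assumptions made for the example.

```python
from collections import Counter
from statistics import median

# Constructed sample access-log lines for a cloud service (not real data).
SAMPLE_LOG = """\
2024-03-01T10:00:05Z user=alice ip=10.0.0.5 event=login status=fail bytes=0 session=0
2024-03-01T10:00:09Z user=alice ip=10.0.0.5 event=login status=fail bytes=0 session=0
2024-03-01T10:00:14Z user=alice ip=10.0.0.5 event=login status=fail bytes=0 session=0
2024-03-01T10:00:20Z user=alice ip=10.0.0.5 event=login status=ok bytes=0 session=0
2024-03-01T10:01:02Z user=bob ip=10.0.0.7 event=logout status=ok bytes=20480 session=900
2024-03-01T10:01:30Z user=carol ip=10.0.0.9 event=logout status=ok bytes=18000 session=840
2024-03-01T10:02:11Z user=dave ip=10.0.0.3 event=logout status=ok bytes=22000 session=960
2024-03-01T10:02:45Z user=alice ip=10.0.0.5 event=logout status=ok bytes=950000000 session=43200
"""

def parse(log: str) -> list:
    """Turn each 'ts key=value ...' line into a dict; bytes and session become ints."""
    events = []
    for line in log.splitlines():
        ts, *pairs = line.split()
        rec = {"ts": ts, **dict(p.split("=", 1) for p in pairs)}
        rec["bytes"], rec["session"] = int(rec["bytes"]), int(rec["session"])
        events.append(rec)
    return events

def failed_logins(events) -> Counter:
    """Failed login attempts per account; a spike suggests stolen or guessed credentials."""
    return Counter(e["user"] for e in events if e["event"] == "login" and e["status"] == "fail")

def requests_per_minute(events) -> Counter:
    """Request count per minute bucket; a sudden jump is a DDoS indicator."""
    return Counter(e["ts"][:16] for e in events)

def bytes_by_user(events) -> Counter:
    """Traffic volume per account; a large outlier hints at data exfiltration."""
    return sum((Counter({e["user"]: e["bytes"]}) for e in events), Counter())

def anomalous_sessions(events, threshold: float = 3.5) -> list:
    """Sessions whose length deviates from the norm. Uses a median/MAD score rather
    than mean/stdev so that a single very long session cannot mask itself."""
    lengths = [e["session"] for e in events if e["event"] == "logout"]
    if len(lengths) < 3:
        return []
    med = median(lengths)
    mad = median(abs(x - med) for x in lengths)
    if mad == 0:  # all sessions identical; nothing to rank against
        return []
    return [(e["user"], e["session"]) for e in events if e["event"] == "logout"
            and 0.6745 * abs(e["session"] - med) / mad > threshold]
```

With only a handful of sessions, a mean/standard-deviation check could never flag the 12-hour session, because that one value inflates the standard deviation; the median-based score is what makes it stand out.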
7 essential cloud security metrics to measure
Here are some security metrics examples that will help you measure cybersecurity performance and assess the cyber security posture of your cloud environment.
The number of botnet infections on every device
A botnet is a network of malware-infected devices, whether workstations, servers, mobile or IoT devices, that can be remotely controlled collectively by a hacker. Once a device has become part of a botnet, it can carry out distributed denial of service (DDoS) attacks, exfiltrate data, send large amounts of spam messages, and perform other malicious activity. Worse still, this can all occur without the device’s owner knowing they’ve been compromised, i.e., that the device has become a “zombie device” and is part of a botnet.
This cloud security metric allows you to determine whether a botnet has breached your network and what activity it is suspected of, such as installing malware or stealing or compromising data.
The number of SSL certificates
A Secure Sockets Layer (SSL) certificate (in practice, a TLS certificate today) is used to authenticate web servers and create an encrypted session whenever a user accesses a cloud-based application or service. The certificate underpins the encrypted transfer of data to and from the cloud servers, which prevents cybercriminals from intercepting and exfiltrating it in transit.
By monitoring this security metric, you can help determine whether the servers in your cloud environment are adequately secured. Having fewer valid SSL certificates than active servers could indicate that some certificates are invalid or expired, or that a server is misconfigured or compromised. In turn, an invalid certificate or misconfigured server creates a potential vulnerability for a malicious actor to exploit, so tracking this cloud security metric can bring it to your attention faster.
The number of times an employee’s access credentials are re-confirmed
The number of times a user’s access is re-authenticated is an insightful cloud security metric. On one hand, not re-confirming a user’s credentials frequently, as a Zero Trust architecture would, can be a security risk. For instance, a user’s session could be hijacked between re-confirmations, resulting in a cybercriminal infiltrating your network.
On the other hand, if a user’s credentials are re-confirmed too frequently, this could indicate they’re repeatedly trying to access a resource they don’t have access to – which could signal infiltration from a malicious actor or a threat from an insider.
The number of super users
A super user is a user account with privileged access, typically reserved for members of a company’s IT or security teams. The more super users that are active on your network, the greater the chance of your company falling victim to an insider attack. Consequently, the first thing to do to mitigate this threat is to re-evaluate all current super users and determine whether their elevated levels of access are still warranted.
In addition, a sudden increase in the number of super users and/or increased super user account activity could be cause for concern. This could indicate a threat actor infiltrating the system or malicious insider activity.
The number of open ports
While open ports are necessary for cloud-based applications and services to run effectively, they can present a security risk. Firstly, ports that aren’t supposed to be open give cybercriminals a potential backdoor into your cloud ecosystem. Similarly, if the applications or services running on the open ports are misconfigured or unpatched, they also provide malicious actors with vulnerabilities to exploit.
By monitoring the number of open ports in your cloud environment, you can determine whether someone within your company, or a third-party software supplier, is leaving ports open and, as a result, leaving you more susceptible to cyberattacks.
The number of external collaborators
This security metric measures the number of parties outside your company, i.e., suppliers, partners, etc., who have access to data, systems, and other resources. An unexpected spike in the number of external collaborators could indicate a breach by a hacker – or a botnet.
Additionally, it’s vital to ensure that access privileges granted to external collaborators are kept to a necessary minimum.
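To show how the super-user and external-collaborator metrics above can be derived from an identity inventory and compared against a baseline snapshot, here is an added Python example that is not part of the original article. The account fields, the role names treated as privileged, the 90-day idle threshold and the snapshot data are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PRIVILEGED_ROLES = {"Owner", "GlobalAdmin", "SecurityAdmin"}  # assumed role names

@dataclass(frozen=True)
class Account:
    name: str
    roles: frozenset
    external: bool                 # identity belonging to a supplier or partner
    last_priv_use: Optional[date]  # last time a privileged role was actually exercised

def super_users(accounts) -> set:
    return {a.name for a in accounts if a.roles & PRIVILEGED_ROLES}

def external_collaborators(accounts) -> set:
    return {a.name for a in accounts if a.external}

def stale_super_users(accounts, today: date, max_idle_days: int = 90) -> set:
    """Privileged accounts whose elevated access is unused: re-evaluate or remove."""
    cutoff = today - timedelta(days=max_idle_days)
    return {a.name for a in accounts if a.roles & PRIVILEGED_ROLES
            and (a.last_priv_use is None or a.last_priv_use < cutoff)}

def privileged_externals(accounts) -> set:
    """External collaborators holding privileged roles: least-privilege violations."""
    return super_users(accounts) & external_collaborators(accounts)

def drift(baseline, current, max_growth: float = 0.5) -> dict:
    """Compare two inventory snapshots; alert when either count jumps by > max_growth."""
    report = {}
    for label, fn in (("super_users", super_users), ("externals", external_collaborators)):
        before, after = fn(baseline), fn(current)
        report[label] = {"added": after - before, "removed": before - after,
                         "alert": len(after) > (1 + max_growth) * max(len(before), 1)}
    return report

# Constructed snapshots: yesterday's baseline and today's inventory (not real tenants).
AS_OF = date(2024, 3, 1)  # assumed "today" for the stale-access check
BASELINE = [
    Account("alice", frozenset({"GlobalAdmin"}), False, date(2023, 11, 1)),
    Account("bob", frozenset({"Reader"}), False, None),
    Account("vendor1", frozenset({"Reader"}), True, None),
]
TODAY = BASELINE + [
    Account("svc-backup", frozenset({"Owner"}), False, None),
    Account("vendor2", frozenset({"Contributor"}), True, None),
    Account("contractor9", frozenset({"Owner"}), True, date(2024, 3, 1)),
]
```

Running `drift(BASELINE, TODAY)` flags both counts as having jumped, `privileged_externals(TODAY)` surfaces the contractor holding an Owner role, and `stale_super_users(TODAY, AS_OF)` lists the privileged accounts that have not used their access recently.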
Number of high-risk cloud apps
A high-risk cloud app can be defined as software that:
- lacks adequate security policies and controls
- claims ownership of the data it collects and stores
- isn’t compliant with data protection regulations
- is known to have suffered a security breach.
A rapid increase in the number of high-risk cloud apps could indicate a malware infection. Alternatively, a steady rise in the use of high-risk apps could point to a prevalence of shadow IT: the installation and use of applications that haven’t been approved by IT. Although many applications installed by employees may assist them in doing their job, they pose a security risk for your company for one of the reasons mentioned above. Shadow IT applications also pose a security risk because if your security teams don’t know about a software asset, they can’t monitor it – and have no way to prevent cyberattacks against it.
Ways you can help measure the above cloud security metrics
If you’d like more information on measuring your company’s cloud security metrics – or any other aspect of your cyber security, contact RiskXchange. Our free attack surface risk assessment will help to pinpoint your cyber security vulnerabilities and determine which cloud security metrics are most crucial to your company.