Cloud Compliance and Security: The Truth Behind 5 Cloud Computing Myths

Cloud computing myths have occupied the IT world since the cloud became a viable infrastructure hosting option a decade and a half ago. Those of us who worked in IT at the time remember the many misconceptions about what the cloud was and whether it was possible to host business-critical services in the cloud while maintaining security and regulatory compliance. 

The IT industry and the cloud have evolved beyond all recognition since those early days, and few people today doubt the value and power of the cloud computing model. In 2022, 67% of enterprise infrastructure and 83% of business workloads are hosted on a cloud platform.

Yet cloud myths persist, particularly cloud security myths, although their nature has evolved along with the cloud. In the past, cloud security myths were unduly pessimistic. Today, they are just as likely to be unduly optimistic about cloud security and compliance. 

Myth 1: Cloud Platforms Are Insecure

This is the original cloud security myth, founded on the belief that businesses can’t trust infrastructure they don’t control. However, if we look at the pattern of security incidents involving cloud platforms, it becomes clear that they are rarely caused by vulnerabilities in the platform itself. They are almost always the result of cloud users’ misconfigurations and mistakes; 70% of cloud security challenges arise from configuration errors.

Myth 2: Vendors Take Care of Cloud Security

The opposite of our first cloud security myth is the mistaken belief that the cloud is inherently secure. Believers operate under the misconception that hosting software and data in the cloud is a shortcut to improved security. In reality, all cloud providers use a shared responsibility model for security. 

The provider takes responsibility for some security aspects—the physical infrastructure at a minimum, but often other aspects depending on the service. The user is then responsible for using those services securely. For example, attaching an unencrypted AWS Elastic Block Store (EBS) volume to an EC2 instance creates a potential data leak vulnerability. Amazon provides secure encrypted block storage, but it won’t stop the user from deploying an insecure configuration. 

Cloud users must understand which security aspects they are responsible for and how to configure their cloud environment to meet security and compliance requirements. If you’re worried that your business has cloud misconfigurations, consider a cloud security configuration assessment.

Myth 3: Compliant Services Guarantee Regulatory Compliance

Many cloud providers advertise that their services are compliant with information security regulations. For example, Amazon’s S3 storage service is certified compliant with SOC, PCI DSS, HIPAA, and other regulatory standards. But what does that mean? Most importantly, it doesn’t mean that an S3-based data storage system automatically complies with those standards. 

This is something cloud vendors go to some lengths to communicate. For example, Amazon’s PCI DSS compliance documentation states that “AWS establishes itself as a PCI DSS Service Provider to enable, upon further configuration, the compliance of our customers.” The “upon further configuration” part is critical. S3’s PCI compliance means it can be used as part of a PCI-compliant system, but it needs to be configured correctly to do so. A simple configuration error may render any system built on S3 non-compliant, and it’s the user’s responsibility to make sure that doesn’t happen. 

Myth 4: Bad Actors Don’t Target the Cloud

It might be tempting to think that moving to a cloud platform will solve your business’s security problems. You’re at the end of your tether with the constant bombardment of malware, ransomware, phishing attacks, and bad bots. You want a secure infrastructure solution that is immune to the attention of cybercriminals. But the cloud can’t give you what you are looking for. Many of the biggest security breaches and data leaks of the last few years happened on the cloud. 

Criminals go where the data is, and they have become skilled at exploiting cloud vulnerabilities. As we established earlier in this article, most of those vulnerabilities are caused by cloud user mistakes. Does that mean cloud platforms can’t help you solve your security and compliance issues? In fact, they can, but you may need the help of an experienced cloud expert. 

Myth 5: You Don’t Need a Cloud Security Audit

A cloud security audit based on the Center for Internet Security (CIS) Benchmarks will help your business avoid the security and compliance risks we’ve highlighted in this article. Experienced information security experts will examine your AWS, Microsoft Azure, or Google Cloud Platform environment for configuration mistakes, security vulnerabilities, and data breach risks. An audit ensures you have the information to operate a secure and compliant cloud environment. To learn more, contact a cloud security specialist at KirkpatrickPrice today.

5 Reasons to Migrate Your Data Center to the Cloud

Have you considered moving your business’s data center to the cloud? The proportion of businesses operating an in-house data center declined over the last decade. Many—from small companies to multinational corporations—migrated their workloads to the cloud. Estimates suggest that about a third of businesses run more than 50% of their workloads in the cloud, and the majority run at least some workloads on cloud platforms such as Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), or their competitors.

Within this article, we will explore why businesses migrate their data center to the cloud and how it may be the right decision for your business’s long-term technology strategy.

Data Centers vs. The Cloud

Before cloud computing, there were several options for hosting technology infrastructure. A large company might invest in building, equipping, and staffing a data center. Smaller companies may instead use an on-site server room or server cupboard. Alternatively, businesses could buy server hardware and colocate it in a data center managed by a third party.

Over the years, many different data center hosting models developed. Still, they were similar in one way: the user paid for and managed physical infrastructure housed in a data center facility.

In contrast, “cloud” is a broad term for compute, storage, and software services that do not require users to manage or interact with physical hardware, which is managed by the vendor and resides in their data centers. 

Cloud services are typically divided into three main categories:

  • Infrastructure as a Service (IaaS) provides virtual servers, networks, and other infrastructure on which users can host their software.
  • Platform as a Service (PaaS) provides higher-level services for hosting websites and applications. PaaS platforms simplify IT management by combining compute, storage, networking, and related software services into a single platform.
  • Software as a Service (SaaS) provides software hosted on the operator’s infrastructure and accessed by the user over the internet.

Today, there are many additional “X as a Service” cloud modalities that reflect the diversity of products offered via the cloud model. For example, Database as a Service, Disaster Recovery as a Service, Desktop as a Service, and others.

Cloud Migration Benefits

We’ve discussed the differences between cloud and non-cloud infrastructure hosting, but why have so many businesses chosen to migrate their data center to a cloud platform? Let’s explore five benefits that make the cloud an attractive proposition.

Scalability and Elasticity

Scaling is among the most challenging aspects of managing a data center. Infrastructure requirements change over time, but they rarely grow smoothly and predictably, often fluctuating by season or time of day. Traffic spikes may demand resources many times the average, and your data center must cope. That means investing in servers and network infrastructure that will be idle for most of its life.

In contrast, cloud infrastructure scales with demand. A cloud platform’s virtual infrastructure is built on a large pool of computational resources—the physical infrastructure the platform vendor is responsible for. Cloud users can take advantage of as much or as little of that pool as they need. Instead of researching, buying, configuring, and maintaining physical servers in their data center, a cloud user simply deploys more virtual resources—a process that can be automated.

Elasticity is a consequence of the cloud’s ability to scale quickly. An elastic infrastructure deployment can grow or shrink in line with user demand. There’s no need to deploy idle infrastructure in anticipation of traffic spikes. Businesses can instead adjust cloud deployments to match current requirements.

Reduced IT Costs

We have already hinted at one way migrating to the cloud reduces IT costs. The cloud’s scalability allows businesses to adjust deployed resources to match demand. Unlike a physical data center, cloud platforms operate with on-demand pricing: users pay for the resources they consume after they are used. In contrast, data centers require significant upfront investments based on uncertain predictions about future resource requirements.

Other ways migrating to the cloud can reduce IT spending include:

  • Lower staffing requirements for equipment maintenance.
  • Reduced real estate spending compared to owned data centers.
  • Reduction of capital expenses and the transfer of IT capital expenditure to operational budgets.
  • Economies of scale through sharing physical hardware with multiple users.

Although cost savings are a benefit of cloud platforms, it should be pointed out that businesses may fail to save money in the cloud. If cloud environments are improperly managed and monitored, companies may pay far more than anticipated. This is particularly true for businesses that lack experience in managing cloud infrastructure.

Enhanced Business Agility

Extended lead times are expected when deploying hardware in a self-managed or colocated data center. It’s not unusual for lead times to stretch to months once research, acquisition, shipping, deployment, and configuration are accounted for.

Cloud platforms, in contrast, allow businesses to deploy new infrastructure in minutes, as we’ve already mentioned. But building on that advantage is the ability to automate cloud deployment and configuration. The programmability of cloud platforms empowers businesses to build continuous integration and deployment pipelines that allow developers to iterate on code and push new features into production with minimal delay.

Reduced Infrastructure Management Burden

While every company needs IT infrastructure, it rarely makes sense for businesses to own and manage a data center. Managing data centers, servers, and networks is complex, expensive, and time-consuming. But it is not in itself a revenue-generating activity. Migrating to a cloud platform allows companies to focus on the applications and services that support their operations while leveraging a cloud vendor’s greater data center resources, expertise, and experience.

Improved Security and Compliance

Migrating to the cloud outsources some security issues to the cloud vendor. For example, when you deploy a virtual server on EC2—AWS’s IaaS service—you don’t have to worry about securing the underlying physical servers and networks. Amazon takes care of it. Additionally, all the major cloud platforms offer world-class security tools and services, such as firewalls, network monitoring and alerting, encryption, secret management, and more.

Cloud platforms can also help businesses comply with information security and privacy regulations. AWS, Microsoft Azure, GCP, and other cloud vendors implement compliance programs that support compliant infrastructure environments.

However, cloud vendors operate a shared responsibility model. The vendor has some security and compliance responsibilities, but so does the user. As we’ve previously written, many of the most common cloud security vulnerabilities result from user error and misconfiguration.

Continuing the EC2 example above, AWS protects the hardware a virtual server runs on, but it does nothing to stop a user from installing insecure software or running SSH with the root user’s password set to “pa55word.” Consequently, although EC2 can be HIPAA-compliant, that doesn’t prevent users from making mistakes that result in HIPAA breaches.

KirkpatrickPrice Helps Companies Stay Secure and Compliant in the Cloud

KirkpatrickPrice is a licensed CPA firm specializing in information and cloud security. Our cloud security audits and compliance audits help businesses verify and demonstrate their security and compliance. To learn more, contact a cloud security and compliance specialist or visit our cloud security resources.

5 Cloud Migration Benefits in 2022

Cloud platforms are popular, but they aren’t yet ubiquitous. Six out of ten businesses have conducted a cloud migration, but that implies four out of ten haven’t. If your business hasn’t made the leap to cloud infrastructure, you may be wondering what all the fuss is about. In this article, we explore five reasons you may want to reconsider moving some of your workloads to a cloud platform like AWS or Microsoft Azure.

What is Cloud Migration?

Cloud migration is the process of moving data, applications, and computational workloads into the cloud. Because the cloud takes many forms, cloud migration takes many forms too. The classic cloud migration involves moving an application hosted on a physical server to a virtual server hosted in the cloud. But cloud migration may also involve breaking an application into components distributed across multiple cloud services, including database services, storage services, and Platform-as-a-Service (PaaS).

A business may also choose to migrate only part of an application or workload. For example, they may migrate data storage to a cloud platform while hosting the application’s code in their data center. Or they may use on-premises infrastructure as a primary site while leveraging the cloud as a disaster recovery or “cloudburst” location. The combination of on-premises hosting with cloud hosting is often called a hybrid cloud environment. 

Three Cloud Migration Strategies

As we’ve seen, cloud migration isn’t a simple matter, but application cloud migration strategies can be broken down into three broad categories. 

Lift and Shift

Lift-and-shift, also known as rehosting, is the simplest cloud migration strategy. An application is transferred in its current form from on-premises servers to virtual servers running in the cloud. Lift-and-shift migrations involve minimal changes to the application because Infrastructure-as-a-Service platforms such as AWS EC2 or Azure Virtual Machine provide server environments that are essentially identical to physical servers from the application’s perspective. 

Lift-and-shift migrations are faster, simpler, and less expensive than other types of migration. However, they may not take full advantage of the cloud platform’s capabilities. Additionally, businesses should consider the security and compliance implications of even a simple rehosting project. Virtual servers appear similar to physical servers, but moving to an unfamiliar cloud environment may introduce security and privacy risks that a business is not well-equipped to predict or mitigate. 


Rearchitect

Rearchitecting transforms an application’s design to take advantage of cloud platform features. A monolithic application might be rearchitected as microservices hosted on containers. Or the application might be modified to work with a managed database platform instead of a self-hosted database. 

The extent and complexity of rearchitecting projects depend on the business’s objectives and often on cost considerations, but all rearchitecting projects must pay careful attention to the security and privacy implications of any changes. 


Rebuild or Replace

In the most radical cloud migrations, an application is rebuilt or replaced in its entirety. Instead of moving code and data to the cloud, similar functionality tailored for the cloud is built from the ground up. Businesses may take this route to leave behind a legacy application judged unsuitable for the cloud or to embrace new technologies and platforms. Rebuilding provides a cloud-native application, but it is the most complex and expensive cloud migration option. 

5 Benefits of Cloud Migration

We’ve looked at what cloud migration is and the migration strategies businesses use to achieve their objectives, but why do they choose to migrate to the cloud in the first place? 

Improved Infrastructure Security and Compliance

Cloud migration alleviates businesses’ need to manage some aspects of infrastructure security. For example, the cloud provider manages physical and some network security. It also provides tooling that helps businesses to monitor and secure their infrastructure. 

However, it’s important to emphasize that cloud security is a shared concern. Although the provider is responsible for some aspects of infrastructure security, the user must ensure they configure and manage cloud services according to cloud security best practices. A significant percentage of cloud security incidents result from improper configuration, as we’ve discussed in previous articles.

Reduced Infrastructure Cost

Cloud platforms can be less expensive than on-premises or colocated infrastructure if managed correctly. Cloud environments grow and shrink in line with the user’s requirements. For example, AWS EC2 instances scale up and down, and businesses can choose from many different configurations depending on their need. Additionally, cloud infrastructure does not require significant up-front investment; users pay only for the infrastructure they use, as they use it. 

As with the security benefits of cloud migration, businesses must follow cloud best practices to realize potential cost savings. Cloud users may spend more than they expect if they do not monitor and control their environment to avoid wasted resources. 

Enhanced Scalability

Scaling on-premises infrastructure is often complex and expensive. Scaling in the cloud is more straightforward. As we have already mentioned, most cloud services grow and shrink in line with the users’ needs. For example, cloud block storage services provide an almost infinite amount of data storage, and businesses don’t have to manage physical storage devices. 

Scalability is one reason businesses opt to rearchitect applications when migrating. Breaking an app into smaller services allows each component to be scaled and replicated independently, which may not be possible with a monolithic application. 

Increased Business Agility

The flexibility of cloud platforms allows businesses to respond to evolving customer and market demands. They can deploy and scale infrastructure quickly. Larger cloud platforms provide an array of managed services that make it easier to deploy new features. Furthermore, cloud platforms encourage a DevOps approach to application development, allowing businesses to quickly develop and deploy new features. 

Simplified IT Management

Cloud infrastructure can be managed in a web interface or scripted via an API. Modern cloud management interfaces provide a vast array of features that allow businesses to monitor, configure, and adapt every aspect of their environment. 

As with the other benefits we’ve looked at here, there are potential drawbacks where cloud management is concerned. Cloud management is simpler if your business is familiar with the platform and its intricacies. If not, cloud management can be confusing, and, in the worst cases, a lack of expertise leads to cost, security, and compliance issues. 

Verify Your Cloud Migration Security with KirkpatrickPrice

Cloud migration may create significant new security and compliance risks, especially for businesses unfamiliar with the platform. A cloud security audit verifies and tests the controls your company has in place on AWS, Azure, or GCP. Visit the KirkpatrickPrice AWS Security Scanner or contact a cloud security specialist to learn more about cloud security audits.

Best Practices for Using AWS CloudTrail

Every user action can and should be tracked. On cloud platforms like AWS, user actions and service events pass through the platform’s management interfaces, whether the web console or the API, so most things that happen in your cloud environment can be logged. 

The transparency provided by comprehensive logging is one of the cloud’s most consequential security and compliance benefits. Logs give you a record of who did what and when, so you can track access and user actions and identify potential errors. Businesses that use AWS must also understand how to leverage the platform’s tools to achieve the visibility they need to improve security, compliance, and governance through logging. AWS CloudTrail is one of the foremost logging tools offered today to help you achieve that visibility. 

What Is AWS CloudTrail?

AWS CloudTrail is a logging service that records account activity across your AWS environment. When users, roles, or services carry out an action, it is recorded as a CloudTrail event. You can view events in the CloudTrail console’s event history interface, and, by default, CloudTrail retains logs for the last 90 days. 

AWS CloudTrail Best Practices

As with all AWS services, users must configure AWS CloudTrail correctly to leverage its security, governance, and compliance capabilities. The best practice tips below will allow you to optimize your use of AWS CloudTrail.

Create a Trail

While CloudTrail provides some useful logging capabilities out of the box, creating a trail makes the service far more capable, comprehensive, and configurable. A trail lets you specify which resources and events are recorded and where the resulting log files are delivered: an Amazon S3 bucket that you specify. CloudTrail stores each event as a JSON object with information such as the time at which the event occurred, who made the request, the resources that were affected, and more.

This is particularly important for companies that require a permanent, long-term record of cloud activity for compliance purposes. Without a trail, CloudTrail deletes logs after 90 days. 

Enable CloudTrail in All Regions

Unless a trail is intended to focus exclusively on a specific region, you should enable CloudTrail logging for all regions. Enabling CloudTrail for all regions maximizes insight into activity on your AWS environment and ensures that issues don’t go unnoticed because they occur in an unlogged region. 

Ensure CloudTrail Is Integrated With CloudWatch

CloudTrail is most useful if it is integrated with AWS CloudWatch. While CloudTrail generates and stores comprehensive logs, they aren’t actionable unless they are available to users in a form that is easy to interpret and analyze. That’s CloudWatch’s primary role; it allows users to visualize and analyze logs and provides sophisticated alerting and automation capabilities based on logged events. 

Store CloudTrail Logs in a Dedicated S3 Bucket

CloudTrail stores trails in an S3 bucket. As we’ll see in a moment, it’s essential to control access to this bucket because it contains information that could be useful to a malicious actor. Implementing an effective access policy for CloudTrail logs is easier if they are stored in a dedicated bucket used only for that purpose. 

Enable Logging on the CloudTrail S3 Bucket

Amazon S3’s server access logs record bucket access requests, helping administrators to understand who has accessed CloudTrail logs, information that may be useful during compliance audits, risk assessments, and security incident analysis. We recommend configuring the CloudTrail S3 bucket to generate server access logs and store them in a different bucket, which also has secure access controls. 

Configure Least Privileged Access to CloudTrail Logs

As we have discussed in previous articles on AWS security, S3 buckets are often misconfigured so that their contents are publicly accessible. Exposing sensitive log data in this way creates a critical vulnerability. S3 buckets that store CloudTrail logs should not be publicly accessible. Only AWS account users who have a well-defined reason to view logs should be given access to the bucket, and access permissions should be reviewed regularly. 

Encrypt CloudTrail Logs With KMS CMKs

CloudTrail logs are encrypted by default using S3-managed encryption keys (SSE-S3). To gain greater control over log security, you can instead encrypt them with customer master keys (CMKs) managed in AWS Key Management Service (KMS).

There are several benefits to using CMKs instead of S3’s default server-side encryption. CMKs are under your control, so you can rotate and disable them. Additionally, CMK use can be logged by CloudTrail, providing a record of who used the keys and when they used them. 

Use CloudTrail Log File Integrity Validation

AWS CloudTrail logs play an essential role in the security and compliance of your AWS environment. As such, you must be able to determine the integrity of log files. If a bad actor gains access to AWS resources, they may delete or edit logs to obscure their presence. CloudTrail log file validation generates a digital signature of log files uploaded to your S3 bucket. The signature digest files can be used to verify that logs have not been edited or otherwise tampered with. 
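The “Create a Trail” section above describes each CloudTrail event as a JSON object recording when something happened, who requested it, and what was affected. The detection logic below, an added example that is not code from the original article or from AWS, parses a log file in that format and flags the calls an intruder would make to blind the trail: stopping or deleting the trail, and changing the policy or lifecycle of the bucket that holds the logs. The record layout follows the public CloudTrail event format; the sample records, the account id 111122223333, the bucket name, and the ARNs are constructed.

```python
"""Flag CloudTrail records that weaken or remove the audit trail.

Added example, not code from the original article or from AWS. A CloudTrail
log file delivered to S3 is a JSON object whose "Records" list holds one
event per API call. All sample values below are constructed.
"""
import json

# Trail-management calls a defender wants alerted on (for example through a
# CloudWatch Logs metric filter and alarm on the trail's log group).
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail",
                       "PutEventSelectors"}
# S3 calls that matter when they target the bucket holding the trail's logs.
LOG_BUCKET_EVENTS = {"PutBucketPolicy", "PutBucketAcl", "DeleteBucket",
                     "PutBucketLifecycle", "PutBucketLifecycleConfiguration",
                     "DeleteBucketPublicAccessBlock", "DeleteObject"}


def parse_records(log_file_text):
    """Parse one CloudTrail log file into its list of event records."""
    return json.loads(log_file_text).get("Records", [])


def find_trail_tampering(records, log_bucket):
    """Return (eventTime, eventName, actor ARN, target) for suspicious calls."""
    findings = []
    for rec in records:
        source = rec.get("eventSource", "")
        name = rec.get("eventName", "")
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        params = rec.get("requestParameters") or {}  # may be null in real records
        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
            findings.append((rec["eventTime"], name, actor, params.get("name")))
        elif (source == "s3.amazonaws.com" and name in LOG_BUCKET_EVENTS
              and params.get("bucketName") == log_bucket):
            findings.append((rec["eventTime"], name, actor, log_bucket))
    return findings


LOG_BUCKET = "example-cloudtrail-logs"  # constructed bucket name

# Constructed log file: two trail-tampering calls, one policy change on the
# log bucket, and two benign calls that must not be flagged.
SAMPLE_LOG_FILE = json.dumps({"Records": [
    {"eventVersion": "1.08", "eventTime": "2022-06-01T10:00:00Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventVersion": "1.08", "eventTime": "2022-06-01T10:01:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob"},
     "requestParameters": {"bucketName": LOG_BUCKET}},
    {"eventVersion": "1.08", "eventTime": "2022-06-01T10:02:00Z",
     "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"bucketName": "example-website-assets"}},
    {"eventVersion": "1.08", "eventTime": "2022-06-01T10:03:00Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": None},
    {"eventVersion": "1.08", "eventTime": "2022-06-01T10:04:00Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "DeleteTrail",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/Admin/session"},
     "requestParameters": {"name": "main"}},
]})

if __name__ == "__main__":
    for finding in find_trail_tampering(parse_records(SAMPLE_LOG_FILE), LOG_BUCKET):
        print(*finding)
```

The S3 branch is keyed on the bucket name so that routine policy changes on unrelated buckets stay quiet; the same three event names are what you would put in a CloudWatch metric filter once the trail is delivered to CloudWatch Logs.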

Define a Retention Policy for Logs Stored in S3

Log files that CloudTrail delivers to S3 are stored indefinitely, which may be the right approach for your business. However, if you have different compliance or administrative requirements, you can set a retention policy using S3’s object lifecycle management rules. Lifecycle rules can archive log files to an alternative storage service, such as Amazon Glacier, or automatically delete them once they exceed the required retention period. 
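The practices above (create a trail, cover all regions, deliver to CloudWatch, use a dedicated and access-logged bucket, block public access, encrypt with a KMS CMK, enable log file validation, define retention) can be checked mechanically. The checker below is an added example, not code from the original article or from AWS: it takes the trail description and status in the shape boto3’s cloudtrail.describe_trails() and get_trail_status() return, plus a constructed summary of the log bucket’s logging, public access block, and lifecycle settings, and returns one finding per failed practice. The account id 111122223333, ARNs, and bucket names are made up, and the `other_workloads_use_bucket` flag is an assumption standing in for an inventory of what else is stored there.

```python
"""Check a CloudTrail trail and its log bucket against the practices above.

Added example, not code from the original article or from AWS. `trail` and
`status` use the field names returned by boto3's cloudtrail.describe_trails()
and get_trail_status(); `bucket` is a constructed summary of the bucket's
server access logging, public access block and lifecycle configuration.
All ids, ARNs and names are made up.
"""

PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")


def audit_trail(trail, status, bucket):
    """Return (check, message) pairs for every practice the trail fails."""
    findings = []
    if not status.get("IsLogging"):
        findings.append(("logging", "trail exists but logging is stopped"))
    if not trail.get("IsMultiRegionTrail"):
        findings.append(("all-regions", "single-region trail; enable all regions"))
    if not trail.get("IncludeGlobalServiceEvents"):
        findings.append(("global-events", "IAM/STS global service events not recorded"))
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append(("cloudwatch", "trail not delivered to a CloudWatch Logs group"))
    if not trail.get("KmsKeyId"):
        findings.append(("kms", "log files use SSE-S3 keys; use a KMS CMK"))
    if not trail.get("LogFileValidationEnabled"):
        findings.append(("validation", "log file integrity validation disabled"))
    # Bucket-level checks
    if bucket.get("other_workloads_use_bucket"):
        findings.append(("dedicated-bucket", "log bucket shared with other data"))
    target = bucket.get("server_access_logging_target")
    if not target:
        findings.append(("bucket-logging", "log bucket has no server access logging"))
    elif target == trail.get("S3BucketName"):
        findings.append(("bucket-logging", "server access logs land in the same bucket"))
    pab = bucket.get("public_access_block") or {}
    missing = [flag for flag in PUBLIC_ACCESS_FLAGS if not pab.get(flag)]
    if missing:
        findings.append(("public-access",
                         "block public access incomplete: " + ", ".join(missing)))
    if not bucket.get("lifecycle_rules"):
        findings.append(("retention",
                         "no lifecycle rule; confirm indefinite retention is intended"))
    return findings


# Constructed "weak" configuration: a single-region trail with defaults left
# in place, writing into a bucket that also holds application assets.
WEAK_TRAIL = {"Name": "main", "S3BucketName": "example-app-assets",
              "IsMultiRegionTrail": False, "IncludeGlobalServiceEvents": False,
              "LogFileValidationEnabled": False}
WEAK_STATUS = {"IsLogging": True}
WEAK_BUCKET = {"other_workloads_use_bucket": True,
               "server_access_logging_target": None,
               "public_access_block": {}, "lifecycle_rules": []}

# Constructed hardened configuration following every practice in the article.
HARDENED_TRAIL = {
    "Name": "org-trail", "S3BucketName": "example-cloudtrail-logs",
    "IsMultiRegionTrail": True, "IncludeGlobalServiceEvents": True,
    "LogFileValidationEnabled": True,
    "CloudWatchLogsLogGroupArn":
        "arn:aws:logs:us-east-1:111122223333:log-group:cloudtrail-example:*",
    "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
}
HARDENED_STATUS = {"IsLogging": True}
HARDENED_BUCKET = {
    "other_workloads_use_bucket": False,
    "server_access_logging_target": "example-s3-access-logs",
    "public_access_block": {flag: True for flag in PUBLIC_ACCESS_FLAGS},
    "lifecycle_rules": [{"ID": "archive-then-expire",
                         "Transitions": [{"Days": 90, "StorageClass": "GLACIER"}],
                         "Expiration": {"Days": 2555}}],
}

if __name__ == "__main__":
    for check, message in audit_trail(WEAK_TRAIL, WEAK_STATUS, WEAK_BUCKET):
        print(f"[{check}] {message}")
    print("hardened findings:", audit_trail(HARDENED_TRAIL, HARDENED_STATUS, HARDENED_BUCKET))
```

The retention check only asks you to confirm the choice: the article notes indefinite retention may be correct, so a missing lifecycle rule is a prompt to review rather than an outright failure.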

Are Your Business’s AWS CloudTrail Logs Secure and Compliant?

As a licensed CPA firm specializing in information security auditing and consulting, KirkpatrickPrice can help your business verify its cloud configurations, including CloudTrail configurations, through the following services: 

  • AWS Security Scanner: an automated cloud security tool that performs over 50 checks on your AWS environment, including controls related to AWS CloudTrail security.
  • Cloud security assessments: expert assessments to verify your cloud environment is configured securely. 
  • Cloud security audits: Comprehensive cloud audits that test your AWS, GCP, or Azure environment against a framework based on the Center for Internet Security (CIS) benchmarks. 

Contact a cloud security specialist to learn more about how KirkpatrickPrice can help your business to enhance and verify the security, privacy, and compliance of its cloud infrastructure.

5 Common Cloud Security Misconfigurations for AWS

Security incidents caused by misconfigurations in the cloud happen every single day. In fact, DivvyCloud reports that over the last two years, 33 billion records have been exposed because enterprises struggle to implement proper cloud security. When you take that number and consider Ponemon’s research, which estimates the average cost per compromised record is $150, that means cloud security misconfigurations have cost companies worldwide nearly $5 trillion since 2018.

Misconfigurations in AWS can have serious consequences, but they’re completely avoidable when you have the right resources to guide you. Let’s discuss five misconfigurations that our auditors see over and over again in AWS environments: IAM policy errors, incorrect security group attachments, deployment pipeline misconfigurations, backup storage location misconfigurations, and S3 bucket misconfigurations.

IAM Policy Errors

IAM is one of the most complex architectures within AWS. IAM controls who has access to which resource, so it’s an incredibly important aspect of cloud security. IAM policies that cause misconfigurations include:

  • Lack of MFA
  • Not following password best practices
  • Keeping unused credentials instead of disabling them
  • Not understanding role assumption or how it’s logged
  • Attaching IAM policies to users instead of groups or roles
  • Not rotating keys every 90 days
  • EC2 instances without properly scoped access to resources
  • Granting all privileges to all users instead of applying the principle of least privilege
  • Resource-based policies not attached to a defined resource
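Several of the mistakes in this list (missing MFA, policies attached directly to users, unused or unrotated keys, blanket privileges) can be found by reviewing the account’s IAM inventory. The script below is an added example, not code from the original article or from AWS: it runs those checks over a constructed inventory whose dictionaries resemble what boto3’s iam.get_login_profile(), list_mfa_devices(), list_attached_user_policies(), list_access_keys() and get_access_key_last_used() return. The user names, policy names, key ids and dates are made up, and the `GroupPolicies` key is an assumption standing in for the policies inherited from the user’s groups.

```python
"""Audit IAM users for the policy mistakes listed above.

Added example, not code from the original article or from AWS. The inventory
is constructed; field names follow boto3's IAM responses where they exist,
and `GroupPolicies` is an assumed summary of group-inherited policies.
"""
from datetime import datetime, timedelta, timezone

KEY_MAX_AGE = timedelta(days=90)  # rotation and last-use threshold from the article


def _as_list(value):
    """IAM policy fields may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]


def grants_full_admin(policy_doc):
    """True if an unconditional Allow grants every action on every resource."""
    for st in _as_list(policy_doc.get("Statement", [])):
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        if "*" in _as_list(st.get("Action", [])) and "*" in _as_list(st.get("Resource", [])):
            return True
    return False


def audit_users(users, policies, now):
    """Return (user, finding) pairs; `policies` maps policy name -> document."""
    findings = []
    for user in users:
        name = user["UserName"]
        if user.get("PasswordEnabled") and not user.get("MfaActive"):
            findings.append((name, "console password without MFA"))
        for pol in user.get("AttachedPolicies", []):
            findings.append((name, f"policy {pol} attached directly to the user; use a group or role"))
        for pol in user.get("AttachedPolicies", []) + user.get("GroupPolicies", []):
            if grants_full_admin(policies[pol]):
                findings.append((name, f"policy {pol} grants full admin (Action * on Resource *)"))
        for key in user.get("AccessKeys", []):
            if key["Status"] != "Active":
                continue  # inactive keys cannot authenticate; only active ones need rotation
            if now - key["CreateDate"] > KEY_MAX_AGE:
                findings.append((name, f"access key {key['AccessKeyId']} older than 90 days; rotate"))
            last_used = key.get("LastUsedDate")
            if last_used is None or now - last_used > KEY_MAX_AGE:
                findings.append((name, f"access key {key['AccessKeyId']} unused for 90+ days; disable"))
    return findings


# Constructed reference time so the example is deterministic.
NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)

# Constructed policy documents: one blanket admin policy, one least-privilege policy.
POLICIES = {
    "FullAdmin": {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    "S3ReadOnlyAppBucket": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"]}]},
}

# Constructed users: alice follows the practices, bob violates most of them.
USERS = [
    {"UserName": "alice", "PasswordEnabled": True, "MfaActive": True,
     "AttachedPolicies": [], "GroupPolicies": ["S3ReadOnlyAppBucket"],
     "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLEALICE0001", "Status": "Active",
                     "CreateDate": NOW - timedelta(days=30),
                     "LastUsedDate": NOW - timedelta(days=1)}]},
    {"UserName": "bob", "PasswordEnabled": True, "MfaActive": False,
     "AttachedPolicies": ["FullAdmin"], "GroupPolicies": [],
     "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLEBOB000001", "Status": "Active",
                     "CreateDate": NOW - timedelta(days=200),
                     "LastUsedDate": NOW - timedelta(days=120)},
                    {"AccessKeyId": "AKIAEXAMPLEBOB000002", "Status": "Inactive",
                     "CreateDate": NOW - timedelta(days=400), "LastUsedDate": None}]},
]

if __name__ == "__main__":
    for user, finding in audit_users(USERS, POLICIES, NOW):
        print(f"{user}: {finding}")
```

Passing `now` in explicitly keeps the key-age checks testable; in a real run you would substitute the current UTC time and feed the functions the live responses from the calls named in the lead-in.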

Incorrect Security Group Attachments

Do you attach the appropriate AWS security groups to the correct EC2 instances? A security group functions like a firewall, filtering inbound and outbound traffic based on rules. Our auditors see incorrect security group attachments often, especially when default security groups are involved. To avoid this common AWS misconfiguration, you must fully understand security groups.
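One way to make “are the right groups attached to the right instances” a concrete check is to first identify risky groups (the VPC default group still carrying rules, or any group that admits the whole internet on an administrative port) and then list the instances attached to them. The script below is an added example, not code from the original article or from AWS; the group and instance dictionaries use the field names boto3’s ec2.describe_security_groups() and describe_instances() return, and the group ids, instance ids and rules are constructed.

```python
"""Find EC2 instances attached to risky security groups.

Added example, not code from the original article or from AWS. Field names
follow boto3's describe_security_groups() / describe_instances() output;
all ids and rules below are constructed.
"""

ADMIN_PORTS = {22, 3389}              # SSH and RDP
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}   # "anyone on the internet"


def _open_to_world(perm):
    """True if the rule's source includes an any-address CIDR."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(c in WORLD_CIDRS for c in cidrs)


def _covers_admin_port(perm):
    if perm.get("IpProtocol") == "-1":   # all protocols, all ports
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return False
    return any(lo <= port <= hi for port in ADMIN_PORTS)


def risky_groups(security_groups):
    """Map GroupId -> reasons the group is risky; groups without reasons are omitted."""
    risky = {}
    for sg in security_groups:
        reasons = []
        # The VPC default group should carry no rules at all (CIS benchmark expectation).
        if sg["GroupName"] == "default" and (sg.get("IpPermissions") or sg.get("IpPermissionsEgress")):
            reasons.append("default group still has rules; it should restrict all traffic")
        for perm in sg.get("IpPermissions", []):
            if _open_to_world(perm) and _covers_admin_port(perm):
                span = ("all ports" if perm.get("IpProtocol") == "-1"
                        else f"ports {perm['FromPort']}-{perm['ToPort']}")
                reasons.append(f"ingress from the whole internet on {span}")
        if reasons:
            risky[sg["GroupId"]] = reasons
    return risky


def audit_attachments(instances, security_groups):
    """Return (InstanceId, GroupId, reason) for each risky attachment."""
    risky = risky_groups(security_groups)
    return [(inst["InstanceId"], sg["GroupId"], reason)
            for inst in instances
            for sg in inst.get("SecurityGroups", [])
            for reason in risky.get(sg["GroupId"], [])]


# Constructed groups: the VPC default (self-referencing rule plus open egress),
# a web tier open on 443 only, a legacy group open on SSH, and a DB tier
# restricted to the VPC.
SECURITY_GROUPS = [
    {"GroupId": "sg-default", "GroupName": "default",
     "IpPermissions": [{"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-default"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-web", "GroupName": "web-tier",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}], "IpPermissionsEgress": []},
    {"GroupId": "sg-ssh", "GroupName": "legacy-admin",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}], "IpPermissionsEgress": []},
    {"GroupId": "sg-db", "GroupName": "db-tier",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                        "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}], "IpPermissionsEgress": []},
]

# Constructed instances: the web server still carries the default group; the
# app server carries the legacy SSH group.
INSTANCES = [
    {"InstanceId": "i-web-01", "SecurityGroups": [{"GroupId": "sg-web", "GroupName": "web-tier"},
                                                  {"GroupId": "sg-default", "GroupName": "default"}]},
    {"InstanceId": "i-app-01", "SecurityGroups": [{"GroupId": "sg-ssh", "GroupName": "legacy-admin"},
                                                  {"GroupId": "sg-db", "GroupName": "db-tier"}]},
]

if __name__ == "__main__":
    for instance_id, group_id, reason in audit_attachments(INSTANCES, SECURITY_GROUPS):
        print(f"{instance_id} via {group_id}: {reason}")
```

The web tier’s 0.0.0.0/0 rule on port 443 is deliberately not flagged: a public web port is expected, and the check targets administrative ports and the catch-all protocol, which is where the damaging attachments usually hide.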

Deployment Pipeline Misconfigurations

In the DevOps model, you live and die by your deployment pipeline. When your developers aren’t aligned with security standards or your CI/CD pipeline isn’t implemented and secured properly, it can lead to critical consequences.

Backup Storage Location Misconfigurations

In terms of backup storage locations, we find that people often forget about the security of backups. Knowing where your backups are going and what security policies you have in place is critical. Let’s say you have a backup storage bucket – are you checking policies on that bucket? Does the organization’s encryption policy extend to backups? Questions like these need to be asked to appropriately secure backups.

S3 Bucket Misconfigurations

Symantec reports that in 2018, more than 70 million records were stolen or leaked from S3 buckets as a result of poor configuration. AWS says that the top five S3 security concerns are:

  • Public access to S3 buckets
  • Not using server-side encryption with S3-managed encryption keys
  • Not encrypting inbound and outbound S3 data traffic
  • Unfamiliarity with how S3 versioning and S3 lifecycle policies work
  • Not using or analyzing S3 access logging
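Each of the five S3 concerns above corresponds to a bucket setting that can be inspected. The checker below is an added example, not code from the original article or from AWS: it evaluates a constructed per-bucket summary shaped like the responses of boto3’s s3.get_public_access_block(), get_bucket_policy(), get_bucket_encryption(), get_bucket_versioning() and get_bucket_logging(), and reports a finding for each concern that is not addressed. Public access is checked two ways (the account/bucket public access block and an unconditional grant to everyone in the bucket policy), and traffic encryption is checked as a Deny on `aws:SecureTransport = false`. The bucket names and policies are made up.

```python
"""Check S3 bucket settings against the five S3 concerns listed above.

Added example, not code from the original article or from AWS. Each bucket
is a constructed dictionary whose values mirror the relevant boto3 S3
responses; all names and policies below are made up.
"""

PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statements(policy):
    return _as_list(policy.get("Statement", [])) if policy else []


def has_public_grant(policy):
    """An unconditional Allow to principal '*' makes the bucket world-accessible."""
    for st in _statements(policy):
        principal = st.get("Principal")
        is_anyone = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if st.get("Effect") == "Allow" and is_anyone and "Condition" not in st:
            return True
    return False


def enforces_tls(policy):
    """True if a Deny statement rejects requests made without TLS."""
    for st in _statements(policy):
        cond = st.get("Condition", {}).get("Bool", {})
        if st.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def audit_bucket(bucket):
    """Return a list of human-readable findings for one bucket summary."""
    findings = []
    pab = bucket.get("public_access_block") or {}
    if any(not pab.get(flag) for flag in PUBLIC_ACCESS_FLAGS):
        findings.append("public access block is not fully enabled")
    if has_public_grant(bucket.get("policy")):
        findings.append("bucket policy grants access to everyone")
    rules = (bucket.get("encryption") or {}).get("Rules", [])
    if not any(r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
               in ("AES256", "aws:kms") for r in rules):
        findings.append("no default server-side encryption")
    if not enforces_tls(bucket.get("policy")):
        findings.append("policy does not deny non-TLS (aws:SecureTransport=false) requests")
    if (bucket.get("versioning") or {}).get("Status") != "Enabled":
        findings.append("versioning not enabled")
    if not (bucket.get("logging") or {}).get("LoggingEnabled", {}).get("TargetBucket"):
        findings.append("server access logging not enabled")
    return findings


# Constructed weak bucket: public read policy, no access block, no encryption,
# versioning suspended, no access logging.
WEAK_BUCKET = {
    "name": "example-public-data",
    "public_access_block": None,
    "policy": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-public-data/*"}]},
    "encryption": None,
    "versioning": {"Status": "Suspended"},
    "logging": {},
}

# Constructed hardened bucket addressing each of the five concerns.
HARDENED_BUCKET = {
    "name": "example-private-data",
    "public_access_block": {flag: True for flag in PUBLIC_ACCESS_FLAGS},
    "policy": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-private-data", "arn:aws:s3:::example-private-data/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
    "encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]},
    "versioning": {"Status": "Enabled"},
    "logging": {"LoggingEnabled": {"TargetBucket": "example-s3-access-logs",
                                   "TargetPrefix": "example-private-data/"}},
}

if __name__ == "__main__":
    for bucket in (WEAK_BUCKET, HARDENED_BUCKET):
        print(bucket["name"], audit_bucket(bucket) or ["no findings"])
```

The hardened policy’s Deny statement names Principal `*` too, which is why `has_public_grant` looks at the Effect and the absence of a Condition rather than at the principal alone; a Deny to everyone is the TLS control, not an exposure.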

Why We Chose These Misconfigurations

In the AWS Shared Responsibility Model, AWS is responsible for security “of” the cloud and customers are responsible for security “in” the cloud. AWS considers configuration management a shared control, explaining, “AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.” This means you, as the AWS customer, cannot depend on AWS’ security practices alone when it comes to configuration. You can avoid the consequences of misconfigurations when you properly understand and configure IAM, security groups, deployment pipelines, backups, and S3 buckets.

At KirkpatrickPrice, we’ve created a framework for cloud security audits based on the CIS Benchmark and other industry standards. We hire technologists, then train them to be auditors – and this increases the value and quality of our AWS audits. Contact us today to begin testing your cloud security measures and discover if your AWS environment has any of these common misconfigurations.
