Businesses across the country have bought into the extraordinary benefits of cloud computing. Senior executives have become passionate advocates, attracted by the promise of greater agility, cost savings and convenience. It is no surprise that global spending on public cloud services will reach $141bn by 2019. But business leaders are less well informed when it comes to the risks the cloud can introduce to enterprise environments.
That’s why IT needs to take ownership of cloud security. This will certainly require specialised tools designed to detect the “needle in the haystack” of cyber threats across this type of IT service delivery. It will also demand that IT functions articulate those threats in a language the business understands. Without cyber risk being articulated in the familiar lexicon of business risk, senior management and board-level engagement is difficult to secure.
Scoping the threat
Clouds (and cloud services) come in many shapes and sizes. But despite the undoubted business and IT benefits, security still tops the list of barriers to adoption. These concerns frequently revolve around the multi-tenancy nature of many cloud offerings. The question as to whether you can be sure your sensitive customer data and/or IP is protected from the virtual machines (VMs) of other tenants, some of whom may be competitors is a reasonable concern? Others include: whether your supplier is certified to comply with relevant industry standards and regulations like PCI DSS and ISO 27001? If you know where your data is being stored and how it is being handled by your CSP? Do you know what kind of security measures are in place, and what you are expected to provide?
These are all valid concerns, especially as the means to launch successful attacks in the cloud are increasingly available on the dark web. Anyone trying to “shoehorn” traditional security products and techniques into their cloud environment needs to be confident that they are not compromising their security preparedness.
Zero-day threats are particularly difficult to detect, yet critical to defend against. Signature-based anti-virus solutions, traditional firewalls and even intrusion defence systems are fine when dealing with known malware. But they become problematic when they present as something that hasn’t been seen before. A zero-day threat in your cloud environment could enable attackers to access your sensitive customer data and trade secrets, or simply give them an opportunity to spread ransomware.
A determined hacker will always find a way into a system. The important thing to focus on is detecting this as soon as possible. The longer you allow an attacker to stay active, the deeper they can go and the more damage they will inflict.
Taking control
Business users keen to accelerate moves to the cloud can sometimes risk paying insufficient attention to safety or security, so it is important for IT leaders to take control. The reality is that when it comes to the cloud, you can’t outsource responsibility, so businesses need to be proactive about vetting providers, understanding what security controls they have in place and where and how data is stored. But most importantly, they need to work out what protections they still need to put in place “over the top” to keep key data and systems safe from harm.
Central to any security strategy should be to reduce the attackers’ “dwell time” – the time between infection and detection – which currently averages an unacceptable 146 days. Some organisations set up alerts to help them spot unusual behaviour. Unusual, however, is not necessarily a problem but it can swamp teams with too much data to investigate, inevitably leading them to spend so much time fire-fighting that they can miss the all-important needle in the haystack.
Threat intelligence needs to be consolidated to be genuinely useful; part of this is being able to baseline normal behaviour in order to better spot unusual activity that indicates a breach. Applied in the right way, machine learning can help by systematically prioritising only the most critical threats to maximise your response team’s effectiveness. Given the more exposed and accessible nature of cloud systems, these approaches become even more important.
Talk, talk, talk
Detecting threats is one thing, but taking action on major issues typically requires wider understanding from technical and business teams. That means being able to describe threats and impacts in a way that is meaningful beyond security operations. It doesn’t matter how impassioned you are about threat vectors, unsecured APIs, or inter-VM attacks, it will mean nothing unless they are translated into the right risk lexicon.
Highlighting a compliance failure may be met with blank stares but if it means no revenue because the business can’t process payments it takes on a greater significance and will be rectified quickly. Similarly, a report of a security issue affecting a number of virtual servers may not be seen as a priority until the associated business impact and the potential loss of customer data and resulting financial and reputational impacts are clearly understood by management. To support this, companies are increasingly investing in intelligent systems that can articulate the specific business risk to the organisation of a given cyber threat.
Cloud computing is here to stay, and is transforming organisations across the globe. But it has also introduced new challenges that many organisations are still coming to grips with. IT teams, security functions and business stakeholders need to communicate effectively, in a common language, to understand and manage cyber risks in this new outsourced world.