Making the cloud a safe space: Organisational security, identity, and more

The cloud has brought about many benefits for organisations and adoption is understandably increasing. Gartner earlier this year projected that the worldwide public cloud services market would grow 21.4 percent in 2018 whilst Forrester has found that global cloud services revenues totaled £112.5 billion in 2017, and is predicted to grow up to £137.2 billion by the end of 2018. With this huge growth in cloud adoption, effective security is paramount. Recent cyber-attacks have highlighted that organisations across all industries and of all sizes are the target of ongoing attacks.

With all the advantages that cloud brings including flexibility, efficiency and strategic organisational value, it is certainly a development many ambitious businesses are looking to utilise. It can provide the platform that enables a modern organisation to grow, expand into new markets and coordinate their strategy and plans. With many organisations now encouraging remote and home-working and operating internationally with diverse, multi-cultural teams the cloud is increasingly important to helping organisations collaborate, organise, share information (securely) and scale up.

Some of the biggest companies in the world, for example Google, Microsoft and Amazon are committing massively to the cloud, underlining the belief that the technology has huge commercial potential. These companies expect to see significant growth in the market which will fuel their future financial performance. Indeed, in Microsoft’s most recent financial result in July cloud was credited as driving a record fourth quarter result for the company.

It is another indication that the cloud is growing and adoption is increasing. Even Luddites will – perhaps slower than most – come to realise the huge benefits cloud can bring to an organisation, provided that security is kept front of mind. Ineffective and security-compromising use of the cloud is worse than not using the cloud at all. As such, proper planning is crucial.

With any new technology and system, it is vital that proper procedures are put in place to keep data safe and secure and to ensure employees use the system properly and maximise the impact it can have. Training needs to coordinate these efforts. The cloud is no different. It is IT’s job to make sure that the cloud creates the ROI and efficiency gains that senior executives will be looking for. This means taking the time to plan the implementation and then invest in training and support for employees.

Security has to be one of the main considerations when it comes to using the cloud. As with any IT system it can lead to a breach and loss of data. The cloud does not eradicate this vulnerability, it changes the dynamic, meaning CISOs and their teams need to be on the front foot when it comes to keeping the cloud secure. A successful breach will be a major setback for adoption of the technology within an organisation, especially if the context in which the breach takes place is a management that see it as a cost rather than an opportunity and a gain.

To ensure cloud has the backing of management therefore, there must be a laser focus on security. There won’t be much credit when the cloud remains secure – that is expected – but there will be a major downside if it goes wrong. With all this in mind let’s focus further on some of the key issues and questions around cloud security:

What is the impact of the cloud in terms of organisational security?

Cloud introduces new security risk to organisations because publicly exposed APIs are the underlying infrastructure that makes the cloud and cloud applications run. Unlike the http/s view of websites, which is largely choreographed for user experience and constrained on what is exposed or exploitable, APIs are built with fully exposed controls to support orchestration, management and automated access to the environment and applications. APIs provide a rich target for exploitation and introduce another dimension the challenges of expanding boundaries that were not seen in traditional enterprise on-premises perimeters.

Is security in the modern digital world like an open city, as opposed to traditional corporate computing, which is more like a castle?

Attackers will take the path of least resistance, and employees – and IT in many instances – will unwittingly help them. There will always be employees who will fall prey to phishing, surf exploited sites, or use free Wi-Fi from a coffee shop to open the door for the attacker. Also, common infrastructure weaknesses are the ‘exploit of choice’ to land a beachhead within an organisation, such as using an SQL query to find cached credentials, or finding a publicly exposed unpatched server to exploit. And then there is always the fallback to first-initial-plus-last-name with password1234.

How do we stop hackers from taking over the identities of victims in order to gain access to systems? Any real-life examples that demonstrate this?

There is no way to prevent intrusion through exploiting identity. The best that can be done is to slow attackers down by using good identity hygiene: implementing multi factor authentication, using longer pass phrases over passwords, deprecating expired employee accounts and monitoring access logs. However, the industry is making improvements in identity around trust by using multi-context analysis strategies that include time of access, country of origin, host computer in use, and other behavioural analyses to add weight to identity.

At the end of the day, organisations need to put in place robust procedures and make employees accountable for keeping networks safe and secure. The cloud introduces new security risks for organisations that will need to be managed effectively by the CISO; failure to do so could be very costly to an organisation both financially and reputationally. We have seen cyber-attacks generate headlines around the world recently – think WannaCry and Petya – to see notable examples of this.

Then you have the recently implemented GDPR, effecting any company who works within the EU. Inadequate data protection procedures under this regulation leads to increased penalties and fines for companies. This should focus the minds of executives on the challenges of implementing robust cyber defences, but too often this is not the case.

I would not want to see the adoption of cloud held back by fears over security, instead I believe cloud should be adopted by organisations that are ambitious to grow and effectively collaborate to solve problems and drive business performance. The penalties resulting from GDPR for example and from other regulations should not be a deterrent to implementing new technologies and systems. To me the focus should instead be on planning effectively and then implementing a solution that works and by this, I mean it is safe, secure and enables improved operational performance.