When clouded judgment puts data at risk

The chief executive and finance director of film company Pathé’s Dutch operation were fired last month after criminals stole €19 million in a sophisticated email scam.

Let experts do it for you, so you can focus on your core business

With increased media attention and more stringent regulations, data breaches now have far-reaching consequences, in terms of financial loss, reputational damage and even employment security as someone needs to be held accountable.

As most data is located in the cloud, the impetus on cloud security as a business function is more important than ever.

The cloud was first met with general apprehension as questions were asked how it could be made secure.

Stakeholders believed that traditional IT systems consisting of a few servers were far more secure than an array of virtual servers. However, large on-premise systems can be accessed by many people, while cloud systems can provide different levels of access to individuals.

“When considering data security, if enterprises point to where the data is versus how the data is secured, I know I have a big problem,” says David Linthicum, chief cloud strategy officer at Deloitte Consulting. “The ability to restrict access using the proper security mechanisms is far more important than location.”

Despite this, security concerns in the cloud are on the rise. The cloud revolution brought new security threats and privacy challenges, both during and after cloud migrations.

The security landscape has changed as cybercriminals shifted their attack techniques. Now hackers are moving up the virtualisation stack in search of vulnerabilities that can deliver the prize of data followed by a hefty payout.

The biggest threats to cloud security, as identified by Alert Logic’s Cloud Security Spotlight, are the misconfiguration of cloud platforms, unauthorised access through misuse of employee credentials and improper access controls, and insecure application programming interfaces.

In the last 12 months, there has been a significant increase in cloud security incidents. Coupled with inadequate legacy tools and a lack of qualified security professionals, this has left some organisations overwhelmed.

The security challenge of the cloud is becoming more complex as data is hosted on multiple clouds and in different regions simultaneously. This fragmentation means that organisations are struggling to manage visibility into infrastructure security, compliance, and setting consistent security policies across cloud and on-premise environments.

Businesses across the world, however, are adopting the cloud at unprecedented levels, driven by the necessity to digitise operations and output.

Research from the Cloud Industry Forum in 2017, for example, found that the overall cloud adoption rate in the UK stood at 88 per cent. Globally, it stands at around 70 per cent.

Any barriers that do exist surround security and data protection, while a lack of employee training and reliance on legacy tools, combined with data privacy concerns, increase the security risk and the stakes.

Personalised training of staff is essential as currently most programmes are one size fits all. The majority of data leaks are caused by human error and so this is an area that business leaders must invest in.

Furthermore, organisations that adopt the cloud are not cloud experts, nor are they security experts. Their traditional tools are not up to modern cloud security challenges.

It is advisable, therefore, to use the security tools built by cloud providers, while deploying third-party security software to ensure effective cloud security controls are implemented.

Mark Corley, chief technology officer at Avanade, says organisations shouldn’t manage cloud infrastructure in-house, unless there is a very clear business case and reason to do so.

“External specialists are already investing heavily into improving cloud infrastructure, so it’s always advisable to outsource. Let experts do it for you, so you can focus on your core business,” he says.

Evolving impetus on cloud security, with market value predicted to hit $13 billion by 2022, according to Market Research Future, calls for a constant stream of technology solutions, each more versatile and battle hardened than the last.

The latest technologies incorporated in these solutions centre around artificial intelligence (AI), machine-learning and automation.

Security orchestration, automation and response, or SOAR, for example, is a growing area of security being leveraged by security information and event management (SIEM) providers.

This technology describes the convergence of three technology markets: security orchestration and automation, security incident response and threat intelligence platforms. It helps organisations enhance threat detection and response through the aggregation and correlation of data, and the automation of routine security tasks.

Vendors, such as Bitglass, are using AI and machine-learning to identify new applications in the cloud automatically and predict vulnerabilities through cloud access security brokers (CASBs).

“Though it was first introduced in 2012, CASB is showing signs it is ready to mature,” says Jon Wrennall, chief technology officer at Advanced.

“CASBs sit between cloud and on-premise infrastructure to manage threats that organisations are unable to deal with. New CASB tools are providing constant views of cyberthreats from various channels in an ongoing, real-time way. Enterprises are increasingly looking for solutions that do not stifle mobile workforces or productivity, but provide detailed insight into and instant protection of cloud activity.”

In 2018 the spotlight has been fixed on the issue of cybersecurity and data protection. As a result of this changing landscape, those at the very top of organisations are becoming responsible for data, most of which is held in the cloud.

Cloud security, therefore, should remain an absolute business priority. Enterprises and business leaders need to be aware of the threats leveraged against the cloud, and take proactive and innovative steps to address them.