I’ve spent the last few months chatting with all manner of information security professionals in developing my next agenda. Over the next few weeks, I’ll be digging a little more into some of the topics and themes brought up during this research period, and sharing some uninitiated yet sanguine opinions.
The Challenges of Cloud Security
Most organisations have a cloud strategy in place and are slowly migrating to a full or hybrid cloud model. According to a 2018 IDC survey, 77% of US-based enterprises have at least one application or a portion of their infrastructure in the cloud; the statistics for South Africa are likely lower, but not too dissimilar in the step-by-step approach to migration.
With the high investment going into cloud services – inversely driven by vendors only offering cloud-based services – the main challenge, closely associated with ROI and overall risk, is the complexity of security policies and procedures. Part of this is vendor integration with various cloud platforms and security gaps that occur when moving between different cloud environments.
From a lay perspective, I will investigate some of the biggest challenges to cloud security. The experts out there will fill in the gaps, but these are the fundamental issues I’ve picked up during my research for CISO Africa 2020.
Current Security Architecture
With many large organisations, especially our federated financial services firms, having a baseline understanding of security architecture can sometimes be as clear as mud. With decentralized management, and siloed entities, having a holistic view of security sprawl is the first step in building a centralized strategy.
Are all policies and procedures in line with one another and adaptable to the future environment? Have you conducted a gap analysis on the impact of cloud to your current security programme? What are the perceived risks to a distributed cloud-based network? What should remain on premise, if at all? What concerns are there around data protection, storage and back-up?
Compliance And Data Regulations
One of the bigger seeds of doubt is around compliance and data protection/privacy laws. The big question can be simplified as: If you opt for a cloud provider with servers based in Europe, what compliance issues are there? Now with the establishment of local data centres in South Africa, this streamlines matters to a degree. Add to that the compliance issues around moving data from physical to cloud. What is the relationship like between the risk and compliance teams? Do you have a GRC manager embedded in IT, indeed within the security team? On the face of it, this seems a given, but the headaches start when trying to translate strategy across these roles.
As touched on earlier, there needs to be consistency across multiple environments covered by security solutions and policy enforcement. There are solutions out there to govern this, but the fundamental understanding of security change policies, scaling and dynamic provisioning needs to be considered. Mapping this out and putting it into practice may become a head scratcher at times, so ensure you are adequately prepared and find the solution that works best for your environment.
New System Vulnerabilities
Nothing is ever 100% secure, and cloud brings its own challenges, mainly due to complex infrastructures and multiple third-party risks. Consistently monitoring the network, upgrading protocols and ensuring proper patching are critical to mitigating third-party threats; make sure your contracts are carefully examined too. Data protection solutions are vital in protecting against loss and security threats – again, find the right partners for loss prevention and data back-up.
What About Employees?
The reality is that tech can only do so much in the face of human competence. Employee negligence will always be the biggest threat to all systems.
Numerous education programmes and constant awareness training are a must, but there is always that one slip of a mouse button and all hell breaks loose. Strict Zero Trust and IAM policies need to be in place and well monitored, especially with regard to the plethora of personal devices connecting to networks as well as the potential hazards of remote working.
People steal information, people can be bribed or manipulated, people can be vengeful – understand the psychological risks to access and act accordingly. Malware and phishing attacks are on the rise, growing in sophistication and deliberately targeting employees either directly or through outside websites such as YouTube and Facebook. There is a fine balance between draconian enforcement and driving a harmonious company culture.
I bring this up mainly due to the recent news of the bombardment the City of Johannesburg experienced. The severity of DDoS attacks is compounded by the additional devices attached to a particular network. Yes, there are several vendors out there providing solutions to mitigate these threats, and they should be consulted at some stage. The immense scale of a cloud network turns these attacks into a hungry beast that could well bring the entire system down.
The benefits of cloud are too numerous to ignore. From scalability, reduced operational and infrastructure costs, through to data recovery and multi-layered security, the move is beyond inevitable. Whichever cloud migration strategy is followed in your organisation, security needs to be at the top of the priority list. Effectively weaving through the minefield of compliance, vendor-risk, compatibility and control issues can be more complex than expected. It is one of the biggest broad topics that keeps creeping up in my research, which I suspect will continue to be a thorn in the side of security practitioners for the next few years.
Don’t forget to join us at CISO Africa 2020 from 18-20 February. With keynotes from leading CISOs, interactive streams, including a dedicated Cloud Security stream, this is one you cannot afford to miss.
Ryan J. Matthews