Security Watch: Safely migrating to the cloud

Companies have reprioritised their needs and expectations in the wake of Covid-19, especially when it comes to the cloud. The exodus to virtual work last year underscored the urgency for scalable, secure, reliable and cost-effective off-premise technology services.

Businesses and government entities alike will need to continue to plan for a more agile business environment going forward.

Cloud computing has become mainstream over the last year. The challenge, however, for companies is how best to manage operations and security in a multicloud environment.

Research commissioned by Microsoft Ireland last November, and conducted by Amárach, highlighted that 57 per cent of remote workers said their attitude towards the use of cloud-based services had positively changed since the start of the pandemic. The study also found that most companies would focus future digital investment on equipping, upskilling and protecting remote workers.

So why are organisations having a difficult time securing their cloud environments? And what challenges stand in their way?

“If you look at security of the cloud, the key areas are both operational security and business-level security. Organisations moved rapidly to the cloud last year to ensure they were able to continue business,” said Mark Brown, managing director of BSI.

“This meant that they were not in control of their own destiny, so rather than having on-premise systems where they could control the security and availability, there was perceptively an increased risk of data breaches and that resulted in an absence of a proven framework for security.”

Brown said that there are several different components to cloud, so companies need to be cognisant of various factors.

“Companies need to look for the integration between on-premise security solutions and the cloud security solutions. Do they actually work in tandem with each other or do they create conflict for organisations?”

The pandemic has forced companies to become more acquainted with the cloud and therefore it is paramount that companies can automate a lot of security control, so the whole premise of cloud is built around agility.

“Being able to use it as an elastic model where if you need more cloud power, you can subscribe to it – or if you need less, you can reduce your subscriptions,” said Brown.

“The key here is that you want to be able to take the policies that you have developed and very quickly deploy those on to new environments.”

In terms of empowering employees to be less of a threat, Brown said that training is essential.

“Training, training, training. The importance of cyber security training for employees cannot be underestimated. Employees are employees for a reason and should be trusted.”

The recipe for a secure cloud is relatively straightforward, according to Peter Rose, chief technical officer at TEKenable, but he said the single biggest challenge with the cloud is phishing for credentials.

“The effectiveness of credential phishing relies on human interaction in an attempt to deceive employees – unlike malware and exploits, which rely on weaknesses in security defences,” said Rose.

“It’s becoming more and more prevalent, especially with remote working, and some companies may not be given as much attention as they normally would be due to being absent from the office.”

Grant Caley, chief technologist at NetApp, said the cloud itself is a very safe environment as billions have been spent on cloud security. Caley said one factor companies need to consider when going to the cloud is that it will be breached in some form.

“Possibly a hacker gains a password to a valid account that has rights to access data in the cloud. In that case, customers need to consider how they detect that type of anonymous access and shut it down straight away,” he said.

Last June NetApp acquired Spot, a leader in compute management and cost optimisation on public clouds, to address the challenge of achieving the best possible level of performance and cost for storage and compute while maintaining contracted service-level agreements (SLAs).

NetApp develops application-driven infrastructure that makes it easier to move more applications to the cloud more quickly. Part of the process is data classification, working out which workloads can move, and where they should move to.

Caley said having the correct level of skills to maintain a high level of security is crucial.

“Knowledge and correct training are essential, understanding data and the classification of data. Employees should be made aware of what should and should not be stored in the cloud,” he said.

“Knowing that you have an issue is the first thing, while also putting in the correct monitoring and alerting capabilities that can detect suspicious activity is essential, because if you don’t know it happened then you’re in a very bad place in terms of being able to control it.”

Caley said there has been a huge rise in companies requesting how to build remote tools in the cloud since the pandemic started.

“The shift to work from home due to the Covid-19 pandemic has accelerated enterprises’ switch to cloud-based computing. The surge in demand for cloud infrastructure tools is indicative of a much more significant change in how organisations operate.”

An O’Reilly Research Group survey of more than 1,200 businesses conducted just before the pandemic and its attendant lockdown found 88 per cent of respondents use cloud in one form or another. A full 25 per cent were planning to move all of their applications to the cloud.

Research by Microsoft Ireland last found that just 26 per cent of remote workers had experienced a cyber-attack personally, while 45 per cent of employers had asked their employees to use their personal devices for work since the start of the pandemic.

Cyber hackers are opportunistic, skilled, and relentless, said Des Ryan, director of solutions at Microsoft.

“They have become adept at evolving their techniques to increase success rates, whether by experimenting with different phishing lures, adjusting the types of attacks they execute or finding new ways to hide their work,” he said.

“While our physical work locations may have changed, our responsibilities in protecting organisational data and complying to data regulations have not. Now is the time to address this with an increased investment in cybersecurity, secure devices, tighter policies, increased support, and education for employees so they can play an important role in not only protecting themselves but also their organisations.”

Ryan said that moving to the cloud can bring fantastic additional security benefits.

“If you look at the physical security in any of the data centres, it’s dramatically more than you would be able to afford if you were staying on-premise,” he said. “Likewise, depending on what services you are buying, there are incredible security capabilities built into a lot of the services.”

While Ryan is a cloud-first advocate, he said that there are things all customers need to be very conscious of, particularly the human element of moving to the cloud.

“All of the tools are there in order for you to be secure, but you need to turn them on and own your own security posture. If you don’t consider security, it can be a problem for you. Equally you need to make sure you are talking to the people that are using your cloud platform,” he said.

Those words were echoed by Robert Stockburger, an information security manager at Almac.

“Organisations like ours have invested heavily in the past decades in creating that secure on-premise environment, to make sure that their own on-premise systems can only be accessed by their employees,” he said.

One challenge faced by almost all businesses in the last year was how to enable employees to work safely outside of that secure perimeter.

“The cloud by its very nature is designed to be accessed from any device, location or person. However, that’s not what we want as an organisation,” said Stockburger. “We would prefer that our information is accessed by our employees from our equipment in a safe and secure environment.”

Stockburger said the global accessibility that you can get with the cloud environment is sometimes both a blessing and a curse. “You have to make sure that you put appropriate controls in place and that those controls are implemented in line with your security postures.”

Moving to the cloud does not mean that someone else is taking care of that problem for you, according to Mark Mitchell, practice lead at CWSI. “You still need to think about security and to leverage the tools and platforms that are available to do that,” he said.

“There is an educational aspect to it as well when the managing devices and users within a perimeter go out the window. You need to be able to provide functionality and capability to the users, but not compromising security at the same time.”

The accelerated transition to home working placed pressure on organisations to support the unavoidable blending of personal and professional lives more than ever before.

This naturally created new risks, but there is an array of things that companies can watch out for and be mindful of into the future, according to Mitchell.

“Don’t assume that moving to the cloud is going to fix all of your problems. If you don’t classify your data today on-premise in your own file servers, then don’t assume that’s automatically going to be fixed by moving to the cloud,” he said.

“You still need to consider your processes, the way you’re going to adopt this and educate users, in addition to migrating to these new services.”

Mitchell said that now is a great time to think and plan ahead to improve posture and cloud security.

“The pandemic has caused many organisations to accelerate their cloud adoption. Having that capability and scalability has been a great benefit, but a lot of people have made tactical decisions during Covid-19, but those decisions don’t have to be set in stone into the future,” he said.

“Just because Zoom was used extensively over the last year doesn’t necessarily mean Zoom has to be part of your organisation’s objectives going forward.”

Michael Conway, director of Renaissance, said security has had to evolve from on-premise to 100 per cent off-premise. Most hacks and most attacks are around compromised credentials.

“In a way, the current situation has helped complicate things with people working remotely and new measures required to ensure safe working,” said Conway.

“Migrating to cloud services and being more reliant on unified communication tools can lead to greater productivity, but a balance is needed between this and security.”

Ryan emphasised that data classification is one of the most important things regarding security and it is essential that companies understand what data they have. “Once you know what data you have, you need to decide what is the right level of security.”

Almost everything in the digital world is connected to the cloud in some way or another, unless it’s specifically kept in local storage for security reasons. As companies find new ways to organise, process and present data, cloud computing will become a more and more integral part of our lives.

Companies need to focus on their strategic goals and what they want to do in the future, according to Mitchell.

“Now is the time where you can start to look through all of the decisions you made during Covid-19 and prevent any future risks,” he said.

“The growth that we’re seeing with our customers, especially customers that we’ve been working with for a long period of time and would be aware of their strategic goals, what their business transformation plans were that were looking at some form of cloud adoption.”

The last 12 months has accelerated a move to the cloud, but it’s also shown where the shortfalls lie.

“A company may have had an incredibly well managed and secure internal environment, but they had gaps in capacity or scalability or moving out to the cloud,” said Mitchell.

“At the moment, we have an organisation that has done what they planned to do over the next two-and-a-half years, and they’ve accomplished their goals in the last six-and-a-half months. I think everyone is more comfortable with the cloud now as a concept, but it’s a case of making sure you plan it thoroughly and adopt it properly.”

There is no question customers are embracing the cloud, some industries at different rates than others.

“It’s important companies think about security in the cloud as it’s constantly evolving,” said Ryan. The threats continue to evolve, the tools that are at your disposal continue to evolve, so you need to make sure you stay on top of what the threats are and continue to tune your environment accordingly.”

Microsoft’s research found that 58 per cent of Irish companies believe they will have a hybrid workforce in future as more staff work from home more of the time and others are in the office.

“Customers that I’m speaking with are not looking to go back to the way things were. They are now thinking about hybrid environments, which means that the security posture is changing again,” said Ryan.

“Your security posture will change consistently and regularly, and people may now need to revisit some short circuits that were made in the rush to respond to Covid-19, but also now to build an environment that is sustainable for a hybrid environment.”

There is also an onus on employers to empower their own staff to be less of a threat when it comes to the cloud. Often, an employee’s focus is primarily on their own work. The last thing they’re thinking about is the security of their services.

Many don’t realise that they may be violating security policies or that there are potentially critical security flaws in widely used cloud services.

Additionally, employees are often reluctant to ask the IT organisation whether certain cloud applications can be used for fear that they will simply be told no.

Companies have a responsibility to empower their employees to use flexible cloud services to get their work done as effectively as possible, according to Stockburger.

“From my perspective what employers need to do to reduce the threat level of their employees is to put in preventative and protective controls, and you must make sure that the controls follow the data,” he said.

Ryan concurred and said there needs to be greater focus on employee education.

“The threat changes and so it is incumbent on all of our customers and Microsoft to continue to educate people as to what the threats are. Almost all the significant security breaches that happen start with someone clicking on a link somewhere,” he said.

“It’s usually blatantly obvious that it’s not the right thing to be doing – but people don’t think, so education and awareness are crucial.”

Mitchell takes a broad view and said that security is now the responsibility of everyone in an organisation.

“The key things that they need to watch is managing the user behaviour and the authentication. User behaviour and education are key, particularly with Covid-19. Companies should have an active role in helping employees to be aware of the latest scams, which is a core part in protecting cloud security,” said Michael Conway.

“Working from home made this more difficult as people had no peer assistance regarding checking if something was safe to open, so it opened up the way for endless phishing attacks,” he said.

As cloud migration gathers pace, Conway said training, behaviour, awareness, and education are essential for employees. “Employees need to be trained not to click on the wrong things, but not all companies make these investments,” he said. “User awareness training and security awareness training is absolutely core.”

The world has experienced one of its most significant crises in recent times, courtesy of Covid-19. Notwithstanding the health impact, the pandemic has provoked a massive disruption to global economic activity, supply chains and businesses.

Rising global digitisation has been a catalyst for companies in the cloud computing and data analytics space, as fresh avenues provide new growth opportunities.

Information classification

There are some things that you may not want to move to the cloud, but most organisations have not taken the time to classify their data – and that is an impediment in really tightening up security.

Ryan said the task of classifying your data and discovering data is getting much easier, due to evolving tools and resources.

“There are tools now that allow and support you to identify what kind of data you’ve got in the first place, and there are some fantastic tools built into Microsoft solutions that – once you’ve classified your data – allow you to apply the right levels of control,” he said.

“Once information is classified, you can protect it. If it’s not classified it’s very difficult to know, and you definitely don’t want to be in a scenario where you lock everything down, because that means people will go around your controls.”

Information classification and applying the appropriate controls is a hard exercise for organisations that haven’t had to deal with it in a secure on-premise environment, according to Stockburger.

“A cloud adoption process is a perfect time to take a pause, look at your information and security posture and make sure that you’re going into the cloud with your eyes wide open and that controls are in place to protect the things you want,” he said.

“When we started our cloud adoption process, the guidance from Microsoft was very clear: turn on multi-factor authentication. When we turned that on, we saw alerts on an almost daily basis.”