The keys to the cloud

Don’t expect providers to protect your cloud data, writes Róisín Kiberd. Here’s how to do it yourself

11th October, 2020
The keys to the cloud
The greater the scale of a cloud, the higher the security risk.

In tech, the cloud looms larger than ever. With remote work still in force for many, roughly half a year after the global pandemic first struck, we’re relying on cloud storage and cloud systems to keep businesses afloat.

It’s likely that many among us were unprepared for such a shift. The good news, however, is that it’s not too late to secure your data – and to reap the benefits.

“It’s a strange world, but organisations change,” said Michael Conway, director of Renaissance. “I think the challenge for organisations at the moment, in terms of responding to the pandemic, is that really they don’t have a clue what’s coming next.”

As talk of a second wave gives way to an ongoing, post-pandemic reality, the Irish Government has issued ‘guidance’ rather than rules on returning to the office.

“Businesses have been left to run things as best they can, with very little information and very little guidance,” said Conway. “At least there are some rules in Britain, and some regulations, but it’s only ‘guidance’ here.”

While some businesses were set up and ready to go as soon as the lockdown began, others had to rush to catch up and are suffering for their lack of preparation.

“It’s really just meant that these organisations now have more users try to access their services,” said Grant Caley, chief technologist at NetApp Ireland and UK.

“They have a challenge in terms of security; they need to scale it. Some people have only just moved into the cloud, and are still grappling with how to do that. They’ve taken on something they’re not used to.”

These businesses might also be reckoning with an inconvenient truth; that for all the promises of hyperscale cloud providers, a great deal of the security burden rests on the customer.

“Hyperscalers like AWS, Azure and Google spend billions on cloud security but then they effectively give the users the keys to the door. That’s where it can start to go wrong. If you know what you’re doing, then it’s great, but if you don’t, that’s where the challenges occur.”

The greater the scale of a cloud, the higher the security risk.

“If you have, say, 1,000 users, instead of 10 users, this significantly widens any potential attack,” said Caley.

“It heightens the risk of scenarios like ransomware, where the data is encrypted.”

It might be a case of going back, as soon as possible, and addressing any gaps in security while you have the chance.

“Flexible working arrangements are here to stay, and IT must adjust how they support this. For many organisations, the solution was to extend VPN access to their remote workforce, which actually worked quite well,” said Shane Heraty, regional director of Cisco Ireland and Scotland.

Shane Heraty, regional director of Cisco Ireland and Scotland

“This quick transition was never meant to be a permanent solution. Now businesses are realising that many jobs can be done from home, but this also means that IT faces a challenge in supporting a remote workforce. IT loses the ability to manage connectivity – the employee is at the mercy of their service provider. In some cases, IT loses visibility, making troubleshooting issues when they arise much more difficult.”

Digital transformation, as a phrase, can be misleading; joining the cloud will not automatically transform your business, nor will it make your business a fully digital one.

“I think the biggest mistakes people make going into the cloud is expecting a world that does everything for them,” said Caley. “In reality this is not the case. You have to build those capabilities yourself.”

Companies like NetApp can provide on-premises solutions as well as cloud-based ones to address this.

“When the customer decides to build a new application in AWS, as an example, we can wrap data efficiencies, data security and data protection around it.”

The risks are significant; misconfiguration is a big one, as are internal breaches. External threats like malware, ransomware, phishing and other forms of social engineering also pose a threat – cybercriminals have thrived in recent months on the chaos and confusion created by Covid-19.

“During the pandemic we saw malicious players increase their attacks on organisations,” said Heraty.

“As most organisations moved their activity to the cloud, the level of risk only increased. Cloud security helps our customers better manage their cloud for the way the world works right now. It shields against threats, anywhere they access the internet, and it secures their data and applications in the cloud.”

A great part of why these criminal threats succeeded was that organisations had effectively been forced into the cloud by the global response to coronavirus. In some cases, a decision meant to be made carefully and with consideration, with education and buy-in at every level of a business, was made virtually overnight.

“There’s a haste with which organisations have been forced into digital transformation, a buzzword that a lot of companies have been using for a long time,” said Austin Breathnach, modern workplace security architect at CWSI.

Breathnach noted the difficulty with security personal devices, in particular, used by remote workers.

“A lot of people don’t have the same protection they had previously, being in the workplace on their work machine, that can’t communicate outside that building. Now we’re in a situation where people are using their personal devices. Some companies have done a really good job to enable people to transition smoothly, but now I think it’s probably the right time to think about the cost.”

How to address these risks? It’s never too late to draw up a plan. Heraty listed the features to look for in a cloud security solution.

“It needs to block threats early, and stop malware spreading to the network or endpoints. This helps decrease time spent remediating infections. It should enable more secure cloud use, and help improve security without impacting end-user productivity, and it should extend protection, eliminating blindspots and securing users anywhere they access the internet.”

Post-GDPR, and in a changing climate thanks to the recent overturning of the EU data protection law Privacy Shield (and before it Safe Harbour), Caley believes that people are generally aware of where they can store data and where they can’t store it.

“What they need to do, however, is protect against someone breaking with that decision, and acting on their own. They need to be able to detect any anomalous decisions, which usually lead to a data breach.”

One of the first rules to remember is that you can’t protect what you can’t see; visibility of your data, and a keen awareness of why you’re holding on to the data you have, is the first step to keeping it safe.

“If you don’t know what you have, then you can’t secure it. Then you can’t put the right decisions in place. We provide tools to help customers with visibility, with understanding where their data is, and whether it’s compliant,” said Caley.

Access is another important issue; once you’ve taken stock of all your data, ask who has permission to view it, and use it, and why.

“We’re talking about access control – what’s normal, what’s abnormal, and why the attempts to access this data are happening,” said Breathnach.

“Are they coming from a location you’d expect them to come from? Are they coming at a time that’s normal, too, or from two different locations at the same time? You can put controls in place to address this, and examine the mechanisms through which users try to access your data. If it’s through an unknown device, or seems abnormal in any other way, then you’ll be alerted.”

For many, the pandemic posed a crisis of access; the shift to remote work meant either losing the use of large amounts of data, or leaving it open to a breach.

“Remote workers will need to access counting systems, CRM systems, email systems, SharePoint data, the list goes on,” said Conway.

“There’s a multiplicity of systems people need access to in their ordinary, day-to-day work, stored in either a public cloud or a private cloud.”

Conway stressed the importance of keeping these systems safe, but also keeping access measures relatively simple, so that employees can follow them.

“You need to streamline that experience, making it simpler but also more secure. That’s the challenge; that’s what organisations are trying to get out of their digital transformation.”

Authentication, the process of verifying user identity, poses another challenge. “We’re seeing a trend for single sign-on applications,” said Conway, “which allow you to log on once, in a seamless way, through all the applications you use, cloud-based or otherwise.”

These measures can be increased, or scaled back according to your organisation’s needs, based on an assessment of the risks and your security posture. Conway said, “It’s as easy or as complex a job as you want it to be, depending on your organisation’s priorities. Ordinary authentication is relatively straightforward; we use multi-factor authentication all the time. A password manager on your phone and on your laptop will also give you keys to your applications and cloud-based apps.”

Conway advised choosing simple, straightforward measures which are easy to practise, and easy to understand.

“The more complex the organisation, the more complex the scenario needs to be. But you also need to minimise the number of times people have to reset their passwords – all those cumbersome, challenging things that end up creating added costs. If you can make life easy for them, and streamlined, you’re a lot better off; when things are cumbersome, they become inherently less secure.”

In recent years, perhaps the most talked-about development to cloud services has been automation. Already playing a significant role in how cloud services operate, it’s especially useful when applied to security.

“Automation can block threats earlier – the approach is ‘seen once, block everywhere’. This reduces time spent remediating infections, so you can then use insights to predict what might happen next,” said Heraty.

Automation also powers high-security cloud use. “It improves security while boosting end user productivity,” said Heraty. “This trend is going to continue – our own latest launch, Cisco SecureX, is a cloud-native, built-in platform experience that connects our entire portfolio with our customer’s infrastructure.”

In addition to its vigilance, and the potential to ‘learn’ from insights, cloud automation can help address perhaps the greatest security risk of all, the cloud’s human user. This is an area where robots stealing jobs might just be for the best.

“I think automation is absolutely key,” said Caley, “because it doesn’t just standardise everything, it eliminates human error from the process. This makes it inherently much more secure. The only risk, then, is with configuring it in the beginning; if you don’t get that right, you’re creating more security issues at scale.”

For this reason, it’s also worth considering bringing in a consultant, to get your cloud right the first time around, and to audit it for errors and gaps in security.

“What are the advantages to engaging with CWSI?” asked Breathnach. “We’re a security company – that’s our niche. We look at the transition a company has made, then we go in and assess any risks they’ve introduced. What processes are they missing? What are the risks, and how can we mitigate against them? We create a roadmap for the entire process.”

Even if you’re starting from scratch, or overhauling your existing cloud completely, remember it’s not too late; you can make the most of your cloud, while building the overall resilience of your business by protecting your data.

Heraty listed three key needs that Cisco is helping its customers to fulfil: “The first is, ‘help me extend my network to the cloud’.” This might be a question of simplifying a network of multiple clouds, and bringing the same level of security across every domain.

“The second is ‘help me secure apps, data and users’.” Customers should be able to connect securely to any application, on any device, anywhere.

“The third is, ‘manage my apps and workloads’ – customers need complete business visibility, agility, compliance and cost control.” Cloud use will increase visibility, and this will likely help streamline your costs, but it requires the right tools and the right implementation.

Once the ideal system is in place, Breathnach advised monthly security reviews at a minimum, with additional monitoring solutions in place. “That’s an area that’s really gaining a lot of traction at the moment,” he said, “because the tools are becoming more accessible than they were previously.”

Ultimately, it all comes down to a quality formally known as ‘risk tolerance’ – the degree of uncertainty you’re willing to endure.

“With the tools that are available now as a service, and the cloud solutions, the visibility is there,” Breathnach said.

Automation and smoothly functioning security solutions will also free up your employees’ time for more sophisticated tasks: “You can transition your IT guys away from a position where they might have spent a lot of time producing devices and getting them ready.”

Ultimately, your system will be more efficient, and your (human) staff will be happier: “You can remove those tedious tasks and place them in more high-value positions, where they’re looking at environments and threats.”

Ask not what your cloud can do for you

One of the biggest mistakes people make when it comes to cloud security is failing to ask questions. Angela Madden, managing director of Rits, said that basic errors and omissions are often what lead to serious problems, later on.

“This is where the big threats are, and where people are getting caught out,” said Madden. “They forget to test the security and the controls, especially with online portals and applications. They’re also still resorting to single-factor authentication for user ID and password. At this stage, multi-factor authentication is the norm.”

Due diligence, or lack thereof, is another issue: many organisations don’t know precisely where their data is stored, while the GDPR demands that it’s kept somewhere in Europe. It’s a situation that can work for only so long; the moment one mistake is made, the company and its disorganised data will inevitably attract a lot more scrutiny, and potentially fines.

“People aren’t actually checking the security of their cloud,” Madden added. “There might be a privacy policy included at the bottom of the webpage, but that’s not enough. They’re not doing annual pen-tests. The lack of due diligence is baffling, because they often end up being attacked and don’t even know the security controls for the cloud services they’re using.”

Madden advised organisations to ask questions of their cloud providers, and to ask for proof of the effectiveness of their security measures.

“It’s not about just expecting things to be fine. You need to factor in risk, and security. Checking security is not rocket science; it’s about asking basic questions. Depending on the reply, you’ll either see a red flag, or you’ll know you can trust them. Don’t take them at their word, if they come up with an excuse. Don’t be naive.”

Share this post

Related Stories

Security watch: This is the end(point)

Covid-19 exposes cracks in contact centre services

Connected Ian Campbell 3 days ago