Security Watch: Get off my cloud
Cloud services are booming as WFH continues, but security still poses a challenge, writes Roisin Kiberd
The term cloud computing is far from new. Researchers have traced it back to 1996, to internal documents at the offices of Compaq, referring to “cloud computing-enabled applications”.
Others argue that it’s older still; as early as 1977, at Arpanet, the US government’s predecessor to the internet, computer scientists used a cloud symbol as shorthand for networks of computing equipment.
Several decades later, we’re still coming to terms with cloud computing and struggling to understand its complexities and risks. ‘Cloud’ is used as a shorthand; while few might really understand what it means, it’s synonymous with convenience, agility and ubiquity.
Some even argue that the term should be abandoned, because it conjures a sense of the internet as mysterious and intangible, instead of as something grounded in physical infrastructure, wires and data centres and human responsibilities. One thing we can all agree on, however, is that cloud use is increasing; the last 18 months increased digitisation like never before, with businesses struggling to move entirely online while avoiding a wave of highly public cyberattacks.
“The advent of the term cloud named something that was already there,” Donal Munnelly, security proposition manager at BT Ireland, said.
“That’s something people sometimes forget: we think of ‘cloud’ as the big providers like Amazon, but there are also smaller local options.”
BT’s services include cloud phones and contact centres, especially popular since the pandemic began, but also cloud storage, cloud applications and state-of-the-art data centres with global capabilities.
“We’ve been doing cloud since before it was even called cloud; we’ve been a data centre for over 20 years,” Munnelly said.
“We’ve been providing what people would now call private cloud to companies for all that time . . . We can provide cloud services on a global scale. If you’re a small Irish customer we can provide services for you, but we can also do the same if you’re a multinational. We have worldwide reach and a worldwide network of data centres and connectivity.”
It’s important to distinguish between public and private cloud: the former is delivered via the internet, and is shared with other organisations, while the latter resides inside the organisation, is only used by them, and is kept behind a firewall. ‘Edge’ locations, ie hardware ‘entry points’, such as IoT devices, are not part of the cloud but connect to it, controlling data flow between networks.
Marc O’Regan, chief technology officer of Dell Technologies, Ireland, said that customers tend to automatically assume a cloud will be public, when there are also private and hybrid options.
“With cloud, at an industry level, we have this definition of what cloud is, versus what people think cloud is,” O’Regan said.
“As we begin to work from anywhere, we’re opening up a new arena at the cutting edge. As we move towards edge – to people’s homes, to remote locations – we want to take services there, and make those services integral. These aren’t public or private cloud, but edge locations – however, they’re still part of the cloud ecosystem.”
Much like the term perimeter, then, cloud is constantly shifting, and each business will have its own unique experience. This makes securing the cloud a complex task. Cloud customers often wrongly assume that responsibility for security rests with the host company. They’ll also often, dangerously assume that these services come with security baked in.
“Both the controller and processor are directly liable for fines for breaches of the GDPR,” Emerald de Leeuw, a data protection and digital ethics specialist, and global head of privacy at Logitech, said.
“This means that both the company that uses cloud services providers, and the CSPs can be held liable for breaches.”
Threats include ransomware, DDoS, fraudulent logins and even fraudulent apps; criminals can gain a foothold in your cloud with a single mistaken click.
“One of the main advantages of cloud is that it can be accessible from wherever you want it to be,” Jacky Fox, managing director of Accenture Security, Ireland, said.
“But if the access control is not configured properly, this can include criminals. As cloud systems become more complex and interdependent, the complexity of tuning and operating these systems can become a risk to availability and performance. Customers often wrongly presume that cloud security controls that are available to use are fully operational, which is not often the case.”
Sudden online migration
Covid-19 dramatically changed how businesses use cloud, accelerating a migration online which was already taking place, but which switched overnight from optional to obligatory.
“I think the attack surface just became greater, as there is much more online activity now,” de Leeuw said.
“The real world took a back seat for many and we all spent time working remotely and found ways to socialise online and found solace in hobbies such as gaming.”
This rush left many cloud users vulnerable to misconfiguration, bad planning and attacks, but it also inspired business leaders to see the value in cloud, and to take its security more seriously. After numerous high-profile security events we’ve seen playing out in the public sphere, security is becoming a boardroom issue. Chief executives are asking what will happen if their organisations fall victim to attacks. Chief security officers are in the spotlight and need to come up with a plan.
“It’s not a case of finding one thing that runs well, it’s definitely a journey. People are starting to realise what cloud can do for them. This is underlined by how in March 2020, the thing people had the least trouble with was accessing cloud applications,” Loman McCaffrey, head of cloud at Integrity360, said.
“There’s been a jump forward in cloud use, and now that people see it as key to the future of their business portfolio, they’re looking to secure it, the way they traditionally secured their own perimeter.”
At the time of writing, Tánaiste Leo Varadkar announced a “staggered and phased return to the office”, with anything resembling a full return delayed until spring 2022. While working from home and hybrid work continue, it’s crucial for organisations to take stock of how their employees are working day to day, and the risks that are involved.
“If you are using your laptop at home off-network the chances of being eavesdropped are low, as it would be complex. If you send your data across a public network to the cloud, with no controls, the chances are high, but you can reduce the potential impact with encryption and access controls,” Fox said.
“It’s a balancing act between usability and security, which gets more complex the larger the number of components you use to provide the service.”
The risk of shadow IT
Shadow IT, the term used to describe IT systems deployed to improve or patch over shortcomings of existing systems without the knowledge of the organisation’s IT department, poses a rising threat by placing data beyond its knowledge or control.
“Shadow IT has become a big concern for us in the security industry. If one of your users decides that a particular cloud service is really good for a certain process, and they want to make it more portable for mobile users, it’s very easy to spin that up, send it to all the employees, and get them onboarded and using it without the IT department being involved,” Munnelly said.
“Because the cloud is so usable, and the barriers to accessing it are low, you don’t need to get experts involved to roll out an application.” For this reason, Munnelly advised businesses at the start of this process to prioritise visibility: “Your starting point is asking what you have, and where it is, and if you can see it clearly.”
Similarly, for anyone starting out, McCaffrey advised businesses to play to their strengths by using what they already have.
“There’s a nervousness around cloud. People don’t have full confidence in their own ability to secure it. They’re trying to secure a much wider landscape. If you’re running some workloads on cloud, some on-premise, some as a SaaS-based offering, then you have more environment to secure, requiring different skill sets. We’re seeing more of that, but it’s not necessarily more complex,” he said.
“You need to think in terms of using the smallest number of tools to address these issues, the simplest way to get an overall view of these environments.”
Companies like Integrity360 are able to walk customers through the process and offer scalable, customisable options to address these issues: “This brings agility; customers can respond quickly and spin up new workloads in the cloud without worrying about leaving gaps.”
Specific industries are vulnerable in specific ways; devastating, highly public ransomware attacks have lately targeted universities and hospitals, while financial service providers are vulnerable to credential and identity theft and state-sponsored attacks.
“You need to understand your industry and the specific threats that come with it, and coordinate your security spending accordingly. We’ve seen a massive rise in ransomware in manufacturing. In manufacturing, you have two different sets of technology; you have the IT that runs in the office, and the OT, that runs all the manufacturing equipment and output. OT is typically not as secure as IT, which creates a vector that hackers can exploit,” Munnelly said.
“Industrial equipment is by nature expensive, and will very likely be out of date, because they want to get as much value as possible from it before replacing it. Usually they’re old and are hooked up to a modem, and they provide the perfect point hackers can access through.”
Held to ransom
A report published by Microsoft last year indicated that cybercriminals can move from initial entry to ransoming entire networks in under 45 minutes. In organisations and sectors requiring a large number of endpoints (ie devices), the attack surface is vastly increased.
O’Regan stressed the importance of securing edge devices: “Businesses have been using edge for quite some time. Look at any vertical location you’ll find edge there – in autonomous vehicles, in smart cities, traffic systems. Those are what we call far edge. Then there’s the near-edge; hospitals, ICU units and triage,” Munnelly said.
“Delivering services to them, and aggregating those services, involves near edge technologies. In factories, there are tens of discrete machine lines across the location, with millions and millions of data points. Water treatment plants have pumps and actuators, PLCs and all these other things in factories and utility locations. All of that is edge.”
In such a climate, and with so much data moving across networks from diverse endpoints into a cloud, experts advise a “security by design” approach.
“Scalability is the real benefit with cloud computing. If you’re doing it in such a way that the security isn’t there, or is there, but is a barrier to other things happening, then you’ve missed the opportunity. Organisations have moved away from the ”cloud first“ approach, where they don’t care where it is, they just need to be seen to be in the cloud,” McCaffrey said.
“They’re now starting to see the benefits that cloud computing brings, and they’re allowing security the chance to be first. If you allow security by design, that brings agility rather than stifling it, then you’re on the right track.”
Now is a good time to look closely at your new working arrangements (if not the new normal – not quite yet – then perhaps a post-normal), and to work out how security and productivity can sit side by side. Fox made the point that it’s possible to overdo cloud security measures; solutions need to fit your business, rather than making your business change to suit them.
“Too many controls can impact the user experience. Introducing issues like latency or cumbersome user journeys that discourage usage, or encourage people to use workarounds breaking policy-based controls, like taking photos of confidential information on screens.”
Finding specifically cloud-friendly versions of protection technologies will help with this: “The risks associated with cloud are often different to the risks from on-premise services, so it’s not always a like-for-like. Sometimes it makes sense to use controls provided by the cloud service provider, which can be fast to implement, but may not provide the same level of customisation. It’s all a balance.”
Similarly, Munnelly made the case for what BT calls the human firewall; awareness training, regular security testing and good communication.
“It’s still a case of back to basics. There are a lot of employees out there forgetting to tell employees what to do when they receive scam emails,” he said.
“The human firewall means asking employees to pause when they receive messages like this, to take the time and consider it before clicking on a link.”
As ever, getting the basics right will make the biggest difference: “From a risk point of view, it’s the first step. Then you need to secure your network and cloud services.”
Knowing the consequences of a data breach
There’s no clear way of predicting what might happen if you experience a data breach; under the GDPR (general data protection regulation), an organisation can be fined up to €20 million, or 4 per cent of its entire global turnover for noncompliance. The number of fines issued doubled between January 2020 and January 2021, rising to a startling €285 million, with an average 331 data breaches reported per day in 2020.
“The consequences depend on the type of breach, the duration, the scope and the likelihood of harm to those impacted by the breach,” Emerald de Leeuw, global head of privacy at Logitech, said.
“There can be serious financial consequences and these can be multifaceted. Think about things like: operational downtime, fines, legal consequences, damages to the brand and reputation. It can be hard to recover from some of those, particularly the loss of trust that companies might experience.”
It’s difficult to comprehend the damage data breaches can create on the side of the individuals whose data is compromised; the consequences can be lasting, with victims being blackmailed, or becoming the targets of further cyberattacks in turn.
“It could be anything from identity theft, financial loss, fraud and psychological harms such as distress or damage to someone’s reputation,” de Leeuw said.
“Even if we don’t run a legal analysis on this, I think it’s fair to say that it feels really unsettling to know someone else has your private information and you will likely not entrust the organisation with your data in the future.”
In such situations, having prepared and made a plan will serve you well, both practically and in the eyes of the Data Protection Commissioner.
“In terms of actions, have a plan and do a table-top exercise. It should also allow for some actions to be taken in tandem,” de Leeuw said.
“With any type of incident, you will need to act quickly and ensure everyone involved knows what their role is and can be mobilised rapidly.”