1 year ago


cloud security UNCLOUDED

cloud security UNCLOUDED THINKING WITH THE FINANCIAL PENALTIES AND LOSS OF REPUTATION FACING COMPANIES THAT FALL VICTIM TO A DATA BREACH, MOVING YOUR PRIVATE DATA TO AN EXTERNAL PROVIDER IS EVEN MORE CHALLENGING It's a given that a well-established cloud computing vendor will ensure they have the latest sophisticated security systems in place to defend against the threats that any business might now face. But how does any organisation know which vendor to entrust its priceless data to? What are the criteria they should use to establish the credentials of those that come courting you? And how do they spot the ones that will most likely fail them? As Piers Wilson, head of product management at Huntsman Security, points out, Clouds come in many different shapes and sizes. "But despite their undoubted business and IT benefits, security still tops the list of barriers to adoption. These concerns frequently revolve around the multi-tenancy nature of many cloud set-ups. Can you be sure your sensitive customer data and/or IP is protected from the virtual machines (VMs) of other tenants, some of whom may be competitors? Is your supplier certified to comply with relevant industry standards and regulations like PCI DSS and ISO 27001?" These are all valid concerns, of course, especially in a world where the means to launch successful attacks in the cloud have been democratised, thanks to tools and knowledge widely traded on the dark web, he adds. "Those who try to 'shoehorn' traditional security products and techniques into their cloud environments are doomed to fail - leaving gaps which the bad guys are only too willing and able to exploit. "The reality is that, when it comes to the cloud, you can't outsource accountability. You need to be proactive about vetting your provider, understanding what security controls they have in place, and where and how data is stored at all times. But, most importantly, you need to work out what protections you're expected to contribute to keep key data and systems safe from harm. Central to your plans should be reducing the attackers' dwell time - how long they're allowed to roam inside your systems without detection - which currently stands at a 14 computing security July/August 2017 @CSMagAndAwards

cloud security whopping 146 days. Threat intelligence needs to be consolidated in one place to be genuinely useful. And it must be able to baseline what's normal, in order to better spot unusual behaviour that could indicate a breach. "Applied in the right way, machine learning can help by automatically prioritising only the most ESSENTIAL CRITERIA With the wave of digital transformation sweeping over enterprise and industry, business is revelling in the efficiency and added value gained from cloud computing. However, with these benefits comes the tricky question of how to secure access to data on these scalable, remote and flexible platforms, argues Ofer Amitai, CEO & co-founder, Portnox. "Whether your business uses a public, private or hybrid cloud environment, there are some essential security criteria to be aware of when choosing a cloud vendor. There are numerous benefits of taking onpremise IT functions off-premise and up t o the cloud - such as cutting costs, maintenance efforts and upgrades - but a major downside is the lack of control, and therefore visibility, of the network and who is accessing it. If a cloud vendor isn't willing to provide visibility into your network, how can your IT team be sure that they're covered against potential cyber threats?" Another important criterion is compliance, he adds. Who is responsible for ensuring security compliance or industry-specific standards (such as HIPAA in healthcare and PCI-DDS in online retail)? "Asking to see a cloud vendor's compliance certificates is a good place to start. If they can't guarantee compliance, steer clear." LEAKS AND BREACHES Cloud computing benefits the mobile workforce and remote access, but proper authentication and authorisation of users/endpoints accessing the corporate database is essential to prevent data leakage and potential breaches. "Multi-factor verification together with logical and physical access controls are your best bets for cloud environments," says Amitai. "If the vendor expresses hesitancy about allowing your organisation to apply its own network access controls, you should be worried about their basic level of security. Another important criterion to verify is the vendor's data leak prevention (DLP) protocols so that, in case of a breach, the responsibility for remediation is shared between parties." Finally, an emerging challenge for cloud computing security is 'Shadow IT' or the unauthorised use of cloud applications, platforms and services. "Some of these platforms may expose corporate information, so it's important to have strict network security protocols and network visibility tools in place," he points out. "More than this, organisations should be upfront with cloud computing/security providers about the extent of Shadow IT to fairly divvy up security responsibilities. To conclude, while it's worthwhile to embrace the benefits of cloud computing, don't let enthusiasm for cloud solutions overwhelm your network security priorities." SOFT UNDERBELLY According to Marc Sollars, CTO at Teneo, organisations often focus on the network perimeter to prevent access to more vulnerable elements within it, despite cyberattacks being commonplace. "Essentially, they're trying to protect a soft interior with a hard shell, like an armadillo. But it's beyond doubt that criminals can easily penetrate the network and view what's inside it. "US cyber security officials have noted rising numbers of attacks that penetrate industrial control systems, as the Internet of Things is adopted; just one example of organisations that are embracing new technologies and exposing soft network 'underbellies'. Networks are no longer armadillos with hard Brian Chappell, BeyondTrust: you cannot abdicate responsibility or pass it on to someone else. Ofer Amitai, Portnox: if a cloud vendor can't guarantee compliance, steer clear. @CSMagAndAwards July/August 2017 computing security 15