The cloud: a cybersecurity catalyst
More than just a tech trend, for the last five years, cloud computing has become a catalyst for digital transformation which is now reaching maturity. Nevertheless, the adoption of this technology is casting threats over the security of hosted data. Resistance from security managers persists. But the cloud could well be more secure than traditional systems, provided that good practices are opted for.
Cloud computing: the new norm for information systems
Cloud market explodes by +20% in 2018
The cloud market is currently surpassing all predictions. The Gartner barometer predicts global market growth of more than 20% for 2018 – a pace that should endure.
The cloud is about to become the obvious choice for storage, recovery and even archiving strategies. Companies have never spent so much on cloud computing technologies as they have during these last two to three years, with particular priority given to Cloud Public or Multi-Cloud environments.
The advantages of the cloud for businesses
By providing businesses with a low cost, flexible environment, the cloud can offer the best response to the growing needs associated with the democratisation of collaborative working, the explosion of big data or easier access.
For more mature companies, serverless approaches will enable them to use the processing power offered by the cloud alone. Eventually, the democratisation of the cloud will lead to simplified information systems and simplified management.
Security as the top challenge to the cloud for businesses
Regardless, there continues to be several hurdles standing in the way of cloud adoption. Security remains the top concern for new-comers. According to the latest RightScale report in 2018, 77% of companies consider security as being a challenge to the cloud. This rises to 85% for new-comers to the cloud. In addition, heterogeneous environments related to integrating the cloud are complex to operate in terms of IT, as they create new vulnerable zones. Recent news confirms that these vulnerabilities should not be taken lightly.
Confront new risks
Security hits the headlines
Yahoo, Instagram, LinkedIn and more recently British Airways; all these companies have made the headlines following data violations. The main providers of Cloud Public have not been spared either, leading them to continually revise and improve their cloud infrastructures.
Data hostages – a fearful threat for companies
However, the main source of concern for companies is still ransomware, the malware that will take your data hostage. A Checkpoint survey has shown that 80% of security professionals are concerned about the phenomenon. As a matter of fact, their companies often have no other choice than to pay the ransom to recover their data. Ransomware should continue to increase, targeting cloud-based storage solutions in particular.
The hackers’ target of predilection
But why does the cloud in particular seem to be targeted by hackers? Simply, because they can access a high volume of (sometimes sensitive) data, located in one single place.
The data allows hackers to lay their hands on a lot of money in a short space of time. It carries a higher risk in comparison to traditional information systems because hackers can take advantage of an IT failure or a human error in order to hack a far higher volume of data than ever before.
With the cloud, classic security measures are no longer sufficient. They are not suited to this new technology which makes easy work for hackers.
Using the annual Cloud Security Alliance report (The Treacherous 12, Top Threats to Cloud Computing), we can draw up the main threat categories:
- Threats to data: the leak, loss, violation or governance of data are a nightmare for IT Directors or private individuals.
- Threats to identify theft: with the cloud, interconnecting identity systems reinforce the exposure of identification data.
- Threats to unsecured APIs: these interfaces allow clients to interact with cloud services
- Threats to availability: Ddos type attacks (distributed denial-of-service) are drawing media attention. These are even appearing on the dark web (DDos as-a-service)!
- Threats to cloud technology: these are potential failures in the isolation between clients sharing the same infrastructures, platforms or applications.
Traditional threats: these are all the APTs, application vulnerabilities or systems that are identical in traditional information systems (such as Spectre and Meltdown). Most of these threats are not new and can be found in traditional infrastructures, but exposing cloud environments will increase the level of risk.
Human rather than technological failures
Beyond technological risks, it is the lack of adequate skills, most particularly in matters of security, that remains one of the cloud’s biggest threats.
Generally, security breaches do not come from providers but rather from users who fail to set up adequate measures to protect their data, either out of negligence or due to a lack of information. By 2020, Gartner predicts that 95% of security breaches will be due to client errors!
So, is the cloud a no man’s land for security? Perhaps! But applying good practice can reduce the threat level and make it manageable for companies.
Good security practices to guide Cloud adoption
Establish a Cloud strategy company wide
To limit the risk of a cyber attack, it is crucial to set up a global cloud strategy, supported by all decision-makers within the company and not just senior management, the IT Director and security. It must include a risk-evaluation based-approach:
- What threats do we want to be protected from?
- What services or data can we put in the cloud (or not)?
- What is the level of sensitivity of the data or service?
- What are the potential risks associated with cloud services?
- What regulatory or compliancy restrictions must I abide by?
- How can I manage continuity or resume operations in case of damage?
The aim of this diagnosis is to bring the right level of security and to adopt a data security approach security rather than focussing on its hosting infrastructure, as was the case for traditional information systems.
Develop a risk and control culture
One of the classic mistakes a new-comer can make is to keep the same security governance model as for traditional infrastructures. Instead it must be adapted, and the sharing of responsibilities will change according to the model of deployment (private, public, etc.) and service (SaaS, PaaS or IaaS).
The governance model(s) that need to be applied must allow cloud providers to be periodically assessed or to extend the company’s security requirements to the cloud.
Fully understanding the impacts of cloud computing on the governance model and developing a risk and control culture must allow the business to get out of old bad habits. The company must change its paradigm and focus its operations on security; a small revolution that has to come from different levels of management but also from all employees who can be trained on these matters regularly, for example.
Towards a democratisation of security with the cloud?
With security being one of the primary concerns for companies wanting to adopt the cloud, providers are going to make it major element of differentiation. Security, then, is becoming their priority. They are constantly improving the security level of their infrastructures and offering security services to their clients: filtering, patch, strong authentication, access control, encryption as well as identity federation management solutions.
These services are available to clients like any other cloud service. But implementing such services would require heavy investments for most companies that have traditional infrastructures. The cloud therefore favours security democratisation.
This entire security culture will mean that they can improve their level of security. Gartner predicts that more than 60% of companies implementing suitable security measures will face fewer incidents than with a traditional model. Just like GDPR, the cloud must not be seen as a threat but rather an opportunity to finally put data security at the heart of the strategy.
The cloud, an important opportunity
The cloud is on the verge of receiving its contract of confidence, or trust agreement. Nonetheless, a certain number of vital prerequisites are needed before it can obtain the agreement, namely developing a security-by-design culture, a risk-based approach as well as adapting the governance model.
Whilst there is no such thing as zero risk, proper management will make it possible to seize all development opportunities associated with the cloud and digital transformation.