Designing the idiots out of cloud security
27 April 2018 | Natalie Bannerman
Over 60% of organisations in Europe and the Middle East admitted to being victims of cyber-attacks and, according to Alex Hilton, CEO of Cloud Industry Forum, a further 26% are waiting or expecting them to happen.
Speaking on a panel discussing multi-cloud security, Hilton was joined by Adrian Roberts, director of global cloud solution architecture at VMware, Edward Rowley, SE manager of EMEA at Proofpoint, James Brown, global vice president of technology solutions at Alert Logic, and Sean McAvan, managing director of Navisite Europe.
Infrastructure, applications and people
A huge 56% of organisations say there is a lack of skilled personnel when it comes to cloud security, something that the panel members said needs to remedied.
“If you don’t know how to manage and how to architect security into your application, no matter where you host them, if you haven’t got the skills, you’re going to run into problems,” said Roberts.
“There are a lot of the concerns around the threats delivered via email to individuals. They used to say ‘you can’t catch stupid’, but that’s no longer the case,” explained Rowley.
“I think one of things cloud has done is democratise access to technology,” added McAvan. “Automated threat prevention systems that were only really available to enterprises a few years ago are now available to most organisations. It now becomes a question of knitting those skills and tools together so that you design security into platforms from the start.”
“There is a skills gap, but I think it’s slightly more nuanced than that sometimes,” chimed in Brown. “A lot of our security professionals come from a networking background, so you can construct a very secure network environment in the cloud – but when you open port 80 and let web traffic through to your server, then what? So I just think that skills required are changing and it’s moving much more into applications security.”
Cloud-based technology allows organisations to get up and running very quickly “but that same technology also allows criminal gangs to get up and running very quickly”, explains Rowley.
But overall he says it varies from very widespread targeting to very precise targeting built on lots of online research, sometimes specified by things like language and job role.
“Millennials in particular have never been so free to give their information away, but you can’t patch stupid. I think evolution will generate more idiots than technology can catch up with,” joked Roberts. Brown on the other hand doesn’t think any one group is more susceptible than another.
But what our technology has done is “reduce the gap between a criminal producing the attack and then actually monetising it”. He added that cryptocurrencies and specifically cryptocurrency mining is the quickest way to do that.
Complexities of multi-cloud environments
“I think organisations use multi-cloud to achieve security, so to classify different types of applications and data on the most relevant and secure platform available,” said McAvan.
“The complication comes because you need to deliver a holistic end-to-end security regime across all those platforms, and to do that you need tools that will connect to all those platforms in order to be able to manage security across all those platforms, and you also need people who have the skills to manage across all those different platforms.”
But there is hope, said Rowley, that – with the level of automation that exists in the cloud – that in the future there will be ways to make things easier to manage.
Backing up for business continuity
We now live in an age where we instinctively back things up to the cloud – everything from the photos on our iPhone to the remote access logins we use for work – but Brown pointed out a crucial flaw that many overlook in that plan, although he thinks backing up in the cloud has some definite advantages if you’re still moving things off-site.
That same agility, automation and scale, you have in that cloud environment can also go wrong. “In the cloud you can automate failure at scale,” said Brown. “You just need to run the script incorrectly and you could have deleted a year’s worth of backups.”
But for those of you clutching at your pearls, fearing for the safety of your data in the cloud, Brown said that, although we do see routine attacks in the cloud environment, it is secure. The risk is being on the internet as a whole.
“If you put something online, and open an IP address – whether is in a cloud environment or on a server underneath your desktop – someone will take a poke at it within a few hours.”