Am I secure in the cloud?
What is causing South African organisations to step up their focus on IT security?
Increased awareness around cyber security as a result of a variety of high-profile breaches is playing a part. But, there is also the growing concern of risks associated with moving an increasing amount of workload into cloud computing.
This was one of the findings of a recent survey by Fortinet around global enterprise security. Having chatted to 1 800 enterprise IT decision-makers in 16 countries, the IT security firm found the transition to the cloud as part of a company's digital transformation journey was a catalyst for an increased focus on security.
"Some 71% of South African IT security decision-makers believe that cloud security is becoming a growing priority, with 56% of the respondents planning to invest in cloud security in the next 12 months," notes Paul Williams, country manager for southern Africa at Fortinet.
It doesn't help that IT security threats are seemingly everywhere. From virtualisation and hypervisor-based attacks, malicious insiders and phishing attacks, to legal and jurisdictional risks, as well as threats to physical and shared infrastructure, these security threats occur across all verticals and affect businesses of all sizes.
Cloud and securing the data is no longer about the network, but rather around the actual user.Nastassia Finnegan, DRS
For Peter Flischman, lead for Business Development at Contineo Virtual Communications, the threat landscape is constantly evolving, and rather than worry about a select few security concerns or issues (like cloud security), we need to worry about all of them. As a prime example, consider some of the recent ransomware attacks; in the time it takes for the industry to issue a fix, the far-reaching effects of these incidents have already hit the market.
Configure the cloud
Despite this, Neil Cosser, identity and data protection manager for Gemalto Africa, has seen many businesses becoming increasingly worried that in moving to the cloud, they would be making it more difficult for them to protect their data.
Concerned business leaders, however, should not treat cloud security as if it's different from other forms of IT security, as the cloud can be breached using many of the techniques employed to break into more traditional IT infrastructure.
Remember, the cloud is fantastic, but a badly configured cloud is not.Indi Siriniwasa, Trend Micro
Nastassia Finnegan, enterprise sales director at DRS, for instance, says it comes down to managing the user behaviour and access, regardless of what platform is used. Keeping in mind who has access to the platform is important because there's a danger that in focusing on the technology, too little emphasis will go into managing the people using it. "Cloud and securing the data is no longer about the network, but rather around the actual user."
But, even if people's access to the platform is managed well, precautions still need to be put in place to make sure the basic security is there. "Remember, the cloud is fantastic, but a badly configured cloud is not," notes Indi Siriniwasa, VP for Sub-Saharan Africa at Trend Micro.
Cloud needs to be treated the same as your business and has to be secured with real security, such as identity and access management, says Siriniwasa. "Truth is, cloud providers give you the tools to do this for free, but the onus is on the user to secure themselves effectively."
In fact, all attackers need is access to your credentials and it can turn your world upside down if they manage to get this, regardless of the platform.
The dangers ahead
Jeremy Capell, a cyber resilience executive at Internet Solutions and ContinuitySA, and Tim Quintal, a senior product manager for cyber resilience at Internet Solutions, maintain that while most cyber security threats today relate to the traditional security problems, they anticipate that cyber criminals will be much more sophisticated in the coming two to three years, with access to all the latest emerging IT trends.
The pair highlight artificial intelligence (AI) and blockchain as two trends to watch from a cloud security perspective. With AI, in the same way a self-learning robotic car can learn the dimensions of a room after a few hours of bumping into walls and furniture, hackers find their way around anti-virus software by testing different payloads until they get through.
As an example, Capell and Quintal highlight the WannaCry ransomware attack that made headlines last year. It was one of the biggest in recent years, infecting hundreds of thousands of machines in over 150 countries around the world. Sure, patches have been developed to handle WannaCry, but if this malware could self-learn using AI, it could also self-adjust until it found a vulnerability. "The scary thing is that it would only need a small amount of processing power to learn each 'lesson'."
For Capell and Quintal, the emergence of blockchain brings an even more devastating element to the mix. A transaction is completed and balanced across multiple ledgers around the world and then updated. Just imagine if an army of self-learning worms unleashed onto their own blockchain network. They would wreak havoc. Each worm would update lessons onto ledgers and disseminate these to millions of other worms, perpetually. Soon, there would be millions of lessons updating every second, breeding the smartest attack, and no security system exists today that can defend against it.
Cloud security: how to be effective
What you need to know.
Q: What policies and processes should a business have in place to ensure cloud security?
Alessandro Postiglioni, head of IT security, BT in Africa
By understanding both the potential imminent threats - as well as any threats the business may only be faced with in a few years' time - businesses should look at protecting each layer of the endpoint. This would include the network, applications, critical data and identity security, where businesses can then build this out across all their endpoints and business environments.
However, for an endpoint-driven security strategy to be truly effective - and particularly as businesses employ mobile/digital workforce strategies - the following needs to be top of mind:
- Endpoint security needs to be fully integrated into an overall cloud computing/security strategy of the business.
- Have a known common security goal for the business - this reduces the potential risk of dislocation in security processes, which can also create unnecessary vulnerabilities.
- 'Bring together' the beginning, middle and endpoint under a single, central endpoint protection infrastructure and policy enforcement mechanism that does not hamper users, or impact the performance of their machines.
Q: A business' data is actually more secure in the cloud. Do you agree or disagree?
Dragan Petkovic, security product leader ECEMEA at Oracle
It is more secure, but cloud requires both the vendor and customer to implement policies and processes to be more effective when it comes to security.
We have seen a shift in the security landscape and in our customers' needs. Not only do we need to protect our own cloud, but our customers are looking for modern techniques to help them provide consistent security controls across cloud and in on-premises environments. More than ever, coordinated security management is needed.
A recent Oracle survey of 730 IT professionals saw almost two-thirds (63%) of South African respondents agreeing that cloud adoption offers the ability to better meet customer demands, enables greater collaboration, improves scalability and agility. However, concerns over security remain a barrier: 39% feel there are major security issues in moving IT operations and data to the cloud.
Contradicting this, however, nearly half (46%) of South African IT professionals say they believe application security in the cloud is better than previously.
In addition, the research found that, globally, respondents with a higher level of cloud maturity and exposure revealed themselves to be more confident in their cyber security capabilities than companies less ingrained in cloud - 65% rated their cyber threat detection as good to very good. Only 38% of companies with limited cloud exposure rated their cyber threat detection as good to very good.
This article was first published in the April 2018 edition of ITWeb Brainstorm magazine. To read more, go to the Brainstorm website.