Visibility and control across applications and workloads are expected to get worse as most organisations race to move to the cloud amid the growing scale and complexity of cloud attacks, a senior security expert said.
“Firms are storing data in more than one environment and due to that, the hybrid IT environment is challenging existing security standards and creating complexity while making the existing legacy cyber defence tools and processes obsolete,” Sunil Varkey, Chief Technology Officer and Security Strategist for Middle East, Africa and Eastern Europe at Symantec, told TechRadar Middle East.
“Organisations lost visibility and control of the environment completely by moving to the multi-tenanted cloud providers and heterogeneous environment of the cloud. They cannot manage the identity and authentication of the organisation properly due to the highly fragmented set of security and compliance controls,” he said.
Fundamental of security
He said the fundamental of security is that firms must have visibility and control of the environment they operate in.
“Traditionally, we worked on a protrust model where we know where the data and security are stored and which devices and IT is accessing it, and, moreover, we had control over it. As we moved to the cloud, we lost all these aspects. Earlier, the control was under the CIO or an IT manager where the infrastructures used to run,” he said.
Moreover, he said, businesses run their own IT, users have their own preferences or choices in apps, and CIOs run their own apps, so the cloud is extremely decentralised.
“So, accountability is not getting established. The control over the environment is lost and that is why the number of attacks in the cloud is also increasing,” he said.
CIOs are not able to get a firmer grip on the cloud apps used by their organisations as any department can use a public cloud app service, he said.
Unless CIOs get a firmer grip on the apps, he said, it will lead to “unwelcome surprises” in both the scale of the problem and how threats enter the environment.
When you look at security in the cloud, he said there are four components:
• Security while accessing the cloud
• Security of apps and information that are in the cloud
• Security of the cloud
• Proper governance and accountability
Quality skillset is a pressing challenge
So, who is the actual owner of the data in the cloud? Is it the developer who pushed the apps to the cloud or the entity?
Varkey said that it is a shared responsibility, right from the senior management to the cloud providers.
“There are centralised solutions for the cloud to get visibility and control but the quality skillset is a pressing challenge. There is no traditional way to do that but there are automated solutions and analytics services, including AI and machine learning, to help identify and prioritise risky behaviours, identify malicious users and escalate crucial security alerts,” he said.
Lack of technology is not the hurdle, and it is not a costly affair either, he added.
Provisionally, he said, there is a way of encrypting the data in the cloud, but it is not widely accepted. “Ideally, it is required as we have unauthorised access in the cloud. The majority of attacks are happening due to the overexposure of data in the cloud. The question is should we do encryption or masking. There are different ways depending on the environment and the regulatory compliance. To begin encryption, you need to know what is the data you are talking about and where it is being stored,” he said.
Insider threats are becoming an issue
Organisations must realign and reinvent their security programs for the new era, he said, as external bad actors are not the only cause of security incidents and data breaches; the root cause of an attack in the cloud could also be an insider.
“Insider threats are becoming an issue; it is purely accidental and not malicious. Malware is another big issue in the cloud,” he said.
According to a survey conducted by Ponemon Institute in the Middle East, the most significant threats to the exposure of sensitive or confidential data are employee mistakes and temporary or contract workers.
Immature security practices such as weak passwords, using personal devices for work and shared single credentials are creating serious gaps in an organisation, he said, adding that users need to take ownership of avoiding bad practices in data hygiene.
“Organisations need to redesign their security architectures and policies while embracing automation in a bid to face the challenges posed by the evolving cloud threats,” Varkey said.