The cloud has brought about many benefits for organisations and adoption is understandably increasing. Gartner earlier this year forecast that the worldwide public cloud services market would grow 18% in 2017, whilst Forrester has found that global cloud services revenues totaled $114 billion in 2016, up from $68 billion just two years ago - that's annual growth of 30%. With this huge growth in cloud adoption, effective security is paramount. Recent cyber-attacks have highlighted that organisations across all industries and of all sizes are the target of ongoing attacks.
What is the impact of the cloud in terms of organisational security?
Cloud introduces new security risks to organisations because publicly exposed APIs are the underlying infrastructure that makes the cloud and cloud applications run. Unlike the HTTP(S) view of websites, which is largely choreographed for user experience and constrained in what is exposed or exploitable, APIs are built with fully exposed controls to support orchestration, management and automated access to the environment and applications. APIs provide a rich target for exploitation and add another dimension to the challenge of expanding boundaries, one that was not seen in traditional on-premises enterprise perimeters.
Is security in the modern digital world like an open city, as opposed to traditional corporate computing, which is more like a castle?
Attackers will take the path of least resistance, and employees - and IT in many instances - will unwittingly help them. There will always be employees who will fall prey to phishing, surf exploited sites, or use free Wi-Fi from a coffee shop to open the door for the attacker. Also, common infrastructure weaknesses are the 'exploit of choice' to land a beachhead within an organisation, such as using an SQL query to find cached credentials, or finding a publicly exposed unpatched server to exploit. And then there is always the fallback to first-initial-plus-last-name with password1234.
How do we stop hackers from taking over the identities of victims in order to gain access to systems? Any real-life examples that demonstrate this?
There is no way to prevent intrusion through exploiting identity. The best that can be done is to slow attackers down by using good identity hygiene: implementing multi-factor authentication, using longer passphrases over passwords, deprecating expired employee accounts and monitoring access logs. However, the industry is making improvements in identity around trust by using multi-context analysis strategies that include time of access, country of origin, host computer in use, and other behavioural analyses to add weight to identity.
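As an added illustration of the multi-context analysis just described (example code written for this page, not from the article or any vendor product), the following Python scores each successful login against a hypothetical per-user baseline of usual countries, enrolled hosts and working hours, and also flags an account with no active baseline, which is the case a deprecated account should fall into. The log format, the baseline structure, the sample log lines and the threshold are all assumptions constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample access-log lines (not from the article): user, UTC time, country, host, outcome
SAMPLE_LOG = """\
alice 2017-06-12T09:14:03Z GB LAPTOP-A1 success
alice 2017-06-13T03:02:57Z RU WIN-7Q2X failure
alice 2017-06-13T03:03:20Z RU WIN-7Q2X success
bob 2017-06-13T10:05:00Z GB DESK-B7 success
carol 2017-06-13T11:30:00Z GB DESK-C2 success
"""

# Hypothetical per-user baseline (usual countries, enrolled hosts, UTC hours); 'carol' is deliberately absent
BASELINE = {
    "alice": {"countries": {"GB"}, "hosts": {"LAPTOP-A1"}, "hours": range(7, 20)},
    "bob": {"countries": {"GB"}, "hosts": {"DESK-B7"}, "hours": range(7, 20)},
}
LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]{2}) (\S+) (success|failure)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())  # None for malformed lines
    if not m:
        return None
    user, ts, country, host, result = m.groups()
    return {"user": user, "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "country": country, "host": host, "result": result}

def score_event(event, baseline):
    # Each contextual mismatch adds weight; an account with no baseline is treated as high risk
    if baseline is None:
        return 3, ["no active baseline for account"]
    reasons = []
    if event["country"] not in baseline["countries"]:
        reasons.append("unusual country")
    if event["host"] not in baseline["hosts"]:
        reasons.append("unenrolled host")
    if event["time"].hour not in baseline["hours"]:
        reasons.append("outside usual hours")
    return len(reasons), reasons

def flag_logins(log_text, baselines, threshold=2):
    # Return (user, timestamp, reasons) for successful logins whose score reaches the threshold
    flagged = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue
        score, reasons = score_event(ev, baselines.get(ev["user"]))
        if score >= threshold:
            flagged.append((ev["user"], ev["time"].isoformat(), reasons))
    return flagged
```

Running `flag_logins(SAMPLE_LOG, BASELINE)` surfaces alice's night-time login from an unknown host abroad and carol's login on an account with no baseline, while bob's routine login is left alone.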
At the end of the day, organisations need to put in place robust procedures and make employees accountable for keeping networks safe and secure. The cloud introduces new security risks for organisations that will need to be managed effectively by the CISO; failure to do so could be very costly to an organisation both financially and reputationally. Recent cyber-attacks that generated headlines around the world - think WannaCry and Petya - are notable examples of this.
With GDPR coming into force across Europe in 2018, the penalties for non-compliance are about to go up, making cloud security all the more important. In late 2016 the Payment Card Industry Security Standards Council (PCI SSC) warned that UK businesses could face up to £122bn in penalties for data breaches when the legislation comes into force.
The increased penalties - fines for groups of companies of up to €20m or 4% of annual worldwide turnover, whichever is greater - should focus the minds of executives on the challenges of implementing robust cyber defences, but too often this is not the case. Many companies still seem to be unprepared for this important upcoming legislation.
I would not want to see the adoption of cloud held back by fears over security. Instead, I believe cloud should be adopted by organisations that are ambitious to grow and to collaborate effectively to solve problems and drive business performance. The penalties resulting from GDPR, for example, and from other regulations should not be a deterrent to implementing new technologies and systems. To me, the focus should instead be on planning effectively and then implementing a solution that works, by which I mean one that is safe and secure and enables improved operational performance.