As security professionals, it’s fair to say we are often risk averse, so what happens when we have no option but to open ourselves up to potential new threats as part of a digital transformation or cloud migration project?
We often find that transformation projects are a brilliant catalyst for cybersecurity infrastructure refreshes and upgrades. So, if you are up to your neck in Cloud Transformation projects or just about to dip your toe in, you’ll find insights and tips in our Guide to Managing Cloud Transformation Risk.
Adoption of cloud computing is at the heart of most organisations' digital transformation strategies. Cloud computing promises increased flexibility, scope for scalability, automatic updates and simplified collaboration.
On the way to achieving these benefits, organisations face an array of new security challenges:
An explosion of cloud-based applications and mobile devices has blurred old boundaries around organisations and network security, resulting in a vanishing perimeter and an increased focus on identity-based user and device authentication.
To keep up with the pace of change, business users are adopting cloud services, bypassing IT to deploy the applications they need to meet their business objectives, but consequently creating digital islands of data and potential backdoors into the network.
How we access computers and networks hasn’t changed much – passwords are still the dominant user authentication method, and more complex passwords do little to combat identity theft, which has become the number one attack vector.
The 2019 Data Breach Investigations Report confirmed that not much has changed: 80% of hacking-related breaches still involve compromised or weak credentials.
User Experience
78% of security professionals think the biggest threat to endpoint security is negligence among employees.*
User frustration with passwords has reached epic levels. Ensuring your authentication experience is both secure AND user friendly will discourage users from attempting to bypass your security controls. Consider these ways to promote user adoption:
Implement Single Sign-On Technology – Logging into one central hub is more convenient for users, which means administrators can apply more stringent controls such as Multi-Factor Authentication or increased password complexity.
Consider Biometrics – It’s incumbent upon mobile manufacturers to establish a verifiable ID, so that application and service providers can extend levels of trust to a device and its associated applications. These devices can also be used for authentication.
Roll out Awareness Training – If end users appreciate why security controls have been introduced and how to identify threats, they are more likely to adopt secure working practices.
Authenticate cloud users, devices and other assets proportionate to associated risks. Endeavour to ensure that security does not negatively impact productivity by only authenticating when it’s necessary.
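The "authenticate proportionate to risk" idea above can be expressed as a step-up policy: collect a few risk signals about the login, and only demand a second factor (or refuse) when the score justifies it. This is an added illustration, not code from the guide or from any identity provider; the signals, weights, application tiers and thresholds are hypothetical.

```python
"""Risk-proportionate (step-up) authentication policy, added illustration.

Assumption: risk signals, weights and thresholds below are hypothetical,
chosen to show the idea rather than taken from any particular product.
"""
from dataclasses import dataclass, field

# Hypothetical application sensitivity tiers: higher means more damage if misused.
APP_SENSITIVITY = {"intranet-news": 0, "mail": 1, "crm": 2, "payroll": 3}


@dataclass
class LoginContext:
    user: str
    app: str
    device_id: str
    source_ip: str
    known_devices: set = field(default_factory=set)   # devices this user has used before
    corporate_ranges: tuple = ("10.", "192.168.")     # constructed sample prefixes
    recent_failures: int = 0                          # failed attempts in the last hour


def risk_score(ctx: LoginContext) -> int:
    """Sum weighted risk signals; the weights are illustrative assumptions."""
    score = APP_SENSITIVITY.get(ctx.app, 3)   # unknown app treated as most sensitive
    if ctx.device_id not in ctx.known_devices:
        score += 2                            # unrecognised device
    if not ctx.source_ip.startswith(ctx.corporate_ranges):
        score += 1                            # request from outside the corporate network
    if ctx.recent_failures >= 3:
        score += 2                            # possible credential guessing
    return score


def required_assurance(ctx: LoginContext) -> str:
    """Map the score to the least intrusive control that still fits the risk."""
    score = risk_score(ctx)
    if score <= 1:
        return "password"   # low risk: no extra friction for the user
    if score <= 4:
        return "mfa"        # step up to a second factor
    return "deny"           # too risky even with MFA; route to manual review
```

A known device reading low-sensitivity content from the office gets no extra prompt, while an unknown device reaching payroll from outside the network is refused rather than merely challenged.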
86% of organisations describe their cloud strategy as multi-cloud.*
An organisation’s cloud ecosystem refers to the hardware, software, cloud providers, consultants, integrators and other third-party partners that work together to form an organisation’s extended cloud infrastructure. As organisations move more workloads and data to the cloud, they grow increasingly dependent on third-party technologies and services to support their businesses. This, of course, increases complexity and widens the risk landscape. But the following actions can help you mitigate ecosystem risks related to your cloud transformation:
Gartner predicts that through 2022 at least 95% of security failures in the cloud will be caused by the customers.*
When it comes to cloud security, cloud service providers and their customers frequently have conflicting ideas on who’s responsible for what. For example, one common misconception among organisations procuring cloud services is that responsibility for securing their data shifts completely to the cloud provider. In fact, it does not. The following governance controls can help your organisation manage security responsibilities with your cloud providers:
Phishing attacks are exploiting the social networking aspects of cloud-based collaboration tools.
Passwords and static identity and access management rules don't provide sufficient defence against attacks that take advantage of cloud vulnerabilities, nor for the myriad of employees and third parties who need access to cloud applications at any time, from any device.
Therefore, secure access to cloud applications requires a high level of assurance that users are who they say they are, and that their access is appropriate given their responsibilities and doesn’t put the business in harm’s way.
While managing access has historically revolved around traditional identity and access management tools, today’s new cloud realities require organisations to go well beyond those basic controls to:
A major European airline faces a record £183.4 million fine after personal details of 500,000 customers were exposed to cybercriminals.*
When it comes to regulatory compliance, organisations need to understand what types of data they have in the cloud and where that data resides. With traditional on-premises systems, auditors can literally see where data is stored. IT can also restrict or segment data based on attributes like geography, group and data type.
In contrast, cloud computing relies on the ability to host data in multiple locations. Multi-cloud environments complicate data privacy and compliance even more because data simultaneously resides in multiple cloud instances. These may have different business purposes and may be bound by different contractual relationships.
Implementing the following compliance controls can help your organisation meet a variety of internal and external regulatory requirements:
There are a number of key challenges and a myriad of tools available to support digital transformation projects. Moving to the Cloud is akin to moving home:
1. Take stock of users, applications, location and devices; so you have full visibility of what you are protecting.
2. Understand the impact and value of your data, so you can prioritise and protect accordingly.
3. Put tools in place so you can take control of your data, users and policies.
4. Put a strong identity-based access policy in place for your users to protect your data and network.
© Copyright BlueFort Security Ltd.