We asked our CISO Don Mills to explain the biggest cloud security challenges and how they might affect your business.
What are the most common challenges organizations face when it comes to cloud security today?
Getting enough bodies and money behind it. Security is like a black box inside a lot of corporations—they know the money goes in, but they don’t really know what comes out. Now I’m not saying there aren’t metrics that can and should be available... you can measure the success of your efforts, but there’s no product or service that the company gains.
If security is doing its job properly, there isn't much to notice. Security is spotlighted when it’s not as successful as planned or has come under attack in some way. Organizations invest and open their wallets to security when they’ve been hacked, audited, or when they must follow new regulations or compliance guidance.
So, whether an organization is in the cloud or not, the most common challenge is getting the proper attention and resources paid to security efforts.
What lessons can be learned from the biggest cloud-related breaches in the past year?
Don’t forget to cover all your bases or you could be hit where you least expect it. One of my security axioms is “the weakest link can break the chain.” What I mean by that is all it takes is one minor slip (an old VPN account, a phishing incident) for the major damage to be done, as we saw with the Colonial Pipeline.
Ask yourself, what are we not looking at security-wise that we should be? For example, it often seems outbound data traffic is ignored. Information that leaves is just as important as what’s coming inside.
A company that recently got hacked, Electronic Arts, had this exact issue. If they monitored the outbound data transfer rates and had stricter outbound (egress) firewall rules, it would have been much more difficult for the hackers to exfiltrate 250+ gigs of proprietary data.
Looking ahead, what’s the biggest piece of advice for organizations looking to improve their cloud security in 2021?
Plan for failure because things happen. Planning your cloud security strategy is just as important as executing and maintaining it. Even if a failure isn’t 100% security-related, you should still plan for that failure because it applies to the availability and your infrastructure as well. Expect the worst and plan for that.
Another important piece of advice: protect your cloud control plane. Everything in the cloud is set up and managed via the cloud control plane... so if someone accesses it, they pretty much own you for all intents and purposes.
What security incidents should companies anticipate seeing an increase in?
Years back, we typically saw people trying to make names for themselves by breaking into and defacing websites. Sometimes this was done as part of a political or social movement.
Nowadays, security incidents involve more methodical, strategic, and long-running attempts, and often are sourced by organized crime or state-sponsored groups. These groups are either concerned with quiet infiltration (state-sponsored) or are attempting to make money.
These criminal organizations are not just single sources... they operate as service providers, middlemen, and business-to-business facilitators. You can rent infrastructure and tooling for money or percentages of profits and get tech support responses via cell or chat features.
So, I’d easily predict we will see more of the same commoditized attacks that we’ve seen over the past couple of years... but that doesn’t mean the old classic stuff is going away. Somebody will still be happy to deface your website for you.
How do hackers make money, or keep you from earning it?
Hackers make money in two ways:
- Preventing organizations from getting access to their information, systems, or data. Or, the groups find data they can use to blackmail organizations. This is the current “ransomware” flurry we've seen lately, but it also goes back to the DDOS (Distributed Denial of Service) attacks that were in fashion a decade ago. An interesting twist is criminal organizations now attempting to blackmail companies to prevent public release of data vs. the standard “pay to restore access".
- More traditionally (and seen very often), hacker groups simply get into your information, customer information, and/or intellectual property and figuratively walk right out with it. Then it becomes bought and sold like any other product online. This is the standard customer data theft that is still going on and always will. In my opinion, data theft is still your most likely and persistent threat.
We offer security assessments and expertise to protect our clients and provide peace of mind. Whether you’ve been audited, hacked, faced with new regulations, or frankly just worried about increasing cybersecurity threats—we can help. Reach out if you have questions or want to discuss how cloud security challenges might affect your business.
