The Cloud can be secured, but not by the vendor alone. Machine learning and security automation can help.
Cloud delivery platforms have introduced new risks and compliance requirements, which have an impact on organizations across all industries and geographies, finds a new study by Oracle and KPMG.
Most organizations are struggling to establish cloud security standards and capabilities aligned with well-established internal ones. These strategic and operational challenges compound the risks they face because every cloud platform and vendor has unique cybersecurity standards and requirements. In trying to speed up deployment of cloud services, business leaders who may lack cybersecurity know-how often neglect to implement critical controls, due to a widespread misperception that the cybersecurity measures provided by the cloud vendor are sufficient on their own to protect the business.
“Shared responsibility is critical,” states Gabriel Mihai Tanase, the Director leading KPMG in Romania’s Cybersecurity Advisory Services. “As well as making sure that the risks are known and mitigated, and compliance requirements are addressed, business leaders in Romania and everywhere should understand and accept their responsibility for protecting the business. Therefore both C-Level and middle level Finance, HR, Risk or IT leaders should be responsible for ensuring that the organization has a cybersecurity program that addresses risks both in-house and in the Cloud,” Tanase continues.
Cloud vendors have assumed basic responsibility for security but the business is primarily and fundamentally responsible for maintaining its own cybersecurity and managing its own risks and compliance. As the continuous use of cloud services introduces new threats, companies need to continuously reassess how they have implemented traditional security protections, such as firewalls, access controls, event logging etc., and make sure that they remain secure and up to date.
Leaders must face this new reality and act quickly to dedicate a team (or at least a person), understand the shared accountability requirements and put together a framework to meet their responsibilities for securing the organization from cyber threats. Furthermore, to protect the organization, it is paramount that everyone is educated about the inherent risks of cloud services and knows and follows the policies designed to mitigate those risks.
The KPMG and Oracle research found that there may be considerable room for improvement in this area as individuals, departments and lines of business within organizations are often in violation of cloud service policies.
But what about data residing on the Cloud and the regulatory compliance requirements?
“GDPR definitely has an impact on every organization’s Cloud strategy,” comments Gheorghe Vlad, Senior Manager responsible for the Information Protection and Business Resilience services provided by KPMG in Romania. “GDPR introduces complex new regulations and processes for handling personal data of EU citizens and therefore will have an impact on any organization that uses cloud services. In the light of GDPR, organizations will need to understand whether their cloud service provider employs essential data security best practice such as separation of duties (for segregation of duties), data discovery and classification (to enable the right to be forgotten), encryption or pseudo-anonymization and others, as needed,” Vlad continues.
In the light of these issues, Cloud vendors may be required to implement these measures (and more) to achieve compliance not only with GDPR, but with other regulations which are applicable to each type of organization. (For instance, the European Banking Authority has issued a clear set of recommendations that should be followed by banks when outsourcing services to Cloud providers.)
External actor versus insider threat
While cybercriminals are the top concern among the survey respondents, the research reveals that cybersecurity professionals are also concerned with the risks associated with insiders. While the insider threat usually includes stolen-credential situations, in which the insider actually acts (unknowingly and unwillingly) as a proxy for an external adversary, the true malicious insider can be more difficult to detect. These individuals, depending on their objective, leverage their familiarity with a corporate IT environment and escalated privileges to steal data undetected and potentially disrupt business operations.
“While we can build a perfect defense structure to protect us from outer cybercriminals of all kinds, there is so little we can do with those living and working next to us,” comments Gabriel Tanase. “First of all we should train people and make them aware of their responsibilities with respect to internal policies and procedures, as the most frequent examples of ‘insider jobs’ occur due to people not being aware of what is right and what is wrong,” Tanase continues. “Afterwards, we can deploy specific technical measures, such as adaptive authentication to trigger a second factor of authentication based on context (in order to prevent such threats from occurring) or carry out continuous monitoring for out-of-the-ordinary end-user activity that will alert our Cyber-Defense teams to possible malicious activity,” Tanase concludes.
Lack of visibility is the main challenge in Cloud adoption
When considering today’s most pressing cybersecurity challenges, the most frequently mentioned concern by far in our study was the ability to detect and respond to security incidents in a cloud environment. Other big challenges when working in the Cloud, as cited by survey participants, were lack of visibility across the data center and endpoint attack surface, lack of cooperation between security and IT operations teams, lack of funding for cybersecurity initiatives and others.
Lack of visibility is a common refrain when it comes to securing the use of cloud services. This is because of certain aspects that make securing cloud services fundamentally different from securing on-premises infrastructure, including the inability of customers to access the physical network layer, and the self-service nature of the cloud services.