
Cloud security: How much don’t we really know?


3 lessons from a top infosec specialist

By Secure Agility

Recently, we were pleased to host Steven Woodhouse, a respected CIO with a wealth of cybersecurity and cloud experience. We discussed several issues that are pertinent to information security today.

In this blog, we will cover the cloud as it specifically relates to information security and offer some best practice advice.

Cloud computing certainly gets a lot of attention, but what is it about cloud security which makes it such a significant factor? Here are three pieces of advice Steven was able to offer:


1. Cloud is easy, so take care

One of the new and significant differences between cloud security and traditional on-prem or in-house security is how readily available cloud services are, which becomes a problem if it is not managed proactively.

In most organisations, it’s human nature to take the path of least resistance without taking any security requirements into consideration, and with the cloud so accessible this can easily translate into short- and long-term problems.

Woodhouse recounted the experience of one CIO whose organisation completed a big Azure deployment and was breached only six weeks later.

“This was simply because a lot of developers and people in the business made cloud security an afterthought,” Woodhouse said.

Cloud security can be like the “wild west”, but the same policies should apply on or off-premises.

Part of the problem is that if people are allowed to manage the cloud, they will go and do what they want, even if they have little or no knowledge of the security implications.

2. Beware of new threats, risk transfer

Cloud brings new ways of managing IT, and with this change come new security threats.

For starters, if it is too easy to spin things up in the cloud, that ease readily leads to an unsecured state.

Typical security considerations, including:

• Authentication
• Access control
• Encryption
• Data transfer
• Data protection

all might be managed very differently in the cloud, depending on the service and provider. It is therefore important to consider the native or third-party capabilities available to your organisation that fit in with cloud workflows.

A simple example is a cloud provider not offering two-factor authentication, which is something that can be enforced with on-premises apps.

Another new threat is time-to-market. Cloud enables development teams to produce apps and services faster, and the security implications can go unnoticed.

Woodhouse believes a common misconception about the cloud is that it allows an organisation to simply transfer its risks to a third party.

“If you manage cloud well, it can be a real boon to your organisation and will help you accomplish speed-to-market, DR, and short-term needs,” he said. “But you do need to manage it, you can’t say it is just someone else’s problem.”

“I’m a big believer it will be a hybrid world in future, and how you use and manage cloud is the important part.”


3. Don’t forget due diligence

Other emerging information security implications of cloud adoption include contractual agreements and data sovereignty.

All the technical security can be rendered irrelevant if a cloud provider suspends a service or terminates a contract.

And likewise with data. It’s easy for data to be born in the cloud, but making sure it remains available to the business over the long term is vitally important.

Prudent DR and contingency plans are important to ensure your organisation is not left without a migration path.

Get to know cloud security and data protection from the start, and your journey will be better considered and carry much lower risk.
