The risks include system vulnerabilities, endpoint user errors, and cyber attacks. The first of these needs to be handled by the IT department, while the second can be mitigated by staff training and awareness programmes. As for cyber attacks, these will only be successful if there are human and technical weaknesses.
For Bethwel Opil, enterprise client lead at Kaspersky in Africa, experience in penetrating IT systems and manipulating staff is what gives attackers the edge.
Retief Zietsman, a senior engineer at Troye, believes SaaS and cloud apps are the primary sources of data leaks and the targets of credential theft attacks. “Users are working on networks IT can’t secure, with devices that aren’t managed; this is a big risk for companies that rely on network-centric solutions like traditional VPN. Insider threats are a major concern for these organisations, where one in three has already experienced a ransomware attack or breach. Most of today’s IT teams are juggling too many security tools to be operationally effective. Unfortunately, it’s more than just corporate apps and data that are at risk. Inefficient security policies can lead to a poor user experience, the kind that turns routine tasks into tedious, time-consuming processes.”
Zietsman says it’s time to find a better way to support secure hybrid work, without slowing down productivity. Although there’s increased cloud adoption, on-prem implementations still play a role. Each implementation, cloud or on-prem, has itsadvantages and disadvantages. Depending on the environment and use case, there is no right or wrong. However, when it comes to security, cloud security has historically been considered less robust than on-prem solutions, she says.
Opil says it all depends on the specific case. “There are threats everywhere and, whether using on-premise infrastructure or the cloud, the client must take care of the security of their infrastructure and data. In today’s hybrid world of work, very few companies are purely reliant on on-premises infrastructure. Cloud-based environments are now part of standard operating procedure. This requires a fundamental change in approach when it comes to cybersecurity, with employees having to be continually educated on what constitutes good cybersecurity hygiene.”
Not necessarily safer
Many security concerns related to on-premise systems are also present in cloud environments, says Jade Michael, head of public cloud at SAP Africa. “Research undertaken by IBM and the Ponemon Institute found that the three main causes of data breaches in South African businesses were malicious or criminal attacks (48%), human error (26%), and system glitches (26%). One of the benefits organisations want to unlock when shifting to cloud providers is that it's in the best interest of the provider to maintain the highest levels of data security. If a cloud provider suffers regular downtime or data breaches due to cyber attacks, customers are almost certain to move to other providers they perceive to be safer. Cloud providers understand this, and invest in cybersecurity teams and technologies at a scale that is outside the reach of most businesses.”
He says cloud providers also have dedicated security teams constantly looking for risks and quickly responding to any threats to their systems, and they have the budgets to implement the latest and most powerful threat detection and risk mitigation technologies.
“This adds up to a level of security that most businesses simply can’t match with their on-premise infrastructure. However, there are also some risks. Cyber attacks targeting on-premise infrastructure, may access company data, but it's only the data of one company. With cloud providers, any successful attack could compromise dozens, even thousands, of companies.”
On-prem isn’t necessarily safer, says CipherWave Business Solutions’ CEO, Wayne D’sa. The same security assessment would need to be applied to on-prem as would apply to a cloud environment. Companies will need to consider protecting the hardware by way of a maintenance agreement, making sure the server is virus-free by employing endpoint antivirus protection, ensuring the accessibility for users of the server by means of a firewall, ensuring there are adequate backups of the data that run frequently, and testing these by means of a data restore solution.
The shifting of business processes to cloud environments also poses additional risks, adds SAP’s Michael. “For example, as the nerve centre of modern intelligent enterprises, ERP systems are increasingly targeted by cybercriminals. Attackers know these systems run business-critical applications and house sensitive information, so any data breach could provide access to information they can later use in the service of a range of cybercrime activities. As these systems increasingly shift to the cloud and integrate a growing suite of business applications, the opportunities for bad actors increase. The amount of transactional data in a typical ERP system represents a gold mine to attackers. So does the information about vendors, suppliers and partners. The more cybercriminals know about the internal operations of a business, the easier they will find vulnerabilities to exploit.”
Gatekeepers
When it comes to controlling who has access to data in the cloud, Opil says it all boils down to adopting a zero-trust model. “Perimeter security is no longer sufficient at a time when employees are accessing the corporate network from different geographic locations and using their own devices. With zero trust in place, the organisation must treat any attempt at gaining access to corporate information as a potential threat until it’s proven otherwise. Therefore, each user, device, and application must pass the authentication procedure before it can access the data at hand, whether stored on-premises or in the cloud.”
Michael says there are two tools worth singling out. One is identity authentication services that simplify and secure cloud-based access to business processes, applications, and data. Such a tool should offer authentication mechanisms, single sign-on, self-service options as well as on-premise integration for hybrid environments. Next, there should be an identity provisioning services that automates the identity lifecycle processes for easy and central provision of identities and their authorisations.
It’s time to find a better way to support secure hybrid work, without slowing down productivity.
Retief Zietsman, Troye
D’sa says there needs to be role-based access management that allows user profiles to be separated and, in doing so, separates access. This can also be addressed through Active Directory integration, which is where the company's system administrator will link a user's profile to their respective profile.
According to Opil, while some organisations are looking for a single solution for all their cloud security needs, others already look at cloud security solutions as not being in separate parts, but rather as cloud security being part of a single security solution for the entire infrastructure, and maybe even not only security. “With this in mind, and from the technical side, cloud security solutions should be built with possible XDR or SASE scenarios on board, and with good integration capabilities because customers are concerned about vendor lock-in.”
The buck stops…
The bottom line? Using public cloud means you’re running on systems with other cloud tenants, under control of software not owned and operated by you, but by the cloud provider, says Zietsman. Even though the cloud provider has secure infrastructure, you bear the primary responsibility for protecting your data. As applications balloon (there are 40 to 60 in use by each department at the average enterprise), so do the complexities. Each service might have its own authentication method, which not only confuses users, but is also difficult for IT to configure. And with the overwhelming majority of organisations hosting at least some of their IT environment in the cloud, there’s an increased risk of a breach. “You need a better way to secure those apps, no matter where they’re hosted or how they’re deployed.”
The same security assessment would need to be applied to on-prem as would apply to a cloud environment.
Wayne D’sa, CipherWave
Ultimately, the underlying cloud infrastructure needs to be secured, says CipherWave’s D’sa. “This is the responsibility of the service provider. When it comes to an individual company's server or service in the cloud, there are two dotted lines of responsibility. The service provider needs to ensure that the services are segregated and no two customer environments are able to access each other. The service provider also needs to ensure that they have the necessary tools to be able to protect the customer's environment from external threats, suchas DDoS attacks.”
Opil believes that while cloud providers are responsible for protecting organisational infrastructure, the responsibility to ensure the cloud is safe should not be solely delegated to the cloud provider by default, but should be shared among everyone involved. “Every organisation that partially or fully migrates their business operations to the cloud – whether it’s a private, public, hybrid or multicloud environment – must understand that protecting their data, processes, and operations in public clouds is their responsibility.”
* This feature was first published in the Dec-Jan edition of ITWeb's Brainstorm magazine.
Share