rvlsoft - Fotolia
Information security in the cloud was identified as a key area of focus for organisations by former GCHQ director Robert Hannigan at Infosecurity Europe 2018 in London, but many find this challenging.
The speed of technological change is one of the top challenges for organisations in terms of cyber security, attendees of the Alert Logic Cloud Security Summit 2018 in London heard.
Managing hybrid cloud and on-premise IT environments is increasingly a reality for organisations as they start to use cloud-based services to increase agility and efficiency, while potentially reducing costs.
Security professionals at various Alert Logic customer organisations agreed that while the principles of security remain the same, the approach and tools have to be different for hybrid environments.
The challenge is even greater when an organisation is using more than one cloud service provider, said Matt Selheimer, chief marketing and strategy officer at Alert Logic.
“Within the next 18 to 24 months, most organisations using cloud services are likely to have several providers as organisations seek to avoid supplier lock-in and exercise their preferences for suppliers of particular services,” he said.
The threat of cyber criminal activity involving cloud services is no longer theoretical, according to Mike Hulett, head of operations at the National Cyber Crime Unit (NCCU) at the National Crime Agency (NCA). “Cyber criminals will go after data wherever it is, and although cloud services providers typically have a lot expertise in cyber security, no system is ever completely secure,” he told Computer Weekly.
Read more about cloud security
- Amazon CISO shares secrets to building secure cloud products.
- How Microsoft uses secure enclaves to improve cloud security.
- What cloud storage security looks like for small businesses.
- Challenges in cloud data security lead to a lack of confidence.
- The biggest cloud security threats, according to the CSA.
However, Hulett said that in the cases currently under investigation, the vulnerabilities exploited by the cyber criminals lay with the customer organisations, not the cloud service providers.
Speaking at the Cloud Security Summit, Ryan Holland, senior director, cloud platforms at Alert Logic, said a poll of information security professionals on LinkedIn identified misconfiguration of networks and services by end user organisations as the top security risk in the cloud.
This includes giving developers too much freedom in what options and settings they can change and not limiting access to services and data to only those who need it, he said.
Attackers also target vulnerabilities in web applications, APIs [application program interfaces], middleware and third-party plugins, underlining the importance of good coding practices and software patching, said Holland, adding that all of these fall within the responsibility of users of cloud services.
“It is important for enterprises to understand what Amazon calls the shared responsibility model, in which providers are responsible for everything from physical security up to the hypervisor, [virtualisation layer] but responsibility for the security of everything after that lies with the consumer of the services,” he said.
While using cloud services removes the security responsibilities of running a datacentre, Holland said it does not mean that the consumer organisation does not need to worry about security because there are things they still need to do and they are ultimately responsible for their data.
Where IT and security teams are relatively small, organisations are increasingly looking to managed security service providers (MSSPs).
A target for cyber attackers
John Sweet-Escott, CTO at judicial services firm JBW Group, which collects and enforces fines and debt orders and is increasingly moving to cloud-based services to increase work capacity and agility to address business challenges, said the company is a big target for cyber attackers.
“With fewer than 200 employees we have an IT team of just five people, which is typical of organisations of our size, and none of them are security experts. Our risks are huge, but we couldn’t hope to attract the security talent that we need because and we don’t have the staff and skills to run round the clock shifts to respond to alerts,” he said.
For this reason, Sweet-Escott said JBW Group is working with Alert Logic to provide security services across its in-cloud and on-premise infrastructure. “Having that holistic security blanket across everything provides the answer for JBW Group,” he said.
Similarly, Ricardo Brizido, CTO at equity crowdfunding site Seedrs said that while cyber security is one of the company’s biggest challenges due to the nature of the business and the fact that its IT systems are changing on a daily basis, it has limited IT and security resources.
“We quickly understood that as a startup we were not able to do everything by ourselves,” he said. Seedrs is now working with Alert Logic on vulnerablilty management, log monitoring, threat escalation and remediation, and enhancing policies.
“Our partnership with Alert Logic means that I do not have to find and retain people with expensive skills to benefit from a 24x7 360o security model and machine learning technologies to increase visibility and minimise risk, which we could not implement in-house in such a cost-effective way,” said Brizido.