Fouad Khalil, VP of Compliance at SecurityScorecard, who assesses the continuous oversight in the cloud and how to improve cloud security, privacy, and compliance.
When contemplating the word “cloud”, it is hard not to associate it with something that is ethereal, delicate and can be affected by the smallest gust of wind. Yet when considering the “cloud” in relation to IT, it needs to be the opposite – strong, robust, certain and controlled – particularly when it comes to security, privacy and compliance.
The problem is that for many enterprises this is not the case, but it needs to be. Modern enterprises now use the cloud for a significant portion of their IT infrastructure. Data storage, SaaS, BYOD, big data analytics and so on can all be provided through the cloud, often more efficiently and cost effectively than on/off-premise solutions.
With so much of a corporate network and data assets potentially based in the cloud, IT teams need to take cloud security more seriously. According to the Checkpoint 2019 Security Report as much as 65 percent of IT professionals do not think cyberattacks in the cloud will have as much impact as reality shows.
Also of interest: Protecting your organisation from insider threats
Businesses are storing more and more data in the cloud, much of which can be sensitive, proprietary or personal, all of which need to be protected. However, when deploying a data infrastructure in the cloud, an organisation could find that their chosen provider’s security and privacy solutions are not adequate and will have to incur the cost and disruption of moving to another.
The Internet of Things has been and continues to be an area of risk for businesses in the cloud. IoT devices are unsecure by design and they offer an almost unlimited amount of entry points for threat actors.
Employees using their own devices for work purposes is the new norm, with 85 percent of organisations allowing BYOD. Unfortunately, only 59 percent of organisations have BYOD policies in place. Lack of an official BYOD policy indicates a lack of control and insight into how employees are leveraging their devices to do their work - this creates a huge security risk.
For example, 43 percent of businesses do not know if employees’ personal devices have downloaded malware before accessing the corporate network. Not knowing such basic information can provide threat actors with an easy route to stealing an organisation’s data which may result in a breach.
Finally, the rise of Artificial Intelligence (AI), machine learning, predictive analytics and deep learning create their own security and privacy challenges. AI algorithms dealing with personal data need to be accurate enough to preserve data integrity. The chances are that without input from information assurance professionals these important actions are likely to be missed.
These threats are being compounded by the inner workings of organisations. For example, key responsibilities for allocating and overseeing privacy and security roles and activities are not being assigned due to lack of understanding and insight into cloud security and privacy issues.
There are also budget constraints restricting investment into buying and implementing resources and tools. Then there is the continuing issue of recruiting, retaining, and training enough skilled staff to fill key IT security roles.
Also of interest: How to secure your move to the multi-cloud
Benefits of continuous oversight
Having several different environments to monitor means that centralised, homogenous security, privacy and compliance policies and procedures are no longer adequate. These must be adapted to become more holistic to cover a variety of systems – on/off-premise, cloud and hybrid – that are in multiple locations and often managed by different entities.
Continuous oversight of a corporate network helps provide real-time insight and metrics that can be used to improve and mature security, privacy and compliance programs. Typical continuous oversight and maintenance activities encompass internal monitoring; external cloud assurance; supply chain management; and continuous improvement (CI).
There is evidently a long list of issues that need to be addressed and how this should be achieved, but to convince the C-suite, investors and other stakeholders it is better to focus on the benefits of continuous oversight. These will highlight what continuous oversight can bring to the business and how it can contribute to its overall success.
One such benefit is using real-time information to proactively prevent incidents that may lead to data or financial loss, or lead to a considerable regulatory fine. Another is that continuous oversight can also ensure appropriate controls are in place for specific business processes, as well as provide information with which the C-suite can make timely, cost effective risk management decisions.
Also of interest: Leadership, imposter syndrome and humour with Thom Langford
Creating and maintaining continuous cloud oversight
There are some basics that organisations need to get right if they are to implement a successful security and privacy program.
The first is to define, identify and categorise all IT assets according to confidentiality, availability and integrity.
Second, to identify the legal requirements for complying with laws, regulations, contracts and so on.
Thirdly, identify and address risk in an ongoing basis through risk assessments, assigning mitigation responsibilities, and determining how to most effectively mitigate risk.
The next steps should be to define the continuous assurance and oversight strategy, determine who is accountable for developing and implementing it, and identify who the main stakeholders are. Those directly involved with continuous activities should be provided with regular training and receive frequent reminders about their responsibilities.
Choosing which metrics to analyse is crucial to maintaining a strong cloud security programme, as for many organisations there are too many for them all to be monitored effectively. Missing the right ones could cause a security risk. Overarching metrics to analyse include those related to key supply chains and key incidents and breaches.
The use of cloud services creates new types of security, information, compliance and privacy challenges for all enterprises regardless of size. By implementing continuous cloud oversight, enterprises can foresee issues and mitigate risks to ensure their network remains secure and compliant.