Did you ever ponder why there are so many data breaches these days? Did you also notice why such incidents are significantly more on cloud than otherwise? Did you wonder why despite best talents, intents and efforts, businesses get bulldozed besides being publicly embarrassed by a few unknown enemies? Ask any leader and s/he would fumble to say that his/her cloud is 200% secure. Even companies backed by powerful investors are left to the mercy of time.
Highway accidents are akin to cloud breaches – with both cascading at times. One might be the best driver, but one still meets with an accident not because of one’s fault but because of someone else’s. Likewise, one might have done everything right on cloud but just one oversight from one’s trusted aide (partner, team, or 3rd party) is enough to bring the roof down – something one wouldn’t even realise for months but by then the damage would have been done.
Old Wine, New Bottle
If one is not onto cloud, one gets frowned upon – very similar to if one is not onto social media. Cloud is revolutionary. Whatever was achieved earlier with copious resources of manpower, hardware, software, effort, and time is now being accomplished in a fractional time without using any such paraphernalia.
No wonder, a cloud backbone is considered a default today. The journey from on-premise to cloud has not only been transformational but also has put many on cloud nine – cloud helps businesses zealously boast about their renewed offerings, capabilities, scale and differentiation.
Old wine in a new bottle comes at a cost. If you don’t cautiously tread on cloud, your operating expenditure would easily surpass your capital expenditure and guess what, you would not have a cost arbitrage anymore. Much worse, if you are not proactive, you could be the next victim in making.
Major promises of cloud – efficiency, flexibility and scalability – come with one key challenge: security. Alarmingly, many cloud tenants are oblivious about security threats lurking in their backdrop and their responsibilities in mitigating them.
We fail to fathom that data, which traditionally resided in a guarded perimeter (on premise), is now residing with a third party that also shelters data for millions of others. Cloud is like a bank’s strong rooms and lockers storing valuables. If such vaults with state-of-the-art physical, logical, and digital security could be trespassed, then, your data on cloud could also be breached irrespective of who provides the cloud or who uses it.
Because of prohibitive cost reasons, many cloud tenants, especially the SMEs (small and medium enterprises), carry a defensive approach to security. No wonder, cyberattacks have skyrocketed recently with an attack every 39 seconds.
Many companies, on average, take nearly six months to detect a hack while their share prices on average plunge 7.27% after a breach. These attacks haven’t spared anyone from World Health Organization, Big Basket, Alibaba, LinkedIn, Facebook to Marriott.
Shared Security Model
Running a business on cloud is analogous to owning a shop in an upscale mall. To effectively run a mall, certain obligations reside with both the mall owner and shopkeepers. Likewise, cloud by design follows a Shared Security Model. Both the cloud provider and tenants must fulfil certain mandatory obligations; if one doesn’t adequately perform one’s task, end users’ experiences suffer.
The onus of the cloud provider stops after provisioning the required infrastructure. Hence, an organisation that doesn’t fully understand or participate in securing its data doesn’t do its job and takes unnecessary risks. Unfortunately, many organisations can’t delineate where cloud service provider responsibilities end and their own responsibilities begin, opening them to serious vulnerabilities.
Why it is Insecure?
Don’t forget, security, governance, risk, and compliance have been supporting functions — these aren’t the areas in which companies have been historically investing. The increased expansiveness of cloud increases an organisation’s potential attack surface. Prominent issues impacting cloud security today range from inadequate strategy, architecture, configuration, change management, identity and access, controls, visibility, secure application programming/user interfaces (API/UI) and encryption, resulting in unauthorised access and data theft. To further complicate the matter, traditional security controls often don’t fulfil cloud security needs.
Information asymmetry exists – not everyone understands intricacies. Knowledge typically resides with a handful and when an old employee leaves, crucial secrets go with him/her. A knowledge transfer exercise over a few days, amidst other pressing priorities, is insufficient to unambiguously extract work done over the years.
Because certain inbuilt cloud features that strengthen security are not as intuitive, most people don’t typically leverage such freely available options. For business reasons, cloud providers love this asymmetry as it gives them opportunities to create additional revenue streams by rolling out targeted offerings around intricate areas. No guesses why there exist so many optional paid services on cloud today.
Interestingly, older configurations don’t always stay relevant with time. With newer attacks surfacing every other day and with people unable to timely update relevant security controls, potential backdoors are left open for hackers. Lastly, things are changing quickly. Our excuses and inertia besides costs prohibit us from catching up with the speed of change.
Fortifying Your Cloud
Being complex, cloud needs smart manoeuvrings; hence adoption requires a cautious approach. The good news is that 95% of cybersecurity breaches are due to human error, something that could be avoided with awareness and a focused approach.
The cloud application needs to be thoughtfully designed while adhering to the core trust pillars of confidentiality, availability, integrity, privacy and security. By following principles of least privilege, separation of duties, defence in depth, robust interfaces (API/UI), the cloud application needs to scale, both horizontally and vertically, without revealing anything sensitive.
Once on cloud, it is mandatory that the cloud and the hosted application are periodically assessed for potential threats, vulnerabilities, misconfigurations, and potential weaknesses. Last but not the least, compliances specific to countries, regions, regulations and customers need to be watertight while adequate cyber insurance is in place to attract potential customers.
Hackers breaking security for a few bitcoins is now passe. With advanced persistent threats, sophisticated attacks and state-sponsored curated incidents looming all over, security is ever evolving. It is time approach to security moved from a mere tick-in-the-box mindset to a key strategic lever that helps attain the desired competitive advantage.
It is time security takes the centre stage.