In the quest to adopt cloud and Digital Transformation, many companies assume that traditional security will be sufficient for their purposes. Yet, cyber security experts warn that this approach is flawed.
As enterprises embrace automation and self-service user functionality, the impact of these innovations will push data out of its traditional protected locations. So, what are the security implications for the latest wave of increased data mobility and accessibility?
According to Gartner, by 2023, 99% of cloud security failures will be due to the customer’s actions, while through 2021, 50% of enterprises will unknowingly have some IaaS storage services, network segments, applications or APIs directly exposed to the public internet.
There is a growing urgency for a new approach to managing risk at a time when the protection of data has never been more critical.
“It has become insufficient to rely on your data centre firewalls as the primary control point for data access as they can only affect access to on-premise systems,” says Evros CIO Joe Brady.
“Firewalls are useful to restrict access to data hosted inside the data centre or a private cloud deployment. But where data is stored on global SaaS platforms such as Salesforce or SharePoint Online, enterprises need to change how they control access to data to rely more on context and identity.”
As Ireland’s largest indigenous cloud solutions provider, Digital Planet (part of the Evros Technology Group) was one of the main drivers for developing the Evros expertise around cyber security. As their capability matured, Evros built out its 24/7 Security Operations Centre and established a comprehensive managed security division.
Joe speculates that companies seem to overlook two very important factors when considering today’s data security: identity and context.
He continues: “Companies need to determine user patterns; what would be considered acceptable behaviour for the user, and what is the normal context of user activity? Who is the user? What are they doing? What data do they have access to and how do they utilise it?
“Let’s say your CFO has access to your company’s financial data. But one day your system detects a connection by your CFO from a suspicious location and an attempt to download data. As a human, you immediately understand it’s a potential hack but traditional security systems probably won’t. No technical controls have been broken but in the situation’s context, it’s clearly wrong.”
Another common misconception is that companies assume major technology providers have put these controls in place.
“Microsoft Office 365 is a global platform that will give you the security tools but you can’t assume they’ve implemented the tools on your behalf. Without a Managed Security service provider, the responsibility for configuration of these security controls falls on your company, not Microsoft,” the Evros CIO adds.
The good news is cloud adoption is on the rise. Gartner’s latest IT spending forecast predicts that cloud spending will jump from $39.5 billion in 2019 to $63 billion through 2021, showing that enterprise is becoming more comfortable off-premise.
The downside is that users become more susceptible to attack. This doesn’t mean that cloud is less secure than on-premise. However, because the way users interact with these new systems has changed, their lack of familiarity gives online attackers yet another phishing opportunity.
“As your users start to sign in to cloud services or platforms more often, they become exposed to phishing attacks lying in wait on false sign-in pages or fraudulent email notifications,” says Brady.
“We’re seeing a lot more sophisticated-looking phishing emails that come through to our customers, under the seemingly innocent guise of a new software update. Apart from the smallest fault in the design or a slight grammar mistake, most recipients of such an email wouldn’t notice the counterfeit quality, or would barely skim the email before clicking on the link.”
And where are these phishing scams coming from?
“We’ve tracked a lot of these scams or malware attempts worldwide – even from locations that would not traditionally be considered high-risk. These attackers have even considered geo-location controls because many of these phishing attacks are being sent through VPNs so the emails seem to come from what are deemed ‘acceptable’ geo-locations, but in fact have just been re-routed to hide the original source. Again, by taking both identity and context into account, if you have implemented specific controls around your users’ behaviours and professional context, this will save a lot of pain in the long-term.
“As widespread cloud adoption and Digital Transformation initiatives gain momentum, it’s critical to understand how to implement security in this new world. If you have any questions, get in contact with our security team today,” he adds.
To find out more about Evros Security Services, visit www.evros.ie
Joe Brady is CIO for Evros Security Services