For cyber bad guys, 2015 was a banner year. Unfortunately, there is ample validation in the form of a daily onslaught of data breach news, sobering reports from cyber security vendors and analyst firms, surveys at security shows, and other sources. The truly bad news is that, while 2015 may have set records, 2016 is poised to break them. Unfortunately, the cloud is viewed as an increasing attractive target.
The frequency and severity of attacks and the sophistication of attackers is impressive. Plus, “hacking” long ago stopped being a sport. Putting aside state-sponsored and cause-related incidents, hacking has become a big, growing and very profitable business.
The industry is doing its best to keep up with new tools and training programs. Yet, when it comes to the cloud, skepticism about its safety continues. But, this skepticism is also a source of greater skepticism. Most Chief Information Security Officers (CISOs) admit that, despite the cloud (and the virtualization of what I have called “Infostructure” in general) creating more vectors of vulnerability, in many ways the cloud is actually safer than reliance on legacy protections. The Barbarians are not at the gates, but they will get around them easily if you have not taken care of the basics, which reports indicate most organizations don’t.
CISOs will also point to outsourcing security (that other SaaS (News - Alert)) as highly desirable. The reasons are not just the traditional cloud benefits of moving CapEx to OpEx. They include the documented and growing global shortage of skilled security people, and the inability of even highly skilled in-house people to keep up with the staggering pace of malicious activities and the patches needed to provide even a “reasonable” security posture.
In short, security as a reason to not move to the cloud is unfounded. What is very real for CISOs and their staff, as I found out at RSA (News - Alert), is the need to:
- Have a reliable inventory of security tools, and trained people to use them.
- Be able to assess the level of vulnerability in not just the network, compute and storage infrastructure based on threat severity metrics and a holistic view of risk management.
- Use information gathered to discern what to invest in to improve overall security posture.
- Divining how and which solutions to recommend to the C-suite that will compel investment in the most-needed solutions.
While cloud security is a subject of numerous books and articles, a good context for thinking about this is at a high level. It comes down to the issues of Visibility and Control. What I mean is that for security professionals to improve their protection postures, they need:
Visibility — Being able to see across all attack surfaces, which means seeing what they know they need to see and what they know they don’t see. And, as importantly, leveraging things like machine learning and big data analytics to have the ability to see what they did not know they needed to see.
Control — The ability, if threats are detected or potential ones expected, to proactively impose and enforce rules to mitigate risks.
Two great places to keep up on cyber security in general and cloud security specifically are TMC’s (News - Alert) Cloud Security Resource Community and Cyber Security Trend Community. They provide constantly updated news and insights into cyber security, privacy and risk mitigation, and focus on the needs to adopt a holistic strategy that includes proactive and reactive protective mechanisms and leverages high-level analytics, threat intelligence and visibility to protect critical digital assets whether at risk or on the move.
On area of particular criticality worth a pullout is the hot topic of encryption. Momentum (News - Alert) is gathering to encrypt “E”verything, which is creating major challenges: Where are all the keys? Who owns the keys?
Who has access to the keys? How strong is the encryption and can it be hacked? Who is liable if bad things happen? Are you ready for a compliance audit on key management history?
The answers to these questions go directly to the issues of visibility and control. They speak to the needs of security everywhere, not just in the cloud. They touch on that holistic need for knowing if people, devices, the apps on those devices, the networks and databases accessed, and business process used, are adequately protected. Indeed, if 2016 is going to be another good year for the bad guys, encryption, key management and enforcement of key usage will be the key to stemming the tide of bad guy success.
Edited by Stefania Viscusi