Date: 2022-11-10

The importance of cloud cyber resilience is currently being magnified by high-profile, mass-scale security breaches targeting private-data-heavy organisations. Whilst the threats to cloud security are omnipresent, the increasingly sophisticated nature of threat vectors now demands increasingly sophisticated risk mitigation responses. With spending in the public cloud services sector forecast to surpass US$592 billion by the end of 2022 according to Gartner, and cloud SaaS spending poised to reach US$195 billion next year, security is a vital adjunct to that spend.

In the wake of these huge investments in migration to the cloud, the nature of security in the cloud has changed, and organisations are now in a heightened state of awareness of the importance of matching that fiscal commitment to cybersecurity. Continuum Cyber MD Ben Jones claims that cloud security is one of the most important challenges that businesses will face in 2022 and beyond.

“People are finally waking up to see that cybersecurity is now not this nerdy little IT problem, it is now top of the risk register. You need to take away your traditional perceptions about how you're going to protect your business and you need to come in line with the innovation that the bad guy's demonstrating,” Jones says.

Organisations have undergone an accelerated digital transformation in the short span of two years, with the cloud bringing agility while reducing costs and maintaining a mandatory competitive edge, but vigilance on security has clearly not kept pace with that acceleration.

“This idea that there's some type of panacea, some software, some assessment that's going to rectify your problems is an absolute misnomer. The real thing that people have got to come to grips with is that this is a lifelong love affair you've got to have. If you love your business, then you've got to fall in love with cyber at some level.”

Jones cautions that it is a constantly moving beast. “It's one that no piece of software or a consultant can remediate. It has to be about starting to build out your cyber resilience and stage one is a massive reality check and saying, ‘where am I currently sat with my business and its security posture’.”

MyCISO CEO Dane Meah concurs: “the key thing, when it comes to avoiding a cyber incident is knowing that there's not a silver bullet. You know, we can all look at the recent events and say, ‘if they had X, Y, or Z, they would've been secure.’ But security is about defence in depth. It's about doing the basics really well. Be wary of a vendor claiming to offer the silver bullet, but look more at holistic best practices. Look at the tried and tested frameworks like ISO 27000, the Australian Essential Eight and so forth to set a standard for your business that you can benchmark against and programmatically improve.”

In the current environment, Meah has been in overdrive advising organisations on defence. “In the past few weeks, we've certainly seen a big outreach organization. They've seen these incidents occurring in the news and sort of saying, ‘what would we do in this type of incident and how, how can we respond?’ So, I think that's a positive when there is a bit of a negative situation that's occurred for these businesses, it makes everyone else look at their own environment and say, how will I respond?”

Meah says organisations need incident response plans in place, and that having those tested for the different scenarios, and building out those playbooks, is really best practice.

Impenetrable, not

Jones adds that the notion of data centre perimeters being impenetrable is gone: “so is that idea that a data centre is one physical place and that can't be breached. The reality is that data centres used to be owned by corporations, that they manage their risk. But now essentially, we've got so many different intricacies, huge different types of architectures, virtual switches, data centres are the composition of many different physical spaces to provide a service. So that means that attack surface is ultimately larger. What we really need to be able to do as in the physical world, as in the digital world or in the cloud world. We need to ensure that we can segment those as best as possible to ensure someone doesn't get in.”

He warns that the significant challenge in the data centre environment is that there are multiple tenants in a shared infrastructure that need really strong, enforced segregation.

“Many layers of architecture, implementation, operations. The absolute number one crime, the thing we don't want is one tenant that bleeds out and metastasizes across the rest of the network. So really that management channel, which a service operator controls, that infrastructure needs to have the strongest segregation of them all,” he says.

Meah adds that the four walls of the data centre just don't exist in the same way as they used to. “Your data centre is now made up of on-premise service over here, mobile device, connecting to the on-prem server, connecting to cloud environments, private clouds, public clouds, shared services, multi-tenanted cloud applications. There's a whole variety of different applications that a business depends on and relies on. The notion of having a cloud and an on-prem kind of environment are kind of now blurred. Really the defences that are now placed specifically around applications and between applications to make sure that any communication or access that's granted to a company's systems is, is completely secure a hundred percent of the time.”

He recommends zero trust methodologies as the way forward.

“Essentially zero trust methodologies, where organizations are transitioning towards to make sure that regardless of whether the connection's happening east, north or south, every connection and communication is being secured, authenticated, and can be fully trusted, because it's been authenticated.”

Threat landscape

The threat landscape is constantly evolving, and it evolves based on new types of attackers and new attack techniques in the outside world, Meah states.

“The internal environment is changing in the case of cloud service and use of cloud services, but also business requirements are changing and we've seen that through covid. You must proactively address needs that are going to arise for a business, whether multifactor authentication across a broader range of services and securing new types of users in where they connect to your network. Then it's our job as the service providers to spot those, to understand the business and make security recommendations on that continuous basis. That's going to ensure that those examples of breaches that we've seen recently are mitigated and avoided where possible, so back doors are not left open.”

For Anthony Stevens, CEO of 6 Clicks, the bigger issue overall is avoiding breaches in the first place. “It comes back to that point around effective risk management, be it both cybersecurity and privacy. It's really important to understand when we're thinking about data centres or cloud security, what exact detailed terms are we talking about?

“Are we talking about applications being delivered via the cloud or are we talking about infrastructure being hosted? That opens up a raft of other questions like data sovereignty to consider: do they want their data to be hosted in data centres outside of Australia, or do they want their data application to be hosted within geographic boundaries or jurisdictional boundary?” he says.

According to Stevens, it comes back to risk management and understanding those information assets. “What are you trying to protect? What are you trying to protect them against, and how do you evaluate that risk and make effective decisions about your use of data centre technology.”