Over the past few years, enterprises across Australia have moved more and more of their systems and applications to the cloud, with the trend only gathering pace as people increasingly work outside the traditional network perimeter, often at home and other locations.
Throughout 2022, several large enterprises, including NAB, doubled down on their cloud migration plans, while the vast majority of the CIO50 listed this among their top priorities.
But while the cloud provides more flexible and scalable IT services, it’s also introducing new and vexing challenges around cyber security. In particular, many organisations are having to make significant cultural – in addition to technical – adjustments to deal with the fact that growing caches of potentially sensitive credentials are in the hands of more people.
The recent attacks on NFPs would seem to highlight many of the security risks being posed by the migration to the cloud. Typically fiscally restrained, their migrations are often more hurried and less considered, while they also tend to have fewer resources to train staff, many of whom are part time or volunteers.
Our attendees reflected on the serious concerns raised about security since the earliest days of the cloud; concerns that were often dismissed as unfounded, and centred mainly around issues of data sovereignty.
But the security challenges apparent in the cloud today are quite different to what was imagined in the past.
There are several key questions organisations need to ask themselves today as part of their plans to ensure they’re assuming a robust cyber security posture as the cloud becomes increasingly ubiquitous.
- Have your intrusion detection and prevention strategies changed as you move systems and applications off your on-premise facilities and into the cloud?
- What are recent high-profile cyber-attacks in Australia teaching you about your own cyber security posture, and why can data security never be an afterthought?
- How are you ensuring your data and applications can be accessed securely no matter where users are located?
- Why is it vital to make sure your technology teams don’t lose focus on cyber security in a cloud environment with fast-moving cloud-native development processes?
- Do you feel that the pressure to migrate to the cloud and take advantage of the usability and cost benefits is exposing you to cyber security risks?
- Do you have, or are you seeking to have, security baked into your cloud provider SLAs? Do these take account of changing security risks in the event of activities being dramatically scaled up?
- Are you confident you’ll be able to contact the key people at your provider in the event of a breach? Have their staff been vetted?
- Have you ensured your provider doesn’t have your key access passwords?
- Has the criticality of your data been fully ascertained?
George Dragatsis, A/NZ chief technology officer with Hitachi Vantara Australia, says it’s essential that CISOs, CIOs and other tech leaders contemplate these questions seriously.
“Ultimately, whatever you did with respect to security on premise won’t help you in the cloud”.
He explains that there are two phases to getting security right in today’s virtual, SaaS-based environment.
The first is the ‘front end’, with an emphasis on endpoint protection, identifying external threat factors and developing strategies to mitigate them. The second is all about guaranteeing 100 percent data availability, as well as high levels of resilience, for instance in the face of a ransomware attack, to ensure a quick and effective recovery.
“Organisations need to ensure they’re able to get back up and running in the unfortunate event of an attack. And they need to guarantee the ‘immutability’ of corporate business data,” Dragatsis adds.
But according to Nathan Knight, managing director of Hitachi Vantara A/NZ, while most tech leaders understand the importance of getting back up and running as soon as possible after a breach, many businesses lack a clear picture of what’s actually occurred and the implications.
“Visibility into the impacts of breaches appears to be poor, with Medibank, for instance, still unable to tell customers what data has been lost”.
The Medibank breach of November 2022 has been described as arguably the biggest in Australian corporate history, with more than 200 gigabytes of sensitive health data from almost 4 million Australians being ransomed under threat of publication on the Dark Web.
It’s now widely accepted that the breach followed a simple theft of key credentials from an unwitting staff member; a situation that is becoming more common because of companies’ increased reliance on the cloud.
And while every cyber breach seems to trigger vigorous finger pointing, especially from the media, Knight stresses that cyber security is far from a perfect science, with the cloud making it even less so.
“Maybe we all need to accept that you can’t keep everyone out, and that it’s critical to focus on getting back up and running as quickly as possible”.
Darren Reid, director of VMware’s security business, explains that the nature of cloud computing demands an approach to security that is “intrinsic”. “Security must be built-in, rather than bolted-on”.
He adds that as we’ve modernised apps and moved to the cloud at speed, many organisations seem to have lost sight of the “controls that we used to have”.
“We’re accessing data via unsecured networks and all of that structure we used to have around us is basically gone”.
When trying to secure networks today, it’s critical therefore to know the first point of entry. Figuring this out requires micro-segmentation and the correlation of end-point data.
“You can limit to laptops, or segment networks. That’s ok,” Reid says. “But if an attacker is inside your apps, data is being exfiltrated and you’re about to be ransomed”.
Tech and business leaders are increasingly being urged to work more closely together on cyber security, with the move to the cloud playing no small part in ramming home the message that everyone has their part to play.
“Security is not just a problem for security people anymore,” stresses Reid. “It’s a team sport for everyone in the company.”
Meanwhile, as several of our delegates noted, not only are cyber attackers becoming more sophisticated and organised, we’re now entering a new phase whereby they’re operating more like entrepreneurs, taking more serious note of things like ROI, profit and loss, arguably strengthening their resolve to ‘get results’.
However, Reid notes that despite the heightened risks, there is a definite lack of skills more broadly across organisations, meaning CISOs, CIOs and other tech professionals with responsibility for cyber are “getting slammed”.
Moving forward, all attendees agreed that it’s imperative cyber security is elevated in all discussions across organisations, starting with ensuring that everyone understands what a phishing email is.
Business teams need to be up to speed and vigilant. And when problems are reported, there needs to be a proper understanding of the context.
Further reiterating the importance of ensuring rapid recovery, Reid adds that nothing should be taken for granted when it comes to backups either.
“While people might say, ‘oh, we’ve got a backup’, the question needs to be asked: are those backups ‘immutable’?”