Moving to the cloud is critical but is it secure? McAfee weighs in
Migrating to the cloud has given IT professionals headaches for years now because of all the different moving parts that must be balanced, at scale, before the promised returns can be achieved.
To add to the complexities, the risk of cyberattacks has increased manifold in the recent past.
As a result, not only are businesses thinking twice before migrating to the cloud but regulators too are taking action to ensure those that do make the move are taking precautions to prevent data breaches and ensure tight control and security of their applications.
In an exclusive interview with McAfee APAC CTO Ian Yip ahead of the ConnecTechAsia2019 summit, Tech Wire Asia takes stock of what’s at stake and how companies can secure themselves during the transition to a cloud-first, or rather, cloud-optimized infrastructure.
“Cloud services are now a cornerstone of modern corporates, enabling businesses to quickly scale and capitalize on opportunities without significant investment into physical infrastructure. Critical to this growth is the understanding that data, and most importantly sensitive data, now lives in the cloud and must be protected.
“As digitalization takes root, data will be the new currency of a digital-first economy, and will increasingly place cloud servers in the crosshairs of cyber criminals seeking to monetize their illicit activities.”
In Yip’s mind, companies need a firm understanding of the challenges they face before they can get to grips with them.
Yip cites a company report pointing out that despite an estimated 21 percent of files in cloud servers being sensitive data, lapses in security on multiple fronts continue to proliferate across organizations globally.
“These include sharing of information via publicly accessible links, and misconfigured security settings. Today, stolen cloud credentials from an estimated 92 percent of all organizations are believed to be available for sale on the Dark Web.”
The interconnected nature of modern technological platforms also means that a breach in one area could potentially function as an entry point for cyber threat actors to launch further attacks on the extended network.
Organizations seeking to properly safeguard their digital assets need to adopt a comprehensive, risk-based approach to cybersecurity that covers the needs of all platforms in use, ranging from device-to-cloud.
Moving to the cloud? Here’s what you need to think about first
McAfee has a reputation for its cybersecurity solutions. Building those requires a good understanding of the risks that companies face when moving to the cloud.
Here’s what Yip believes most organizations might need to think about when moving to the cloud, from a security standpoint, in order to best protect themselves:
# 1 | Governance, Control, and Visibility
Most IT leaders recognize the role of proper IT governance in ensuring that digital assets are used in accordance with policies and procedures.
However, difficulties arise from the growing number of users accessing cloud data from personal devices or applications, and from business teams procuring technology in the cloud without first consulting the security team. This is known as Shadow IT.
In many cases, Shadow IT is a by-product of businesses attempting to make themselves more competitive, and employees more productive.
Security teams that are set up to work collaboratively with the business should treat this as an opportunity to prove to the business that security team members are there to enable the business while ensuring cyber risks are properly assessed and mitigated, instead of getting in the way.
# 2 | Access Control
Passwords and access controls are vital to the security of any cloud platform. However, cyber risks increase as more users are granted access.
To address this, businesses should employ verification measures such as biometrics or two-factor authentication to ensure that only authorized personnel are able to access cloud data.
Privileges should also be restricted and reviewed regularly, ensuring that only people with the need to access specific resources are able to, and that those no longer requiring prior levels of access are de-provisioned.
# 3 | Compatibility with Existing Infrastructure
A challenge often encountered in the adoption of cloud systems is the integration of existing infrastructure and services with the cloud.
Instead of viewing technology adoption as a piecemeal process on a needs basis, business leaders should first formulate a long-term strategy for change on a company-wide scale, ensuring changes happen in line with the rest of the organization.
# 4 | End-to-End Data Protection
Protecting data in an environment that does not utilize any cloud services has always been challenging, particularly when attempting to determine where critical information is stored and accessed, and how it flows.
Adding cloud environments to the mix increases this complexity, especially given the reduced control over data and resources in the cloud.
Organizations should implement security controls that help to ensure a single view, management of policies, and control over the reduction of data breach risks.
Security must be part of migrating to the cloud
Yip doesn’t advise organizations to stay away from the cloud; he only asks them to ensure that security is included as a part of the adoption process.
“Organizations need to realize the extent of their exposure to threat actors and allocate necessary resources according to their risk profile.
“As a start, businesses should first develop a deep understanding of their cloud assets, using these insights to determine potential vulnerabilities and risks, and also possible use case scenarios.”
Yip also advises businesses to conduct the necessary due diligence to identify any security control gaps — this is vital to any effective preparedness plan and can help rapidly curtail the impact of a breach.
At a high level, Yip believes that organisations should aim for the following outcomes:
# 1 | Complete Visibility
In many cases, cloud services are managed by third-party providers, and from devices not directly managed by an organization’s IT functions.
Responsible teams need to have complete visibility and control over all aspects of cloud services to effectively monitor for security anomalies, and to subsequently deploy the right countermeasures.
# 2 | Dynamic and Complete Protection of Critical Assets
Organizations should focus on the use of security controls that protect critical or sensitive data, and assets that are deemed critical to maintaining continuity of business operations.
# 3 | Automated Policy Management
Policies are vital for data management, to detect violations, and subsequently implement appropriate countermeasures.
However, manual enforcement of policies is an uphill task in view of the extensive scale of digital processes within modern organizations, not to mention being extremely inefficient in both time and cost.
Automating processes ensures more effective management and reduces human error, reducing an organization’s overall exposure to cloud risks.
At the end of the day, migrating to the cloud is critical for the success of any organization — regardless of the industry you belong to.
However, as Yip emphasizes, baking security into the adoption process and thinking ahead can really help mitigate many of those risks and secure the organization’s new-age, cloud-optimized infrastructure.