Cloud security concerns Elon Musk just as much as it concerns any other business leader. Source: Jim Watson/AFP

Cloud security concerns Elon Musk just as much as it concerns any other business leader. Source: Jim Watson/AFP

Symantec CTO and Govt Affairs Director break down cloud security

CLOUD technology is interesting because it offers immense productivity and extreme agility.

For many businesses, successfully migrating to the cloud is an important part of their digital transformation agenda, and marks a critical milestone in their journey up the digital maturity curve.

However, there are significant risks as well.

“Alongside new business opportunities, cloud adoption has also unlocked a new, large attack surface for cybercriminals to exploit,” said Symantec APAC CTO Nick Savvides in an exclusive interview.

“Many organizations are struggling to understand and secure their cloud services and this, unfortunately, works in the favor of cyber criminals,” added Symantec APJ Government Affairs Director Brian Fletcher.

The duo interacted with Tech Wire Asia ahead of Fletcher’s speaking engagement at the ConnecTechAsia2019 event in Singapore next month to discuss cloud security and the impact of regulations on the technology.

According to Savvides, many cloud data breaches occur as a result of two major themes — misconfiguration of cloud services and applying on-premises security controls to cloud environments where they do not fit well.

Criminals recognize this and can leverage easily-accessible tools that allow them to identify misconfigured cloud resources on the internet – targeting these businesses with poor cybersecurity infrastructure.

For example, poorly secured cloud databases continue to be a weak point for organizations.

According to the Symantec Internet Security Threat Report Volume 24, more than 70 million records were stolen or leaked from poorly configured Simple Storage Service (S3) buckets in 2018.

To be fair, even the best and brightest companies fall prey to cyberattackers when using the cloud. Elon Musk-owned Tesla’s cloud account, for example, was also famously attacked last year and used to mine cryptocurrency.

“As more organizations embark on their cloud journey, they need to take a closer look at their enterprise security,” emphasized Savvides.

The cloud is complicated, but simplicity is key to securing it

While the cloud offers major business and operational benefits, it can also create significant exposure to cyber criminals.

To secure all the varying cloud apps used inside their organizations, many have turned to complex combinations of vendors, solutions, plugs, and fixes, each addressing a specific cloud security issue.

“Doing so only adds complexity to security stacks that are already too overburdened and fragmented to operate effectively,” warns Savvides.

This results in cloud chaos, says the Symantec APAC CTO.

“A mix and match of solutions from different cloud security vendors fail to work in harmony to protect the infrastructure.”

To resolve this challenge, Savvides suggests that organizations consider replacing the single-function point products with an integrated security platform that natively understands cloud services.

The duo emphasizes that using an integrated approach is important as many of the traditional tools don’t fit or translate well into cloud services.

“This approach can not only unify critical security and compliance services together, but also ensure threat intelligence works together to protect their cloud environments,” explained Savvides.

Well-written regulations on cybersecurity should have no impact on the use of cloud

Regulations often make migrating to the cloud quite complicated, which not only causes companies to stall their move but also forces them to make choices that aren’t right for their business.

“Well-written regulations on cybersecurity should have no impact on the use of cloud by businesses and consumers. Likewise, it need not have any impact on innovation for businesses and new project developments that use cloud products,” said Symantec APJ Government Affairs Brian Fletcher.

Recent changes to privacy regulations in Vietnam, for example, dictate that all data relating to users in the country must be stored in servers that are based inside the country.

While the law might aim to protect domestic user data, it might inadvertently weaken the security of organizations that must find ways to comply with regulations — even if it means being less secure overall.

According to Fletcher, what could go wrong is when regulators equate unrelated issues, such as the geographic location of the cloud with cybersecurity.

“Forcing business and consumers to only use cloud products physically located within their country can reduce the quality and range of services available to their constituents, ultimately reducing their ability to innovate using hyperscale technologies such as AI and easy access to new markets.”

“In fact, geographically limiting the available cloud has no positive impact on security and could even reduce the security with regards to disaster recovery,” highlighted Fletcher.

At the end of the day, the reality is that moving to the cloud is not optional and cannot be delayed. Organizations must take every precaution while migrating to the cloud but ultimately, stalling or delaying is not an option.

According to the Symantec experts, organizations that want the best cloud security must use an integrated strategy to secure themselves.

“By bringing an organization’s critical security and compliance services together, an integrated cyber defense strategy can drive down the cost and complexity of cybersecurity, while protecting the business against sophisticated threats,” concluded Savvides.