informa
/
Cloud
Feature

Cloud Security Basics CIOs and CTOs Should Know

Chief information officers and chief technology officers don't tend to be cybersecurity experts and yet they may have responsibility for it. Cloud security is somewhat unique because you can't control everything.

Every company should be actively investing in cybersecurity these days because sooner or later, a cybersecurity incident will happen. Not all businesses can afford to employ a chief information security officer (CISO), so CIOs and CTOs may find themselves overseeing this function even though they're probably not cybersecurity experts. As some of them have learned the hard way, cloud security doesn't just happen and not all cloud providers are alike.

Basic Services Aren't Enough

Basic cloud services include only rudimentary security that falls considerably short of enterprise requirements. Cloud vendors offer value-added security services because they represent additional revenue streams and customers need robust solutions.

"From a CIO's perspective, the No. 1 thing is really hygiene around the cloud," said Aaron Brown, partner at multinational services company Deloitte. It's [important] to appreciate the shared responsibility model because [cloud providers handle] security underneath the hypervisor, but everything above that, they offer tools for securing the environment."

AaronBrown-Deloitte.jpg
Aaron Brown, Deloitte

Beware of Misconfigurations

Cloud misconfigurations, such as the many high-profile S3 bucket misconfigurations, invite bad actors to wreak havoc.

"It's easier today to identify misconfigurations and vulnerabilities than it was several years ago, [but] cloud providers continue to innovate so the universe of potential misconfigurations is constantly expanding," said Brown. "One of the first things any enterprise should be doing is getting that visibility into configuration and environment, getting a cloud security posture management capability of some kind."

For one thing, lines of business may be procuring their own cloud services of which the IT department is unaware. To achieve visibility into the cloud accounts used across the enterprise, Brown recommends a Cloud Access Security Broker (CASB).

Cloud May Not Reduce Cyber Risk

Cloud environments have proven not to be inherently secure (as originally assumed). For the past several years, there have been active debates about whether cloud is more or less secure than a data center, particularly as companies move further into the cloud. Highly regulated companies tend to control their most sensitive data and assets from within their data centers and have moved less-critical data and workloads to cloud.

On the flip side Amazon, Google, and Microsoft spend considerably more on security than the average enterprise, and for that reason, some believe cloud environments more secure than on-premises data centers.

"AWS, Microsoft, and Google are creators of infrastructure and application deployment platforms. They're not security companies," said Richard Bird, chief customer information officer at multi-cloud identity solution provider Ping Identity. "The Verizon Database Incident Report says about 30% of all breaches are facilitated by human error. That same 30% applies to AWS, Microsoft, and Google. [Cloud] cost reductions don't come with a corresponding decrease in risk."

Cybersecurity Insurance Payouts Are Shockingly Small

Bird said companies are just now realizing that cybersecurity insurance isn't going to save them. Ransomware attacks have been increasing in number and the demand amounts are rising. Worse, the "single" ransom to encrypt data is increasingly accompanied by a "double ransom", which is a separate ransom demanded for not publishing the stolen data. Worse, they may also tack on a "triple ransom", which targets the individuals whose data was stolen. The level of cyber risk is rising and insurance companies are responding by raising the dollar amount of premiums, declining more applications and lowering policy limits.

"I've seen numbers range from zero to approximately 30%. The zero number holds a lot of weight because [the insurance companies] will mitigate thei

Liz_Tluchowski-WorldInsurance.jpg
Liz Tluchowski, World Insurance

r losses by making sure any violation of the policy would invalidate my ability to be reimbursed," said Bird. "In cases where somebody was hacked easily, or these ransomware cases [in which] somebody gained privileged access, the likelihood of any payout is zero because they're going to do a forensic investigation and determine you were negligent."

Due Diligence Is Important When Choosing a Vendor

AWS and Microsoft Azure have been the two most popular cloud service provider choices among InformationWeek readers. However, there are many other cloud service providers and not all of them have big names, like IBM and Oracle.

"I do my due diligence to understand if they have all the right security measures in place such as penetration testing, reports, and a team of people who are dedicated to security [versus] an IT team that does security," said Liz Tluchowski, CIO and CISO at personal and business insurance solution provider World Insurance. "The only thing that's not negotiable is security. We put in everything we can in place to protect what we have."

What to Read Next:

Laying Out a Road Map to Close the Cloud Skills Gap

Seeking a Competitive Edge vs. Chasing Savings in the Cloud

Building a Post-Pandemic Cloud Strategy