In my career, I have, more often than not, come across businesses that want to fast-track their digital transformation by adopting the cloud but, in their urgency and enthusiasm, tend to overlook the soundness of the solution from a security standpoint. As security solutions evolve to make your ecosystem sacrosanct, malicious players also incessantly up their game, resulting in constant cyber warfare that your business simply cannot afford to lose.
On November 7th, 2022, an unidentified ransomware hacking group claimed to possess data on 9.7 million customers of Medibank, the largest health insurance provider in Australia. Medibank also confirmed that nearly 0.5 million health claims had been unlawfully accessed. Medibank ultimately refused to pay the ransom, causing the attackers to leak the patient data on the dark web.
Or, closer to home, Air India airline data was breached in May 2021, compromising the data of almost 4.5 million passengers. The attack on the airline data service provider SITA affected not only Air India but also other airlines such as Lufthansa, Cathay Pacific and Malaysia Airlines.
Needless to say, the reputational hit takes a considerable time to mend.
“Over 6.74 Lakh cybersecurity incidents were reported in India, in 2022 till June, Minister of State for Electronics and Information Technology Rajeev Chandrasekhar informed the Parliament in July, 2022.”
The need of the hour is to reimagine the security solution for the cloud. To sculpt a secure solution, it is essential to have a forward-looking understanding of cyber-attacks. The past can be a good reference, but sometimes it can be a trap, because the old solutions don’t really apply to the current situation. On-premises security mentalities combined with fragmented scanning systems cannot address the complexity of the cloud.
Similar to the unbreachable walls and the gates of forts, the entry points to the cloud have to be impenetrable.
An impenetrable cloud ecosystem requires an approach that encompasses People, Processes and Technology.
Educating organizations from the bottom up, starting with basic security practices, is fundamental to cyber resilience. Training engineers to use MFA and not share their passwords (which caused the recent Uber breach) can be a first step in ensuring security.
Introducing processes as simple as segregating development and production environments to limit the blast radius, or regularly cleaning up residual unused user accounts, can go a long way in protecting organizations. As a responsible business, you need to review your exit processes for concluded projects and terminated employment or contracts. No one wants unintentional lingering access to their sensitive data. Similarly, authorizing access to data or infrastructure on least-privilege identity management principles is a must.
Technology, however, is the star player in the security game. While there are enough tools and services in the market to secure your cloud, it is vital to periodically check whether you are wielding them to add all the barriers and guard rails. Never presume that you are safe, and never compromise security to save cost. Ultimately, if you are hacked, the costs could be insurmountable.
Take, for example, the ML tools available in the market that can analyse or scan logs by adding filters and checking for sensitive data. Are you using them to build a multi-layered security approach for your infrastructure? These tools also play an important role in automating the identification and isolation of potential issues. If you depend on proficient individuals to run the analysis, there are serious limitations, and you are at the mercy of those individuals. Question yourself on whether your data is encrypted with keys complex enough to resist brute-force attacks, and whether your secrets are well protected in vaults.
The best way to be assured of cloud security is continuous evaluation. Conduct penetration testing for your cloud. This will help you understand your existing security status quo and enable proactive risk management. Are you employing the static application security testing (SAST) tools available to detect secrets in the code that is committed? Are you conducting black-box testing with a dynamic application security testing (DAST) tool to examine your application, as it is running, for any security vulnerabilities that an attacker could exploit?
While it is essential for organizations to perpetually educate themselves on the latest tools and technology to secure the business and keep abreast of the latest developments in the world of cyberattacks, it can sometimes be an overwhelming affair. Jeff Bezos coined the term "undifferentiated heavy lifting" in his keynote in 2006. This means investing all your hard work in areas which don’t add value to your business mission. I would encourage you as an organization to focus on your business goals and partner with a best-in-league security solution provider to have a peaceful night’s sleep.
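To make the two checks mentioned above concrete (scanning logs for sensitive data, and detecting secrets in committed code), here is a small scanner added as an illustration; it is not the author's code or any vendor's tool. The rule names, the entropy threshold and the sample diff and log lines are assumptions constructed for this example, and the AWS key shown is the placeholder key from AWS's own documentation.

```python
import math
import re

# Rule name -> pattern; group 1, where present, is the candidate secret.
RULES = {
    "aws-access-key-id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "hardcoded-credential": re.compile(
        r"(?:password|passwd|secret|token|api_?key)\w*\s*[:=]\s*['\"]?([^\s'\"]{8,})",
        re.I),
}
MIN_ENTROPY = 3.0  # bits/char; assumed cut-off that drops placeholders like "changeme"

def shannon_entropy(value):
    """Bits per character, from the string's own character frequencies."""
    counts = {c: value.count(c) for c in set(value)}
    return -sum(n / len(value) * math.log2(n / len(value)) for n in counts.values())

def redact(value):
    """Keep four characters for triage; never echo the full secret into reports."""
    return value[:4] + "*" * (len(value) - 4)

def scan_lines(lines, added_only=False):
    """Return (line_no, rule, redacted_match) for each suspected secret.
    added_only=True treats input as a unified diff and checks only '+' lines."""
    findings = []
    for no, line in enumerate(lines, 1):
        if added_only:
            if not line.startswith("+") or line.startswith("+++"):
                continue
            line = line[1:]
        for rule, pattern in RULES.items():
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(1) if m.groups() else m.group(0)
            if rule == "hardcoded-credential" and shannon_entropy(value) < MIN_ENTROPY:
                continue  # low-entropy value: most likely a placeholder
            findings.append((no, rule, redact(value)))
    return findings

# Constructed sample input: a commit diff and two application log lines.
SAMPLE_DIFF = ['+++ b/settings.py', '+DB_PASSWORD = "changeme"',
               '+API_TOKEN = "Xk9fQ2mLp7vR"', '-OLD_TOKEN = "Zt4hW8nYc1bD"',
               ' aws_key = "AKIAIOSFODNN7EXAMPLE"', '+aws_key = "AKIAIOSFODNN7EXAMPLE"']
SAMPLE_LOG = ["2024-01-01T10:00:01Z INFO login ok user=alice",
              "2024-01-01T10:00:02Z DEBUG connect token=Xk9fQ2mLp7vR host=db1"]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_DIFF, added_only=True) + scan_lines(SAMPLE_LOG):
        print(finding)
```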
Finally, security is not a trivial matter, so it’s best left to the experts!