Combatting Future Security Risks to Cloud Services
Introduction
We live in an expanding digital universe. Each year zettabytes of data are added to global information asset holdings according to recent analysis by IDC, expanding the potential attack surface for highly organised cyber criminals.
The digital universe increases in complexity continually, requiring cyber security practitioners to address a fundamental problem: how do we ensure this deluge of data is protected to the highest standards in the age of the mega-hack? The proliferation of data breaches during the last decade, including the 2017 Equifax breach, which saw 144 million financial records exfiltrated by highly motivated cyber criminals, highlights the limits of defensive cyber security.
It is evident that our current approach to cyber risk management, defending the organisation from individual risks one by one, is simply not adequate in the age of an expanding digital universe. No organisation adopting new Cloud services for storage and infrastructure management has absolute control over its data, leading to regular breaches and incidents, including the major privacy scandal in 2017 when the Amazon Echo was found to be recording US citizens' private conversations.
Adopting Cloud services in any form poses a security conundrum for organisations. Cyber risk management needs to be adapted to ensure that the potential threats to security hygiene are identified and controlled as part of a systematic approach to managing cyber threats. This new approach is underpinned by changes in the way cyber threats will emerge and impact organisations over the next decade.
Managing Liquid Data Assets
Data is becoming ‘liquid’, comparable to currency flows internationally, with daily transactions across the Internet ranging from 40 million WhatsApp messages sent to 266,000 hours of Netflix consumed each and every minute of the day. This flow of data presents a major change to the way in which data and information need to be managed and secured. Previously, data was aggregated and stored in a number of standard ways and access control was managed via defined models.
These orthodoxies have been replaced by an approach to data and information that is primarily driven by access, ahead of other requirements including integrity management and protecting confidentiality. This generates new risks to protecting data against cyber threats in line with corporate security standards.
Cyber risk management has previously been mired in a defensive posture, addressing threats and risks in an inductive manner only. Cyber security practitioners have used risk management to divide threats into a long list of priorities and enacted controls without considering the organisation as a system. This has failed to resolve major vulnerabilities in our defences and allowed cyber criminality to prosper.
This approach to cyber risk management impacts the way in which we defend the organisation. For example, technology is currently instrumented to assess risk and adjust accordingly, but this is not sufficient now that we have these flows of data and information within the organisation and internationally. The evidence for this limited cyber risk management is provided by the sheer number of compromises of both hardware and software during the last decade.
We need a new approach to cyber risk management, derived from a more sophisticated conception of operational status rather than the reductive conception of security as being ‘secure’ or ‘insecure’. Google’s Mark Masterson states, “We need to stop thinking in terms of ‘security’ and start thinking in terms of ‘health’.” We need intuitive technology that can consider the status of data in context and learn quickly when to be suspicious of activities that could lead to breaches. This will drive technology to act as a health monitoring system for the organisation, assessing threats dynamically and providing constant feedback for review. This requires organisations to adapt their responses to threats, moving from a defensive, reactive approach to an approach to security risk management that is adaptive and agile, constantly checking ‘security health status’ to gain richer intelligence regarding operational status.
Cloud and Complexity
One of the major changes to IT services and a driver for international data flows has been the emergence of Cloud services. The introduction of Cloud services for a range of organisational purposes increases the complexity of the overall data system in which organisations operate globally.
The velocity of demand has been impressive with the market set to grow continually for the next decade. Data flows will continue, expanding possible attack opportunities for highly motivated cyber criminals.
The rapidity of adoption of Cloud services has highlighted specific risks for security practitioners to consider. The emerging security risks arising from this area include:
RISK ONE. Big Cloud Monopoly: the capture of Cloud services by a number of big players and the resulting balkanisation of services represents a threat to consumers. As monopolies emerge in the Cloud services markets, the risk to price and quality of service is amplified. Consider the actions of other sectors where a monopoly has captured the market. Do we really want Big Cloud in the way we have Big Oil? This might have implications for cyber risk if Big Cloud companies do not adhere to the heightened security standards being demanded by consumers.
RISK TWO. Compliance Fines: with the introduction of GDPR there is more vigilance regarding securing personal data. This new regime has already extended the size and impact of fines, possibly putting companies out of business due to insufficient security management, as in the case of WealthEngine.
RISK THREE. Outages And Failures: the elasticity of service is Cloud’s greatest selling point. However, numerous events can disrupt services, from natural disasters such as Hurricane Sandy to longer-term disruptions to infrastructure witnessed in many US states during 2018. An ageing electricity infrastructure is driving an increase in brown-outs and blackouts. Cyber risk assesses availability as one of the key metrics on a security scorecard, so what if new disasters strike, impacting services on a national and international level?
The key issue for the organisation to consider relates to the complexity of its data and information flows and the continued evolution of these processes. The ability to expand Cloud services seems limitless. But can providers scale up services securely?
Developing Cyber Risk Strategy
A systematic approach to cyber risk management can enable organisations to deal with complexity across operations and anticipate potential threats and risks.
The Cloud service conundrum provides an opportunity to adapt risk management practices to manage assets in the era of digital complexity. There are key ways for an organisation to improve its cyber risk management. These include:
• Risk strategy technique one: Cyber risk management must go from “incident response” to “continuous response” as part of this adaptation. The reactive model only works in a limited fashion in the age of complexity. The continuous review of threats provides real-time intelligence regarding security health and can aid quick decision making should indicators of compromise be identified.
• Risk strategy technique two: Cyber risk practitioners must promote a new model of the organisation, going from seeking to fortify defences to agile security health monitoring across operations. This is based on a new method for designing cyber risk into services as part of DevOps. This has been successfully piloted by Netflix, who are continuing to develop services quickly but with security embedded into processes from inception.
• Risk strategy technique three: Part of this new approach to cyber risk includes the introduction of an adaptive threat response (ATR) strategy, which focuses on detecting instances of compromise, response processes, deception reviews, threat hunting, intelligence profiling and reconnaissance across data services. This proactive risk strategy generates richer cyber risk intelligence to enable better decision making.
Going Forward
It is time to shift our risk strategy to focus on a liquid approach to cyber risk management, making clear that we face an ever-changing attack surface. This will allow organisations to stop being defensive and adopt a more threat-driven approach to reducing the risk of corporate assets being breached.
Cyber risk strategy has to enable organisations to move beyond cyber resilience to a constant state of business operations. This will aid the assessment of Cloud services and other aspects of complexity via improved monitoring and detection services.
It is evident that complexity changes the way in which cyber risk emerges and impacts organisations. Business needs to take its cue from cyber risk professionals who must drive a campaign to change the approach to risk strategy to ensure that security becomes embedded into every part of a diverse digital universe.