Cloud Security Basics CIOs and CTOs Should Know - InformationWeek

Commentary
7/30/2021
07:00 AM
Lisa Morgan

Cloud Security Basics CIOs and CTOs Should Know

Chief information officers and chief technology officers don't tend to be cybersecurity experts and yet they may have responsibility for it. Cloud security is somewhat unique because you can't control everything.

Credit: Rawf8 via Adobe Stock

Every company should be actively investing in cybersecurity these days because sooner or later, a cybersecurity incident will happen. Not all businesses can afford to employ a chief information security officer (CISO), so CIOs and CTOs may find themselves overseeing this function even though they're probably not cybersecurity experts. As some of them have learned the hard way, cloud security doesn't just happen and not all cloud providers are alike.

Basic Services Aren't Enough

Basic cloud services include only rudimentary security that falls considerably short of enterprise requirements. Cloud vendors offer value-added security services because they represent additional revenue streams and customers need robust solutions.

"From a CIO's perspective, the No. 1 thing is really hygiene around the cloud," said Aaron Brown, partner at multinational services company Deloitte. "It's [important] to appreciate the shared responsibility model because [cloud providers handle] security underneath the hypervisor, but everything above that, they offer tools for securing the environment."

Beware of Misconfigurations

Cloud misconfigurations, such as the many high-profile S3 bucket misconfigurations, invite bad actors to wreak havoc.

"It's easier today to identify misconfigurations and vulnerabilities than it was several years ago, [but] cloud providers continue to innovate so the universe of potential misconfigurations is constantly expanding," said Brown. "One of the first things any enterprise should be doing is getting that visibility into configuration and environment, getting a cloud security posture management capability of some kind."

Aaron Brown, Deloitte

For one thing, lines of business may be procuring their own cloud services of which the IT department is unaware. To achieve visibility into the cloud accounts used across the enterprise, Brown recommends a Cloud Access Security Broker (CASB).
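As an added example (not from the article, and not the code of any vendor named in it), here is the kind of posture check a CSPM product automates: it evaluates bucket records for the S3 exposures the article refers to, a public ACL grant or a wildcard-principal bucket policy, and treats the bucket's Public Access Block settings as mitigations. The record shape and the sample bucket names are assumptions constructed for the example.

```python
# Added example, not from the article: a minimal CSPM-style check that flags S3 buckets
# exposed by a public ACL grant or a wildcard-principal policy. Bucket records are constructed
# to mimic GetBucketAcl/GetBucketPolicy/GetPublicAccessBlock responses; no AWS calls are made.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}

def principal_is_public(principal) -> bool:
    # "*" or {"AWS": "*"} (also "*" inside a list) matches anyone on the internet.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def evaluate_bucket(bucket: dict) -> list:
    """Return finding strings for one bucket; an empty list means no public exposure."""
    findings = []
    pab = bucket.get("public_access_block", {})
    # ACL grants to the global groups are public unless IgnorePublicAcls is set.
    for grant in bucket.get("acl_grants", []):
        if grant.get("uri") in PUBLIC_GROUPS and not pab.get("IgnorePublicAcls"):
            findings.append("public ACL grant to " + grant["uri"].rsplit("/", 1)[-1])
    # Allow statements with a wildcard principal and no Condition are public
    # unless RestrictPublicBuckets is set.
    for stmt in bucket.get("policy", {}).get("Statement", []):
        if (stmt.get("Effect") == "Allow" and principal_is_public(stmt.get("Principal"))
                and not stmt.get("Condition") and not pab.get("RestrictPublicBuckets")):
            findings.append("public policy statement " + stmt.get("Sid", "<no Sid>"))
    return findings

def scan(buckets: list) -> dict:
    """Map bucket name -> findings, listing only buckets with at least one finding."""
    return {b["name"]: f for b in buckets if (f := evaluate_bucket(b))}

# Constructed inventory: one open bucket, one public ACL neutralised by the access block, one private.
SAMPLE_BUCKETS = [
    {"name": "marketing-assets", "public_access_block": {},
     "acl_grants": [{"uri": ALL_USERS, "permission": "READ"}],
     "policy": {"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::marketing-assets/*"}]}},
    {"name": "legacy-logs", "acl_grants": [{"uri": AUTH_USERS, "permission": "READ"}], "policy": {},
     "public_access_block": {"IgnorePublicAcls": True, "RestrictPublicBuckets": True}},
    {"name": "finance-backups", "public_access_block": {"BlockPublicAcls": True},
     "acl_grants": [{"id": "owner-canonical-id", "permission": "FULL_CONTROL"}],
     "policy": {"Statement": [{"Sid": "CiOnly", "Effect": "Allow", "Action": "s3:PutObject",
                               "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci"},
                               "Resource": "arn:aws:s3:::finance-backups/*"}]}},
]
```

Running `scan(SAMPLE_BUCKETS)` reports only `marketing-assets`, with both its ACL grant and its policy statement listed; a real inventory would be fed from the account's API responses and the findings routed to whoever owns the bucket.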

Cloud May Not Reduce Cyber Risk

Cloud environments have proven not to be inherently secure, as was originally assumed. For the past several years, there have been active debates about whether cloud is more or less secure than a data center, particularly as companies move further into the cloud. Highly regulated companies tend to control their most sensitive data and assets from within their data centers and have moved less-critical data and workloads to the cloud.

On the flip side, Amazon, Google, and Microsoft spend considerably more on security than the average enterprise, and for that reason, some believe cloud environments are more secure than on-premises data centers.

"AWS, Microsoft, and Google are creators of infrastructure and application deployment platforms. They're not security companies," said Richard Bird, chief customer information officer at multi-cloud identity solution provider Ping Identity. "The Verizon Database Incident Report says about 30% of all breaches are facilitated by human error. That same 30% applies to AWS, Microsoft, and Google. [Cloud] cost reductions don't come with a corresponding decrease in risk."

Richard Bird, Ping Identity

Cybersecurity Insurance Payouts Are Shockingly Small

Bird said companies are just now realizing that cybersecurity insurance isn't going to save them. Ransomware attacks are increasing in number, and the ransom demands are rising. Worse, the "single" ransom for the encrypted data is increasingly accompanied by a "double ransom", a separate ransom demanded for not publishing the stolen data, and attackers may also tack on a "triple ransom" that targets the individuals whose data was stolen. The level of cyber risk is rising, and insurance companies are responding by raising premiums, declining more applications and lowering policy limits.

"I've seen numbers range from zero to approximately 30%. The zero number holds a lot of weight because [the insurance companies] will mitigate their losses by making sure any violation of the policy would invalidate my ability to be reimbursed," said Bird. "In cases where somebody was hacked easily, or these ransomware cases [in which] somebody gained privileged access, the likelihood of any payout is zero because they're going to do a forensic investigation and determine you were negligent."

Due Diligence Is Important When Choosing a Vendor

AWS and Microsoft Azure have been the two most popular cloud service provider choices among InformationWeek readers. However, there are many other cloud service providers, and not all of them are big names like IBM and Oracle.

Liz Tluchowski, World Insurance

"I do my due diligence to understand if they have all the right security measures in place such as penetration testing, reports, and a team of people who are dedicated to security [versus] an IT team that does security," said Liz Tluchowski, CIO and CISO at personal and business insurance solution provider World Insurance. "The only thing that's not negotiable is security. We put in everything we can in place to protect what we have."


Lisa Morgan is a freelance writer who covers big data and BI for InformationWeek. She has contributed articles, reports, and other types of content to various publications and sites ranging from SD Times to the Economist Intelligent Unit. Frequent areas of coverage include ...