This article is part of our new State of Cloud Security 2021 Series which will interview a diverse mix of cloud security experts, design-makers, and practitioners with a goal of better understanding their perspectives on the current state of and future of cloud security.
The following is an interview OpsCompass CTO, John Grange recently had with Piotr Wieczorek, CEO of Fly on the cloud.
JG: What is the state of cloud security today?
PW: The state of cloud security is far from perfect – not due to insufficient technology, but rather due to too much trust placed in the technology and lack of risk-awareness. Although security measures available today are more than enough to ensure data safety, their weak point always lies in the human factor. With the rising value of data, we can be sure that any back door accidentally left open will be mercilessly exploited by cybercriminals.
Businesses enthusiastically adopt the public cloud and chase a return on their investment but far too often fail to leverage available security tools. Oracle and KPMG cloud threat report 2020 revealed that companies heavily invest in cloud security, as 78% of businesses use at least 50 cybersecurity products, 37% use more than 100 such products. Multiple misconfigured tools with limited functionality are often far worse than one or two that are fully understood and put to practice according to thought-through strategy. Know-how and tech are there, ready to be used. Still, not enough pressure is put on the optimization of security systems and enforcement of the basic safety rules.
JG: What are the most common challenges organizations face when it comes to cloud security today?
PW: The pandemic forced most companies to shift toward decentralization and distributed workforce. Now, the most common challenge faced by our clients is evolving security strategy accordingly to that shift. It needs to fit new patterns of behavior and risks associated with having data processed on many devices in various locations. IT professionals put even more focus on access management and configuration of cloud security tools – so another challenge is to allocate time and manpower to audits and training.
Prevention is an ongoing process that is never fully concluded. It involves frequent checking and double-checking every potential loophole and sensitizing workers to quickly report any malware, phishing, or lost devices to system administrators. If circumstances like excessive permissions, default security profiles, and unenrolled devices are paired with MTTR oscillating around 30 days, then a serious breach of security is not a matter of “if” but “when”.
JG: What lessons can be learned from the biggest cloud-related security breaches of 2020?
PW: Two famous data breaches from the beginning of 2020 targeted Marriott and Magellan Health – big players in industries that gather volumes of personal data from the public. Both teams of cybercriminals started their operations by obtaining credentials from representatives of those companies. The predominance of frontline employees in hospitality and healthcare makes a top-down approach to security harder but also even more crucial. They have direct contact with customers and access to sensitive information, so they are prone to social engineering and phishing.
The lesson here could be summed up in a proverb “a chain is as strong as its weakest link”. Train and encourage employees to show a proactive attitude toward risk prevention. Security should be built in the roots of the organization.
JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?
PW: My pieces of advice to anyone willing to improve safety in the cloud would be:
● Develop a security-centric mindset at every level of the organization.
● Segment resources by granting minimum access needed. Never assume that if someone or something is within the corporate network, then it can be trusted.
● Polish your incident response, estimate your MTTR and shorten it.
● Teach employees how to recognize and report phishing.
● Embed security early in the development of your services and strive to stay ahead of emerging risks.
JG: What’s the future of cloud security?
PW: The reality is that no matter what security measures you deploy, hackers will always catch up and wait for any mistake on your part. It’s a constant struggle that forces both sides to step up their game.
The future belongs to those, who are aware of the fact, that cloud security is a journey, not a destination. Businesses ready for constant self-improvement in this area are most likely to stay safe and gain long-lasting customer trust.