This article is part of our new State of Cloud Security 2021 Series which will interview a diverse mix of cloud security experts, design-makers, and practitioners with a goal of better understanding their perspectives on the current state of and future of cloud security.
The following is an interview OpsCompass CTO, John Grange recently had with Brad Thies, Founder and President, BARR Advisory.
JG: What is the state of cloud security today?
BT: In the last year, we’ve seen an accelerated shift to the cloud. Before COVID-19, many organizations had cloud adoption top of mind, but the pandemic definitely sped things up given the almost overnight necessity of remote work. Inevitably, concerns about security within the cloud quickly followed. In fact, according to security software and hardware company Sophos’s “The State of Cloud Security 2020” report, 44% of organizations stated data loss/leakage was one of their top three security concerns. And, believe it or not, as stated by a study from Tanium, C-suite executives reported a 90% increase in cyberattacks after workers went remote, and 98% say they saw a rise in security challenges in the first two months of the work-from-home period. In short, cloud security has moved from a nice-to-have to a need-to-have for organizations across the globe.
JG: What are the most common challenges organizations face when it comes to cloud security today?
BT: Cloud security threats and concerns can take many forms. It requires a much different security strategy than that of a physical data center because many traditional security solutions are not relevant. Some of the most common cloud security issues we see are misconfiguration, external data sharing, insider threats, data leakage, and data privacy. Let’s talk a little bit about each of these:
○ Misconfiguration: This is when a company has not configured its cloud-based system correctly, leaving the door wide open for hackers.
○ External data sharing: One of the major benefits of the cloud is how simple it is to share data, but this makes data sharing difficult to control and, therefore, links to sensitive data can easily make it into the wrong hands.
○ Insider threats: Sounds very James Bond-esque, right? The concern here involves people who already have authorized access—no hacking required—to your organization’s sensitive data stored on the cloud. It can be tough to detect misuse of this data until it’s too late.
○ Data leakage: This goes back to the ease of data sharing in the cloud. Without knowing it, or perhaps without realizing the dangers of it, employees may share public links or make assets public. Doing so means this shared information is easily accessible for the intended party and for cyber criminals.
○ Data privacy and confidentiality: This is perhaps the first thing most people think of when it comes to data security concerns. There are a number of regulations (e.g., HIPAA, GDPR, PCI DSS, etc.) that mandate the protection of customer data, but placing sensitive information on the cloud creates concern as employees may share or use it unsafely.
JG: What lessons can be learned from the biggest cloud-related breaches of 2020?
BT: With the increase in remote work, it’s no surprise 2020 brought more data breaches than ever. According to Risk Based Security, more than 36 billion records were exposed and nearly 3,000 breaches publicly reported data breaches occurred as of December 2020. Three of the biggest breaches that come to mind from last year involved Zoom, Twitter, and Marriott. Let’s talk about each of them and what I think we can learn:
○ Zoom: The need for more video conferencing made Zoom an ideal target for cyber criminals, leading to credential theft and a new issue called “Zoom bombings” (unwanted intrusion into a video call by a hacker). Simple fixes for this are to never share meeting information anywhere online and assign passwords to meetings that will cover confidential or sensitive information.
○ Twitter: It would have been hard to miss hearing about the massive Twitter breach that occurred in July 2020, where a number of high-profile accounts were hacked (e.g., Bill Gates, Barack Obama, Elon Musk, etc.). The attack was caused by hackers misleading Twitter employees into providing credentials by calling themselves Twitter support staff. Internal employee security training and awareness efforts could have helped prevent this.
○ Marriott: This was an unprecedented cloud breach caused by a hacker gaining access to the cloud via employee logins, exposing data for more than 5 million customers. The lesson here is that username/password credentials are not enough. Things like multi-factor authentication (MFA) and biometric identification could have helped prevent this.
JG: What are 3-5 pieces of advice for organizations looking to improve their cloud security in 2021?
BT: The best advice I can give is simple: Make cloud security a top priority. Some organizations leave it on the backburner because they think the chance of a breach occurring is low. But the truth is, data and cloud security breaches can take down a company financially and/or by killing their reputation. Another piece of advice I have is to train your employees about some of the common breach tactics like phishing scams, password reuse, and more. Be sure to educate them on how to identify a potential threat, and what to do when they see something odd. Finally, be sure you’re choosing the right tools based on the cloud security capabilities they have to offer. All toolsets in a cloud environment should have the ability to enforce multifactor authentication.
JG: What’s the future of cloud security?
BT: When I think about the future of cloud security, my mind immediately goes to Artificial Intelligence (AI). The use of AI as a defensive technology will be essential in helping organizations better protect their cloud-based data. The benefits are endless. For instance, implementing it can accelerate incident response times. AI can also take on manual tasks, freeing up time for an organization’s security team so they can focus on additional solutions. It can discover user patterns and help leaders make informed predictions by combing through multitudes of data. Of course, AI can’t plan and solve for every cloud issue, but I think it’s a big player in the future of cybersecurity solutions.