As the intrusion threat against businesses becomes more widespread, gaps in cloud security are a troubling topic for CIOs. No single solution can protect a business, so a multi-layered defense is the only way to cover those gaps, ensure continuity and keep firms prepared when disaster strikes.
Cybersecurity remains the number one challenge for CIOs, even as digital business and digital transformation challenges push firms further into the cloud. As IT departments migrate, the move from a legacy on-premises security posture to a cloud-facing, cloud-embracing one can create all manner of challenges. From private to hybrid and public clouds, the list of challenges and risks that cloud security poses is ever-increasing and therefore requires a joined-up approach to meet them. But which of these challenges are at the top of the CIO’s agenda, and how can they be solved?
1. The boom in data breaches
The threat of data breaches doesn’t just concern businesses - the World Economic Forum lists data theft and cyberattacks as the fourth and fifth biggest threats to the entire planet. With all that’s going on in the world, the CIO must face both sets of challenges and protect the company from the massive risk of a data breach.
As firms adopt the cloud for their productivity and data processing tasks, the risk of a breach grows with the volume of attacks from common cloud security threats. Some leaders, especially among smaller firms, think it’s up to their cloud provider to ensure security. However, the onus remains on the firm, just as it did in traditional on-premises times, when a firewall and antivirus software were top of the security charts.
Data breaches are a daily occurrence with only the major events hitting the headlines. Most recently, Air India’s breach that exposed 4.5 million customer records made global headlines and left those customers feeling exposed and betrayed. While your firm’s footprint may not be as dramatic, it remains a target due to the indiscriminate nature of hackers’ automated tools.
To defend against data breaches, CIOs need multilayered defenses. These include ensuring high-level security and safeguarding for all vital data by:
- Controlling access to only key employees
- Ensuring multi-factor authentication (MFA) is in use
- Making sure all security tools are up to date
- Following data governance rules for your market/region
- Securely archiving or destroying old data
- Training staff in data handling and sharing
2. The growing risk of cloud account hijacking
With cloud services come large numbers of user accounts across enterprises, creating potentially thousands of individual weak points. CIOs need to drill strong password and privacy practices into the business from day one of onboarding, reinforced by regular strong password changes and training to spot and avoid phishing attacks or other methods that hackers use to gain entry to a business.
Once an account is compromised, hackers can create further backdoors, download key files and extend their reach into the company. Every business needs policy and compliance management services, workload security and intrusion detection tools to keep the hackers at bay should an account be hijacked.
3. Weak control planes
When adopting cloud infrastructure and services, many providers can give a false sense of security through their easy sign-ups, flashy-looking dashboards and grand security promises. In reality, most are running on very lean budgets and provide the bare minimum in security, or only include quality tools among the premium service tiers. After all, data security is ultimately the user’s responsibility.
A weak cloud control plane is where cloud providers fail to deliver sufficient security for basic business needs. This can include allowing weak passwords, or making it very easy to change them or create new accounts without suitable safeguards such as two-factor authentication.
When considering cloud providers, CIOs need to examine the security element of the service and either choose strong security over the most competitive price or ensure third-party security tools can be integrated into the service to deliver a strong control plane. Tools like cloud access security brokers (CASB) are being increasingly used in an intermediary role between users and cloud service providers to defend corporate data and monitor user actions.
4. The risk of insider threats and users taking control
There are also many threats to the cloud from within the business. Given the choice, users may choose the weakest possible passwords. They might log on while working in cafes or airports through weakly protected or fraudulent access points, and disenfranchised workers might take the opportunity to abuse cloud services.
The US Department of Homeland Security has a detailed assessment of insider threats. CIOs are responsible for developing the tools that can identify insider risks early, or the early actions an insider might take, using forensic software and defensive tools. They must ensure that the business is just as focused on the insider risk as it is on external factors and be prepared with a reaction plan should such an event take place.
5. Control of data sovereignty and residence
As well as the malicious threat to data, there’s also the risk of it falling into the wrong hands across territories. Many regulated firms like banks must keep their data located within a specific nation or region. Generalist firms might also want to take that approach to ensure their business data doesn’t end up overseas.
When data does travel, the transfer needs an adequate decision-making process and appropriate safeguards, in line with the EU GDPR. This requires research on where cloud providers store data and ensuring that concepts like encrypting data or tokenization are employed to protect it.
As cloud deployments grow, the complexity increases and CIOs need to get on top of advanced issues and complex services. The CIO role is often being augmented by a CISO to focus on security, but a smart and adaptive approach to security is key across the whole IT security team to manage the current threats and prepare for the next ones.