The path to the cloud is often fraught with obstacles. Whatever cloud solution is being considered, guaranteeing continued service performance and a high level of data security is a major concern. To resolve these problems, companies must work with a reliable partner that can help them migrate with confidence and benefit from the many advantages the cloud offers.
Born in 1990 and taking off with the internet, cloud computing developed with one main advantage: the ability to store files somewhere other than on local servers. The goal is to give users access to many online services without having to bear the cost of a cumbersome infrastructure. For companies, the cloud has become an essential tool. It allows them to go far beyond the capacity of local devices and hard drives. By hosting strategic data, the cloud has gradually become an attractive environment for hackers, and the pandemic did not help. Yet, paradoxically, it is one of the environments for which security teams are the least prepared.
Clouds above security
These days, cloud cybersecurity is without doubt a major topic for companies, covering data security, user identity and access management, governance, and data retention planning. Continuity of operations during a cyberattack is even part of cybersecurity offerings. Cloud security also rests on the development of new cutting-edge technologies. A new generation combines AI and automation to detect faults, using sensors that report code changes in the cloud. It can thus react to a cyberattack in real time and neutralize it in an entirely automated way.
Despite the best intentions of the suppliers, it is users and misuse that generate most of the attacks. Training customers to adopt good reflexes, and so limit attacks, appears indispensable. “In an instinctive way, one may think that the cloud is secured. This is true for the most part from the suppliers’ liability viewpoint, but many actions remain the responsibility of user entities, which are, regretfully, often forgotten about! It’s a major point for the security of new applications”, explains Gérôme Billois, a partner at the Wavestone firm. To put it plainly, it is up to companies to make sure the tools they use are configured correctly. Nevertheless, migration to cloud environments remains a complex and time-consuming task.
Two common causes of data breaches in the cloud are misconfigured access restrictions and forgotten or poorly secured systems. Both, however, fall under the responsibility of the organization, not that of the cloud service provider.
Certainly, cloud service providers know full well that they must do what it takes to guarantee the best security, but in the end, if a customer's data is compromised, it is first and foremost a problem for the user entity, which bears the consequences. For example, if an organization is the victim of a ransomware attack, it is the organization, not the cloud provider, that must pay the attacker.
Providers also offer services to support their customers. For instance, Google offers a Cloud Security Command Center that acts as a scanner to seek out vulnerabilities. For their part, Amazon and Microsoft have built applications and infrastructure to help customers adopt security best practices.
However, the fact that the big cloud companies provide secured services does not mean that cloud users can let their guard down. Cloud service providers have already invested enormous resources in the security of their own products. The main players, including Amazon (Amazon Web Services), Microsoft (Azure) and Google (Google Cloud Platform), have made security one of their highest priorities.
Cognyte, the 5 billion break-in
In June 2021, the cyber-analysis company Cognyte failed to secure its database, exposing 5 billion records. The files were put online without password protection or any authentication requirement. The database, which contained names and e-mail addresses, was exposed for four days. This kind of mistake is a gold mine for attackers.
For his part, Gérôme Billois, partner at the Wavestone firm and author of a report on the cyber maturity of large French companies, points out that 47% of the companies rely only on the provider's security alerts, which is far from sufficient.
A dearth of cyber talents
In France, as worldwide, cybersecurity faces a shortage of talent: more than 15,000 available positions remain unfilled. Big companies are trying to reverse the trend and strengthen their teams, but the gaps are significant given the digital maturity of the industries. As for staffing within the organizations assessed by the Wavestone firm, there is less than one person dedicated to cybersecurity per 1,500 employees, a number far too small to face the current challenges.
Well aware of this issue, Microsoft wants to curb this shortage with an ambitious plan to train nearly 10,000 professionals by 2025, notably through the Microsoft Cyber School by Simplon. The idea: communicate to attract young talent, even those with no experience in the cybersecurity sector, and support them throughout a complete training cycle so they can be recruited directly upon completing the training.
Integration to secure migration
When a company decides to migrate to the cloud, it exposes itself to risks both in migrating data and in providing new access to its employees. The integrator then plays an essential role in this complex process: it can limit the garden-variety errors that lead to flaws and relieve security teams overwhelmed with alerts to process. “Misconfigurations have greater consequences in a cloud environment”, points out David Hatfield, co-CEO of Lacework, the American cybersecurity unicorn. In the run-up to a cloud migration, integrators generally establish a transfer architecture that defines and plans the migration process. This consists of clarifying the requirements of the cloud solution with the customer and designing the data migration strategy (for instance, setting migration priorities so as to maintain the company’s services during the migration).
Flaws occur when computing resources are incorrectly configured, leaving the door wide open to malicious activity. Integrators have several tools at their disposal to secure the migration as much as possible. Among them:
• Data encryption, making sure that data is encrypted both at rest and in transit.
• Vulnerability assessments of the cloud through test routines, some of which focus on intrusion into the cloud environment, making agile correction of each flaw possible.
• The implementation of additional security on the laptops, desktops and mobile devices of company employees.
• The implementation of multi-factor authentication systems for the most strategic data. Users must confirm their identity by, for instance, scanning their fingerprint or entering a code received by phone.
The great strength of cloud integrators is their application of agile methods inspired by DevOps. There is even talk of DevSecOps, which automates security across the lifecycle of data in the cloud. Each step of the migration to the cloud is thus subject to security checks.
In other words, despite the quick and continued adoption of this remarkable storage tool, security remains more than ever a crucial challenge for cloud customers.
In summary, the possibility of many critical security issues in the cloud calls for vigilance, appropriate attitudes and strong security solutions, in particular by working with integrators with whom the company can set up its migration strategy. It will then be easier and more efficient to integrate security into the transfer of data to the cloud, while establishing a rigorous framework for access management and flaw prevention, so as to guarantee long-term security as far as possible.
Sources:
https://www.kaspersky.fr/resource-center/definitions/what-is-cloud-security
https://www.simplilearn.com/things-you-must-know-about-cyber-security-in-the-cloud-article
Le Figaro - The Cloud, the Achilles’ heel of cybersecurity, Ingrid Vergara (April 2022)
https://itrmanager.com/articles/193970/le-niveau-de-maturite-cyber-des-grandes-organisations-francaises-reste-largement-insuffisant.html (Gérôme Billois quote)
©2021 FiveForty°. All Rights Reserved.