Why cloud needs a new approach to cybersecurity

CIOs and CISOs must focus on their employees, implement security by the design and reevaluate their cloud choices if they are to modernise cybersecurity for the digital age.

gettyimages 1147239870
getty

How secure is your cloud environment? If you’ve outsourced to a managed service provider (MSP) and you’re referring us to its SLA for an answer, we suggest you think again. Cloud-based data and applications might be hosted remotely, but responsibility for security doesn’t stop at the data centre’s front gate.

In reducing complexity, costs and the burden of local support, cloud is rightly becoming today’s predominant business platform, but CIOs who believe that outsourcing the infrastructure means they’re also outsourcing responsibility for corporate cybersecurity are doing their employers – and themselves – a real disservice.

Security starts at home

The weak point in any security chain is more often than not human. Recycled passwords, social engineering attacks and a failure to implement 2FA/MFA are more likely threats than remotely installed malware or any kind of physical attack. CIOs looking to secure their cloud data should turn their attention first towards their users, rather than their supplier.

Research by Microsoft, which counters more than 300 million fraudulent sign-in attempts on its cloud services every day, reveals that 99.9% of attacks can be countered through the single act of deploying multi-factor authentication, requiring a physical check or confirmation code in addition to a password on every account.

It’s reasonable to believe the results would be similar for non-Microsoft cloud services, and MFA –which is reasonably easy to use, even for the less digitally savvy – can simultaneously mitigate the risk of data loss when a device is stolen, compromised or left in the back of a taxi.

Secure by Design

Security needs to be baked in at every level and reassessed any time the business needs require an infrastructure change. Likewise, it is vital that organisations looking to partner with an unknown MSP verify that it has taken adequate measures to provide real-time analysis of their systems and potential threats through deployed security information and event management (SIEM).

With SIEM detecting threats from both inside and outside the organisation, monitoring behaviour and ensuring MSPs and their client remain in compliance with common security standards, administrators can detect issues before they become problems. Moreover, by establishing rules-based responses, systems can actively participate in their own protection, shutting down endpoint services or blocking access to hostile IPs at the point of detection while simultaneously ensuring business as usual for authorised users.

Using cloud services developed by a provider like Microsoft, rather than on-site or locally managed but remotely hosted infrastructure owned by the customer, ensures not only that organisations benefit from the latest intelligence sooner – and more timely updates to their core infrastructure – but that CIOs have the capacity they require to manage owned assets and track where their data rests. Securing CRM data at the server level but leaving staff laptops unprotected could, after all, give would-be attackers easy access to business-critical assets.

Security portability

Loyalty is no longer a given, either from staff to their employer, when their increasingly portable skill sets make them ripe to be poached, or from your own organisation to its suppliers.

Cloud offers easy terms, short contracts and platform-agnostic data formats, all of which makes it easy to switch suppliers. CIOs are duty bound to ensure that an organisation’s security measures are at least as portable as its data if the business is to remain agile.

Security, in itself, should never be a reason to stick with a current supplier if it’s no longer the best fit. Likewise, moving from one provider to another shouldn’t pose a security risk unless the provisions thus-far implemented are bespoke – which, by definition, makes them more complex to administer and prone to fail.

There’s a sweet spot in every set-up that lets businesses develop services across diverse platforms without exposing their data to risk. It’s the CIO’s job to find it, ideally in partnership with their cloud provider. Security is no longer a service to be bolted on at the periphery; it’s an infrastructure keystone, just like the storage and connectivity that facilitates cloud computing.

Rethink your security posture

Take positive steps and start freeing-up time to focus on the important stuff. Find out how Avanade can help you rethink your security strategy in a post-pandemic world, using Microsoft security technologies.

Copyright © 2020 IDG Communications, Inc.

7 secrets of successful remote IT teams