Between the Yahoo breach, hacking attempts on banks reported by SWIFT, and an array of patched zero-day vulnerabilities, the past couple weeks have provided no shortage of information security lessons. In this CIO Corner, we review advice on preparing to move to the cloud and insight into the cybersecurity concerns of organizations ranging from the Department of Justice to the private sector.
If there were any doubts remaining that cloud computing is just a fad, the rising demand in the private and public sectors should put them to rest. Budget restrictions, employee demands, and superior functionality are all driving organizations to adopt cloud services. Add security to the list, too. CIOs realize outsourcing many areas of security to highly capable cloud providers offers a cost-effective, enterprise-ready solution that employees love. Of course, cloud services are not automatically secure out of the box, and most will require special configuration and third-party security providers like a CASB to achieve security and compliance requirements.
Cloud adoption no slower in the public sector, research indicates https://t.co/sw0qmFVhSF
— Jos Creese (@JosCreese) September 29, 2016
One of the most common errors organizations make when they form their cloud security strategy is approaching the cloud the same way they do existing software environments. Securing the cloud requires different technology and a different IT culture. While companies will want many of the same security controls that existed on-premises like data loss prevention and threat protection, implementing these capabilities in the cloud without compromising functionality calls for a different architectural approach. Tools like APIs enable new security capabilities, but the challenge remains for companies to consistently manage a portfolio of applications across different devices and even countries.
Fear & Loathing In The Cloud https://t.co/UwdTDZf23a
— Scott Fenton (@sdfenton) September 29, 2016
Every company has dealt with the current shortage of skilled IT security professionals. The rise of new technologies like cloud has intensified the skills shortage, since even experienced IT professionals may lack expertise in cloud systems. Many point to the need for emphasis on information security in the education system, yet the industry will only reap the benefits those investments a few years down the line. In the meantime, executives should consider training and professional development opportunities for current staff to develop and retain talent.
Amid growing U.S. cybersecurity threat, a critical lack of trained experts https://t.co/WcK6YxdeWs
— Michael Archuleta (@Michael81082) September 29, 2016
Connected devices raise the stakes for cybersecurity. Technology always advances before cybersecurity, and many IoT devices have weak default cybersecurity. Earlier this year, the EU intervened by requiring member states to meet minimum cybersecurity regulations for critical infrastructure in an effort to prevent the effects of malicious attacks. Now the US Department of Justice is eyeing connected devices’ vulnerability as targets for terrorism.
Terrorist in the machine: U.S. DOJ fears IoT security threat https://t.co/dYXJ1d2T9O
— Steven G. Snyder (@stevengsnyder) September 29, 2016
Bug bounty programs are on the rise, yet they still face challenges to preventing the malicious use of zero-day vulnerabilities. Price disparity between sanctioned bug bounty prizes and black market buyers illustrate a thriving market for criminal hacking talent. There’s no way to guarantee a zero-day vulnerability does not exist for a given software application, operating system, or device, especially after leaks of government-owned stockpiles showcased the work of professional hackers. As a proactive step, companies should invest in activity monitoring to detect suspicious activity and attempts to exfiltrate data. At the very least, bug bounty programs eliminate the low-hanging fruit and significantly increase the cost of successful attacks for hackers.
— Michael Skaff (@mskaff) September 29, 2016