As remote working explodes, cloud visibility is no longer a “nice to have”
Mon 6 Apr 2020 | Jeremy Snyder
Is centralised visibility still a nice-to-have, or is it a necessity?
Cybersecurity teams are some of the most risk-averse people in any organisation — they have to be. In our new coronavirus-induced reality, however, this trait is being challenged.
Security pros dipping their toes into cloud applications have been forced firmly out of their comfort zones. Instead of vetting remote work or cloud-based systems one by one over a suitable period, companies are spinning up multiple overnight. And this is against the backdrop of all of the other numerous fears and anxieties that a global pandemic brings to the table. It doesn’t matter if you’re in marketing, finance or IT: high-pressure situations breed errors.
“The combination of these factors together makes this a very risky situation for a lot of organisations,” says Jeremy Snyder, VP of Business Development and International Strategy at cloud security company DivvyCloud.
Snyder, an MBA and computational linguistics graduate, has driven business development for a raft of cloud solution providers in Washington, DC, and is a regular speaker at cloud conferences and meetups. Speaking to Techerati, Snyder identified three risk factors that IT teams are currently battling with: secure access, secure data transfer and data governance.
“There are several questions that need to be answered. Can everybody access the systems that they need? Can they access them in secure ways? Is the data secured and encrypted, or is it potentially exposed for people to eavesdrop on?”
“Last but not least, as you shift more work into cloud-based systems, organisations need to know who controls each application, partially from the standpoint of the vendors behind them and the governing law across where data is stored on those systems, but more so on their own side. Ultimately, customers are always responsible for the security of their own data,” he explained.
The cloud’s “Shared Responsibility” model divides security responsibilities between users and vendors of infrastructure, platform- or software-as-a-service offerings. Even though there is no uniform model across cloud service providers, models typically define data protection as the customer’s responsibility.
Cloud-mature organisations understand this well. Those pivoting to cloud-based systems for the first time, on the other hand, might be caught out. Even in “ordinary” circumstances, organisations have often struggled to do the basics, like securing cloud databases. Innumerable high-profile organisations have left S3 buckets or Elasticsearch databases exposed to the wild. Cloud beginners should learn from their predecessors’ mistakes.
Other internal considerations include mechanisms like access control. It’s an unfortunate fact that employee layoffs will likely accelerate in the coming weeks. A data storage platform like G Suite won’t be sensitive to these changes but will instead continue to present company documents to every user until it’s told otherwise.
And responsibility does not just fall on the shoulders of IT. A resentful employee wishing to infiltrate a sensitive Zoom meeting could do so with ease by calling up a personal meeting ID. When was the last time you updated your personal ID?
Remote working also exacerbates the complexity of firewall management and configuration. Unlike corporate locations or offices, IP addresses associated with home broadband connections are dynamic. Snyder warns that, rather than triggering access manually, organisations might be tempted to “open up things broadly.”
“The broader you open it, the higher the risk of somebody unintended joining,” he says.
Interestingly, to solve rising cloud management complexity, organisations probably need more cloud, not less. Namely, a cloud tool that provides a big-picture view of expanding cloud kingdoms: where data is located, who has access to it and whether it’s being transmitted securely. Long before coronavirus, many vendors, including Snyder’s DivvyCloud, stepped in to fill this gap.
“Once you’ve got centralised visibility in place, cloud based systems are actually far superior to on-premise systems for managing this on an ongoing basis,” Snyder says. “As cloud-based systems are software defined, making the necessary changes to allow or deny access is a matter of a few clicks and a few seconds. The real challenge is establishing that overall visibility from the start.”
A list of environment changes as long as your arm doesn’t fix the complexity problem; it’s just a starting point. Incoming data needs to be split up, tagged and filed appropriately, so teams can see the context behind it. Firewall changes, for instance, can be meaningfully differentiated based on which system is being opened, to whom and for what purpose.
“Tagging becomes a very powerful tool to provide a context that you need so that changes get properly processed, accepted or rejected,” Snyder says. Of course, something like a publicly exposed database doesn’t really need this kind of context; it just needs to be identified and secured.
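A sketch of how tagged firewall changes could be triaged along the lines described above, including the broad openings Snyder warns about. This is an added example, not code from the article or from DivvyCloud; the tag names, the port list, the 256-address threshold and the sample change records are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed for this example: data-store ports and a hypothetical tag scheme.
DB_PORTS = {3306: "MySQL", 5432: "PostgreSQL", 9200: "Elasticsearch", 27017: "MongoDB"}
REQUIRED_TAGS = ("system", "owner", "purpose")  # which system, to whom, for what
MAX_SOURCE_ADDRESSES = 256  # assumed threshold for "opened broadly"

def triage(change):
    """Return (decision, reason) for one proposed inbound firewall change."""
    net = ipaddress.ip_network(change["source_cidr"], strict=False)
    tags = change.get("tags", {})
    # A data store open to the whole internet needs no context: reject it.
    if net.prefixlen == 0 and change["port"] in DB_PORTS:
        return "reject", f"{DB_PORTS[change['port']]} exposed to any address"
    # Without tags a reviewer cannot tell what is opened, to whom, or why.
    missing = [t for t in REQUIRED_TAGS if not tags.get(t)]
    if missing:
        return "review", "missing tags: " + ", ".join(missing)
    # Tagged but broad: a home worker's dynamic IP does not justify a wide range.
    if net.num_addresses > MAX_SOURCE_ADDRESSES:
        return "review", f"source range covers {net.num_addresses} addresses"
    return "accept", f"{tags['system']} for {tags['owner']}: {tags['purpose']}"

# Constructed sample change records (documentation IP ranges, made-up names).
FULL = {"system": "vpn-gateway", "owner": "it-ops", "purpose": "home worker access"}
CHANGES = [
    {"id": "chg-1", "source_cidr": "0.0.0.0/0", "port": 9200, "tags": FULL},
    {"id": "chg-2", "source_cidr": "203.0.113.24/32", "port": 443, "tags": FULL},
    {"id": "chg-3", "source_cidr": "198.51.100.0/24", "port": 22, "tags": {}},
    {"id": "chg-4", "source_cidr": "0.0.0.0/0", "port": 443, "tags": FULL},
]

def triage_all(changes=CHANGES):
    """Map each change id to its (decision, reason) pair."""
    return {c["id"]: triage(c) for c in changes}

if __name__ == "__main__":
    for cid, (decision, reason) in triage_all().items():
        print(f"{cid}: {decision:7} {reason}")
```

Note that chg-1 is rejected even though it is fully tagged: the exposed-database check runs before any context is considered.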
Now that the coronavirus wave has rocked company boats, organisations have no choice but to hand life rafts out to employees stranded overboard. Every new and necessary access point must be understood, monitored and guarded. Technology that eases this complexity is available if firms choose to use it. The question they must ask themselves is: Is centralised visibility still a nice-to-have, or is it a necessity?