Humans as cloud security’s weakest link
Thu 17 Sep 2015
Reza Alavi, researcher at The British Computer Society, discusses the security challenges faced by companies operating in cloud environments and why mitigating human vulnerabilities should be considered as a key focus…
What makes hybrid cloud distinctive to other cloud deployments in terms of security?
Companies are striving to move rapidly into new markets and launch new products, placing increased demand on IT departments and firms to deliver. Traditionally, the focus of the tech industry has been on availability of information rather than safeguarding security and other emerging issues. Today organisations not only need to ensure that their information is available, but that it is also secure and up-to-date in terms of compliance and regulation.
Hybrid cloud provides a distinctive platform for an organisation’s services, applications and software. It guarantees high levels of availability, compliance and elements of security, as well as substantially reducing cost.
Public cloud runs across shared infrastructure, which is particularly risky for mission critical data and applications. Company systems running in a public cloud are therefore more likely to be compromised and, because of this risk, cannot achieve complete compliance.
Alternatively, high security levels can be maintained in private cloud environments, but the related costs are considerably higher.
There are certain security concerns presented by hybrid cloud, such as issues around security control and management, compliance, mobile devices, data privacy, standards, and lack of visibility. However, it is able to effectively balance these with cost compared with public and private models.
What are the main human factors at play in a hybrid cloud environment which could impact security?
Referring to the research study, Analyzing Human Factors for an Effective Information Security Management System, human factors present one of the biggest security challenges for companies running across cloud platforms. People have different levels of system access, but whether they are working in an IT department, are non-IT employees or customers, each individual can play a critical role in maintaining or damaging system security.
Direct human factors include human error, apathy, stress, and lack of awareness, skill and experience. The mistakes people make under stress, from not paying attention, or not having enough experience are important factors to acknowledge when it comes to the cloud. It is under these conditions that people are easily influenced by traps, such as reverse social engineering, advanced persistent threat (APT), and phishing attacks. All of these malicious tactics exploit human vulnerabilities, whether targeted at IT departments, staff members or a company’s customer base.
How should Situational Awareness (SA) play a part in security training for companies deploying cloud environments?
Situational awareness trains system users on how to deal with ad-hoc, agile scenarios. This includes training staff and customers with alert messages, short videos, leaflets or face-to-face information about specific situations such as online bank account fraud, showing them how to report it and the next steps to take.
Although situational awareness can help organisations deal with ad-hoc scenarios, it requires company-wide acknowledgement of a current situation. You cannot deal with situational awareness if you don’t acknowledge that something has happened and identify the cause.
Some organisations are reluctant to acknowledge vulnerabilities. Admitting an attack took place and determining what type of attacks occurred is key to situational awareness.
Business impact assessment (BIA) provides a good sense of what damage is possible from future incidents by running vulnerability and threat analysis to assess potential impact. The National Institute of Standards and Technology (NIST) and the information security standard ISO 27001 provide self-assessment guides for organisations, but companies should go beyond these suggestions and consider their own unique culture, priorities, and asset classification.
How can risk management support security safeguarding?
Risk management is always one of the key sticking points for senior managers, as it comes with associated cost. In cloud deployment, risk can be instigated by a number of people: IT employees, non-IT staff, customers, the network provider and obviously external attackers trying to infiltrate the company system. Risk mitigation processes need to consider the impact that all of these actors have on the confidentiality, integrity, availability, auditability, and authenticity of a company’s information assets. Threat assessment enables an organisation to establish types of risk based on its own culture, values, and assets.
Obviously, major threats include criminal acts, malicious activity, data loss, application hijacking, and phishing. In terms of activities considered to be results of human factors, steps can be taken to mitigate risk beyond what current security standards suggest. Regularly updating employee credentials, constantly reviewing data classification, minimising administrative access, and ensuring credential expiry of individuals who have left the company are just some of these necessary safeguarding procedures.
What are the financial considerations around training staff members using cloud deployments?
Cost around security has always been controversial because the return on investment proves extremely difficult to quantify. The relationship between investment and return value is a daunting concept for CISOs as they have to try and come up with concrete reasoning to convince the board of governors to invest. The problem is exacerbated with security training as historically it has shown little effect in preventing security breaches.
CISOs and CIOs must consider a variety of issues to ensure that their training is actually effective. One of the best ways to identify which training model is economically justifiable is to reshape programs based on the broader organisation’s risk management model. Ensuring that the security training model follows wider risk management concerns should help justify budget allocation for future investment.