It's all about data security. Some companies prefer to build Ft. Knox-type data centers that they can defend with latest-generation hardware and software, along with an army of technicians to monitor logs and network activity. Others opt for an outsourced approach, engaging managed security services providers (MSSPs), Software as a Service, Platform as a Service and other fill-in-your-favorite-technology as a Service approaches to cloud-based computing.
Michael Viscuso, chief strategy officer at Bit9 + Carbon Black, was co-founder and CEO of Carbon Black before it merged with Bit9 in February 2014. In addressing the trend toward MSSPs in the cloud in a March 2016 story in SC Magazine, he said, “By now, the vast majority of businesses understand that a breach will invariably hit them at some point. As a result, they are taking an active approach with their security posture, and MSSPs are a great option to make that switch quickly.”
But is the cloud actually safer than traditional data centers? The bottom line is: That depends. While cloud-based approaches have their champions, there are still some vulnerabilities from which you simply cannot run away, regardless of the computing approach you take. Here are five examples that impact on-prem and cloud-based data centers alike.
1. Compromised Credentials. Whether a corporate “user” is a person or a server communicating with another system, login credentials can be compromised. Perhaps the user logs in to a corporate server from a breached, free Wi-Fi connection in a local bistro or perhaps the user is re-using login credentials that they use for their YouTube account that was hacked — the reasons don't matter. Sometimes administrative server credentials are compromised, making it possible for an attacker to access a server that normally has no human users. What matters is that the login credentials have been compromised and perhaps are available for a few pennies on the Dark Web. Without a strong user authentication strategy that incorporates multi-factor authentication, along with policies and procedures that dictate where and how a user is permitted to access the corporate network, it is possible that the authentication protocols can fall. One popular approach is a multilayered, multifactor, encrypted authentication system that confirms that both the person and the server should be engaging in communications.
2. Malicious Insider or Accidental Breach. No one likes to think that their internal staff is deliberately stealing data, but that does happen. Sometimes, however, the “malicious insider” is not being malicious out of spite or anger; it could be a user trying to do their job but using unsafe computing practices. It is essential to identify the insider and then determine whether the attack is deliberate. An employee who downloads ten times the amount of data they normally access, saves it to a thumb drive, then goes on an international trip might well be trying to steal secrets. However, it also is possible that the employee is downloading the data so that they can access it more conveniently while traveling, not taking into consideration that the data is confidential and they are creating a risk. A forensic analysis, combined with an interview of the individual and analysis of their overall work habits, can help the CISO determine whether this is a malicious insider or an accidental but well-intentioned breach.
3. Defending the Network. When a company owns and controls the data center and the entire infrastructure of its corporate network, it is clear who is responsible for data security. However, in the cloud, that responsibility becomes murkier. It is not always possible for a company to test the full extent of its service provider's security. As a result, trust and contracts become key tools in the defensive relationship, but that's not nearly enough. If you use a cloud service provider, you need to examine the provider's own audits of its security. You also need to understand that provider's own supply chain, along with the provider's own disaster recovery plans and tests. The infrastructure might not be yours to access directly, but if your company's essential data assets are going to be housed on a cloud provider's network, it is incumbent upon you to understand fully your provider's own security plans and how well it executes on those plans. It's all part of your due diligence.
4. Data Breaches. Data breaches happen, in the cloud and on-prem. The question for you is this: What is your plan to identify and defend against the breach, especially if you do not have direct, physical access to the breached data? Here are some recommended plans to have in place before the breach.
a. Make sure that you don't keep all your live data in one basket. It is best to make sure you have copies of your data in more than one location, along with encrypted backups of your live data. If Cloud Provider One's data center is breached, you need to be able to cut the cord that ties you to that data center so that your business can continue to operate using live data from a separate data center.
b. Just as you want to have multiple locations for your live data, having multiple data centers for backups is also important. Backups that can be accessed quickly and accurately are essential today, especially considering the laws and regulations concerning privacy and archived data. Don't get caught without access to your data simply because your cloud provider got breached or was a victim of a DDoS or other attack.
5. Due Diligence. It doesn't matter where your data is stored. If you have not done your due diligence to ensure you have the best security policies, procedures and protections in place, you likely will be breached. Just because data is stored on a cloud provider's servers doesn't mean your data is safe from an advanced persistent threat attack, distributed denial of service, phishing or any other type of attack. If the provider has not done its job to stop vulnerabilities and protect itself from its own supply chain, it can be breached. The same is true for a corporate data center. What this means is that no matter where you store your data, house your apps, or keep your backups, you must ensure on a regular basis that your protections are still in place and your data has strong defenses against an intruder. Due diligence is not a one-time activity — it is an ongoing process.
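The volume indicator from item 2 (an employee downloading ten times their normal amount of data, then saving it to a thumb drive) can be expressed as a simple per-user baseline check. This is an added example, not part of the original article; the log format and the `download` / `usb_write` event names are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample events: ISO date, user, action, bytes. Not from a real system.
SAMPLE_LOG = """\
2024-03-01 alice download 120000000
2024-03-02 alice download 100000000
2024-03-03 alice download 110000000
2024-03-04 alice download 1300000000
2024-03-04 alice usb_write 1250000000
2024-03-01 bob download 400000000
2024-03-02 bob download 450000000
2024-03-03 bob download 420000000
2024-03-04 bob download 900000000
"""

def parse(log):
    """Return {user: {day: {action: total_bytes}}} from whitespace-separated lines."""
    totals = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines rather than crash the job
        day, user, action, size = parts
        totals[user][day][action] += int(size)
    return totals

def flag_volume_spikes(log, factor=10, min_history=3):
    """Flag days where a user's downloads reach `factor` times their prior median."""
    findings = []
    for user, days in sorted(parse(log).items()):
        history = []  # daily download totals seen so far for this user
        for day in sorted(days):  # ISO dates sort chronologically as strings
            downloaded = days[day].get("download", 0)
            if len(history) >= min_history:
                baseline = median(history)
                if baseline > 0 and downloaded >= factor * baseline:
                    findings.append({
                        "user": user, "day": day,
                        "ratio": round(downloaded / baseline, 1),
                        # Same-day copy to removable media raises priority only;
                        # intent is settled by forensic review and an interview.
                        "removable_media": days[day].get("usb_write", 0) > 0,
                    })
            history.append(downloaded)
    return findings

if __name__ == "__main__":
    for finding in flag_volume_spikes(SAMPLE_LOG):
        print(finding)
```

A finding here is a prompt for the forensic analysis and interview described in item 2, not a verdict on intent.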