Cloud security risk due to distributed workforces

By Eklove Mohan, Senior Director, Technology, Synechron Ashburn, VA, USA

The pandemic introduced us to a new reality of uncertainty across every part of the world, including India. We are seeing the unseen, imagining the unimaginable and protecting the unprotected. This applies to anything, including Covid, the economy or even cyber security. That’s what this pandemic has done. No matter who and where you are, you are affected. Preparedness is the only way to counter this. 

According to VMware Carbon Black data, financial industry enterprises saw a 238 per cent increase in the number of cyberattacks just during the initial phase of the pandemic from February to the end of April 2020. This was primarily because hackers caught organisations unprepared and unaware of how to protect their assets. Things that were well protected behind closed doors suddenly had to be opened, and the security had to be relaxed or at least did not have the same priority as ‘keep the business running’. 

Moving to the cloud suddenly became the top priority for many organisations. Cloud computing is not as easy as it has been promoted as being. One of the key reasons for this is due to the misunderstanding of roles and responsibilities between cloud providers and the organisations. Every cloud provider has its concept of the “Shared Responsibility” model, but complexity lies in the way you want to use the cloud (IaaS, PaaS or SaaS). Experience is the only way to understand this model. 

During the pandemic, when organisations moved in haste to cloud, the security nuts and bolts were not as tightly fastened as they should have been. This led to a lot of attacks. In fact, it was observed in a study by IBM that 95 per cent of cyberattacks are caused due to human error or misconfigurations. With more and more organisations moving on to cloud, especially in the current scenario, we are facing a big threat of exposing ourselves to cyberattacks. 

Moving to cloud has become a new normal, but we need to ensure that risks of running applications on cloud are being considered and a prevention plan exists. The first and foremost requirement for the organization is to have a cloud governance team. This ensures that there is a centralised body that is responsible for implementing the best practices, certifying the ’can be used’ services, and monitoring the entire infrastructure on cloud. Understand that the governance team only provides guidelines that are considered at the organisation level, whereas the development/operations teams would be the ones implementing them based on the application requirement. For example, the governance team may provide a guideline that the private and public data be stored in different buckets and have the right roles associated with each bucket, but they would not go into each of the buckets to verify that. The development team would be responsible for ensuring data segregation and ensuring that they have a proper lifecycle implemented on the buckets. This, like the shared responsibility model, leaves the door open for confusion. 

With all these confusions and misconfigurations, the major question is: how to determine if your business is prepared for the inevitability of a cyberattack in the cloud? To answer this, let’s break it into three levels of security:

Level 1 — Block easy pass. There are a few checkpoints necessary. A very basic one is to at least have periodic scans to make sure that the basics are right. For example, run a scan for all the running Virtual Machines to assess if port 22 or port 3389 have accidentally been left open for the entire world. Another is checking for public write access on storage buckets. Regularly conduct penetration tests to check your preparedness for cyberattacks. If your organisation has allowed connecting to the network via your own private IT devices, implement strict shadow IT rules. This is even more important if IoT devices are allowed to connect to each other. Nothing would be more lethal than a hacker getting into your cloud environment and moving laterally throughout the network without any restriction. 

Level 2 – Conduct alertness checks. Hackers may not always try to storm the entrance gate. Consider the case of supply chain attacks. They ‘tailgate’ with something that is considered authentic. Organisations should be prepared for this and should have implemented ways to be notified of these activities. One of the best ways for this is via honey tokens — fake resources that are especially created to identify breaches. None of the applications/genuine users would actually use them because they know they are not authentic, but hackers won’t know that. If a hacker gets hold of this fake resource and uses it, it will sound an alarm. It’s generally implemented with the cloud accounts access and secret keys since the usage of these can be easily tracked.

Level 3 – Ensure damage control. Even after Level 1 and Level 2 security implementation, an attack may still happen. The reputational loss may not be easily compensated for, but the financial loss can be. Consider opting for cyber insurance, a specialty line insurance that protects organisations and individuals from internet-based risks. Many insurers now provide this. With cyberattacks on the rise, organisations should consider this within their overall cyber security preparedness. 

The road ahead for the Indian cloud security market is bright, but cyber security will be costly. While modern India already had a great digitalisation adoption rate, the pandemic increased use of digital technologies and data solutions. Once the pandemic is over, this growth is not going to diminish, and more avenues will open up. India businesses understand that this growth can only be handled by more cloud adoption, thereby also creating more opportunities for hackers. India will face a steep increase in their cloud security budgets to counter this growth. Per the study published by PWC-DSCI, the cloud security market in India is expected to grow from US$ 1.97 billion in 2019 to US$ 3.05 billion by 2022.