In the following interview Zeina Zakhour, Global CTO - Atos Cybersecurity, explains how organizations can build trust in their hybrid cloud environments and elaborates on the future of cyber security. Atos has recently released an excellent, in-depth report on cloud security which can be downloaded for free.
In your report you write that “as well as multiplying opportunities cloud computing can also multiply risks”. Where do you see the most critical risks in cloud computing today?
Zeina Zakhour: With the adoption of cloud computing, we are expanding the attack surface and facing new types of attack vectors that challenge how we used to do security. The top cyber risks an organization faces in the cloud will depend on the type of data processed/accessed in the cloud, the type of cloud services - IaaS, PaaS, SaaS and so on - and the hybrid connectivity between the multi-cloud and on-prem environments. The Cloud Security Alliance’s Egregious 11 is a good start to understand the threats. And by running a cloud security risk assessment, organizations will be able to quantify the major cyber risks impacting their cloud environment.
In terms of cloud attack vectors, we have noticed, in the past 12 months, an exponential increase in cryptojacking attacks compromising vulnerable and misconfigured containers. We also noticed cross-workload attacks, especially through side-channel attacks, API exploits, and orchestration attacks.
According to your study, 95% of cloud security failures will be the customer’s fault and not the cloud service provider’s responsibility. What should organizations do about this fact?
Zeina Zakhour: Indeed, most cloud security failures, whether data breaches or systems downtime, have been the result of human error and misconfigurations.
This is due to many different reasons such as the complexity of the cloud environment, the lack of proper training of teams or the fact that cybersecurity teams are sometimes not involved in the monitoring & operation of the cloud environment. To address this issue organizations must understand that data security in the cloud is always their responsibility, not the cloud service provider’s. And therefore, they will need to tackle three pillars: People, processes & technology.
People: Security awareness training for cloud operations is essential to make sure all the teams understand the company’s cloud security policies and know how to implement the associated security controls.
Processes: Organizations will have to integrate security by design in the cloud and mobilize the security operation teams in the configuration, operation & monitoring of the cloud instances. Adopting a threat hunting program will also support organizations in proactively and regularly testing the security effectiveness of their controls and in staying a step ahead of the cybercriminals by discovering potential exploitable vulnerabilities that could lead to a data breach, or insider abuse of privileged access rights etc.
Technologies: Organizations should invest in third-party tools that give them proper control of their security posture. For instance, Cloud Security Posture Management solutions are a good investment to monitor the multi-cloud environments and identify gaps between an organization’s cloud security policy and the actual security posture. Such multi-cloud risk visibility and gap analysis will help organizations detect early on potential misconfigurations or misalignment with their security policies and execute actions to remediate any potential security issue.
New data regulations are coming into force all over the globe – GDPR in Europe is only one example. How should organizations make sure they can comply in this new environment?
Zeina Zakhour: The various data protection regulations are just about making “common sense” …mandatory! Organizations will need to implement data governance and lifecycle management programs in order to properly collect, process, store and dispose of personal data. The first challenge organizations are facing is minimizing data when collecting it to make sure they get the proper consent and they demonstrate transparency in which data is collected and for which usage. Also, organizations will have to understand where this sensitive data is, who is accessing it, and for what purpose. Data discovery - especially unstructured data - is a big problem for organizations, even the most mature ones. Understanding data criticality and identifying the risks to data privacy are essential steps to a sound data governance program. For instance, the EU GDPR regulation requires organizations to run a DPIA – Data Protection Impact Assessment – to analyze, identify and minimize the risks to data privacy and protection in a project.
Whether we are talking of a cloud based, on-prem or hybrid cloud project, this step is essential to identify the necessary data protection controls to mitigate the risks to privacy. We refer sometimes to this as shifting-left on cloud compliance and this requires organizations to implement the necessary tools for the automation of those activities. Certain cloud service providers are also adapting to this changing regulatory landscape and are proposing tools to identify personal data, measure the risk, activate the necessary controls and report on compliance throughout the lifecycle of the project.
Where do you see the future challenges of cloud security three or five years down the road?
Zeina Zakhour: Organizations will need to adopt a decentralized security detection and response framework as cloud adoption increases and also with the introduction of edge computing in digital services. For instance, with the implementation of security intelligence at the edge/cloud, organizations can accelerate detection with distributed learning and inference but also align with data sovereignty constraints and privacy regulations.
On the other hand, Serverless & Function-as-a-Service will drastically change security as we know it. The immutable infrastructure concept brought forward by FaaS will remove the infrastructure security burden from the organizations’ responsibility. However, it will bring new types of cyber risks such as over-privileged function permissions, injection flaws, application flow manipulation, theft of data in transit etc. Shift left and shift up security will become vital to properly secure FaaS architectures and secure the data.