In the light of the European Cloud Survey results, carried out by McAfee, in which it was predicted that just two-fifths of UK businesses will be cloud-only by 2021, representatives from the computer security firm discussed not only the vitality of cloud security but also why they believe the predictions to be what they are.
Nigel Hawthorne director, EMEA cloud security business, McAfee’s first point was that people tend not to realise how complex cloud really is. He discusses how people are starting to realise the importance of cloud, but struggle on an internal DevOps surface level to set the correct infrastructure for it. A further argument that the EMEA makes about cloud security it that isn’t just about hackers.
“I could say that if your view of security is all about the bad guys, keeping away the hackers, then that is one element of security absolutely, but you could argue that, at its core, what you want to achieve with all of those problems is actually relatively simple. You want to take a lot of stuff away. The difficulty with Cloud is, it’s a bit more complex than that,” says Hawthorne.
“The world is not black and white”
After proving his points by regaling the crowd with stories from firms that may have good cloud security in place but don’t have ways for users to protect themselves fully. For example, there are many companies that share numerous amounts of accessible data on the cloud that means when an employee potentially leaves the firm, they may still have access to the information. Or if that person is not using a work computer, that unencrypted data then becomes available on a potentially unprotected device.
“I’m just trying to point out that the world is not black and white. If you go back to the web filtering world, certain websites are not appropriate for your employees to go to either. Because they’ve got malware or inappropriate content. But actually, in the cloud, we don’t usually have that information. That might be something that we want to track.”
“[We look at] data user service business legal cyber threats, and we colour code. We allow people to make their decisions. So, for instance, they might log into the public cloud, we find that passwords are out there to someone who knows what might be happening. They may be connected to the public Wi-Fi, which is picking up all of the data. So, I want to make a corporate decision that says, I only want to use services that encrypt data in transit. Or it might be a legal question was about to be stored etc.”
On further reflection of the results, it was noted that along with the low expected rate of businesses moving to the cloud, just 5% of businesses have already become fully cloud orientated.
The aim of the report was to explore and understand the future of cloud for large organisations and if they intend to become cloud-first or cloud-only and when they intend to achieve certain milestones by.
1310 senior IT staff and 755 employees in business with over 250 employees were questioned in the survey that was carried out across the UK, France and Germany.
Despite the majority of large businesses (86% in the UK, 90% in France and 92% in Germany) believing that their organisations are cloud-first, 93% of firms across all three counties hope to increase their reliance on the cloud and move more sensitive data to the cloud in the coming years.
The main reason for companies wanting to make the move to cloud or becoming cloud reliant, with 88% of respondents making this point, is due to an increased productivity amongst end-users. 84% said that it has improved their company’s data security.
Other research factors to moving to the cloud highlighted increased employee skills, making jobs more fulfilling and increased innovation.
Cloud security concerns
In terms of the concerns around cloud security, 45% of respondents in the UK said that they store sensitive data on the cloud and security issues are holding people back from putting on more data. Because of this 22% of senior leaders across all three countries feel that their businesses will never be fully cloud -only due to security concerns. 55% state “security fears feel this is down to “security fears” with a further 40% saying it to be because of “ data access concerns”.
When it comes to security, the poll revealed that there is widespread uncertainty as to who is ultimately responsible for the security of data. 14% said the CEO is responsible, with 19% saying the CIO is and 5% believing it to be the responsibility of the CISO. 34% feel the IT manager is responsible.
Raj Samani, chief scientist and McAfee fellow, suggests: “We’ve got to recognise that what individuals see as a security concern. The issue actually fundamentally is their inability to be able to understand what needs to be done and how things should be done…We’re given this great technology, but individuals not necessarily understanding the tools that are required to secure that infrastructure….”
He adds: “I want to be clear we actually didn’t break the law, but we actually said well, wouldn’t it be great because that actually we can, first of all, identify the open buckets online, and then using those open buckets actually develop PowerShell code that would allow us to be able to encrypt everybody that’s downloading this commercial. So, in other words, we created a malicious piece of code on an open s3 bucket, sent an email to every single person in that organisation to say please go to our cloud service. And actually, what we found was it’s a really easy way to be able to disseminate malware, or it can in this instance with ransomware”
Samani reiterates the complexities behind cloud migration. He comments: “Obviously, that suggests that there is still an appetite [for cloud] but there’s a discrepancy between desire and actually [making it happen] Because the reality is moving to the cloud isn’t easy. In certain scenarios, it might be straightforward for certain things like migrating something down to the SAS but the reality is that it requires a significant amount of governance and due diligence required on behalf of the organisation.”
Is it the fault of the customer?
“The reality is in cloud computing, we see organisations of people migrate outsources over to cloud services with the belief that absolutely absolves them of any risk or any concerns,” Continues Samani.
However, in an IT world, people are very aware of the security protection that is needed in the cloud. When asked at a private conference what needs to be done outside of an IT world to make sure people are protected, the experts suggested that not only do we need to take on more responsibility in general but in a growing technologically focused world, we need to have more focus on IT security in general.
“There are many things that we can do. Actually, we should share responsibility more, because I think, as a vendor, we have responsibilities to start to create or to develop new axes that make it simpler and more intuitive to be able to secure systems right. I think there is a responsibility for us, as vendors, to create guides around how you set up the infrastructure and how you protect yourself against these environments.”
“But then, it’s a responsibility for organisations and consumers themselves to start to take those configuration guides and influence. For example, if you’re a parent and you’re giving your kids a mobile phone at Christmas. You can do parental controls, and that’s the same concept and so every single person has that level responsibility…ultimately you own the risk…I think that’s the time right to take reasonable measures to implemented appropriate organisational and technical controls and so did you do everything within reason to be able to implement that”
Adding to this, the fellow says we need to be teaching children about protection from a young age “Educate people with realistic stories of getting it wrong to ensure that they realise that everyone needs to be involved. And we need to help bring in other developers from governance, risk and compliance to everyone else.”
The impact of biometrics
When asked biometrics will play a role in security, Hawthorn responded:
“We have now this toolkit, which is a technology that allows you to be able to integrate multi-factor authentication within a wider environment. I think two-factor authentication will be used. Then, of course, you’re going to see the adversary kind of respond and actually. not everything should require two-factor and is going to be based upon the context of the asset that you’re trying to protect.”
He added: “But then, of course, you’re going see the adversary response, and you’re going to see the use of the technology to be able to bypass facial biometrics. And then you’re going to see the industry respond by creating defect detection capabilities to be able to bypass the adversarial machine learning models that they’ve implemented to be able to bypass the two- factor, and they because then they’ll have to respond and will have to respond so like this is that game of cat and mouse we’re going to have to play.”