Cloud security: are we battle-ready?
The cloud represents a boon to innovation and e-services, but protection from cyber-attack needs to be taken seriously when selecting a platform and a provider, writes Necip Ozyucel of Microsoft
As one of the key issues facing Middle East governments, it is perhaps disheartening to note that cybercrime shows no sign of abatement. Indeed, Juniper Research projects a $2.1 trillion annual cost for businesses globally by 2019, which is almost four times the estimated cost of breaches in 2015. Closer to home, a KPMG report from December last year claims one third of UAE businesses experienced some kind of attack in 2015.
Any migration to the cloud today carries with it deep and understandable fears of becoming the next high-profile victim of cash-hungry crackers, Internet pranksters or vengeful hacktivists. DDoS attacks, data theft and infrastructure compromise are becoming commonplace. UK government figures are suggestive of this, showing 90% of large organisations and 74% of small businesses having suffered some form of security breach. The average cost of these incidents was $5.9 million and containment periods averaged 70 days.
Meanwhile, cloud adoption worldwide is ballooning. A recent Microsoft global study showed that over 80% of customers have an annual or longer-term contract with their primary cloud and hosting provider, with 43% having a contract of two or more years. This is a strong indication that migration is taking hold. Gulf governments have shown admirable ambition when it comes to modernisation through e-services and the cloud presents a temptingly fertile ground in which to grow those services at low cost and with eminently elastic scalability.
But care must be taken to properly cosset those innovations. For a start, agencies must recognise that firewalls, anti-virus and IPS in general, are has-beens when it comes to corporate cyber-security strategy. Most security experts today will tell you that breaches are inevitable and so massive capital outlay on a protection-only gambit is wasteful and inadequate. Instead, it is infinitely more advisable to tie cyber-security policy to an organisation’s business-continuity strategy.
Prevention should still be taken seriously, but in the age of mobile and cloud, its enactment lies less in software than it does in the training of end-users. It is imperative that agencies make sure that their employees understand the potential real-world consequences of clicking on links, even from supposedly trustworthy sources. Caution should extend to the screening of media devices such as USB sticks, crossing the boundaries of the workplace and the outside world – in either direction.
Cloud service providers are partners in policy. Choosing the right one, and the right platform, could be the difference between prosperity and disaster. Ask your provider if they are prepared to implement your policies, rather than dictating their own. However, be prepared to listen to any suggestions they make on enhancements to your policies. Do these changes make sense, or are they designed to make life more convenient for the provider?
When examining the platform used by the provider, you should be satisfied that security and privacy are embedded into the very fabric of the software itself, not tacked on as an afterthought. As data moves in and out of a government agency’s premises and the data centre of its managed services partner, that data should be protected at every step, but you, the customer, must retain ultimate ownership and control. A good provider will be happy to explain to you how they achieve this trade-off, so you know how your data is stored and accessed, and how it is secured.
For government agencies especially, it will be routine to check if the provider and the platform meet formal compliance standards. Most providers will be proud to claim it, but due diligence demands careful confirmation and managed services companies should be ready to part with documentation.
Make sure you are happy with the technologies being used to protect your data. For transit operations, does the proposed platform use industry-standard transport protocols between end-points and the data centre, and within the data centre itself? For data at rest, it is preferable that a wide range of encryption capabilities are available, right up to the ultra-strong AES-256. Intrusion detection systems need to be in place, as well as rich, visual reporting systems that instantly inform both provider and customer. Packet-filtering facilities for the mitigation of distributed denial-of-service (DDoS) attacks also make sense for government departments. And regular penetration-testing, along with data analytics and adequately advanced machine-learning tools should be in place to help battle inevitable threats.
Microsoft’s Azure platform is imbued with all of these features and more, and we are continually working to improve it. We watch the global threat landscape closely, through our Cyber Defense Operations Center, so we can evolve our tools along with the dangers out there.
The Internet of Things looms large and cloud migration and virtual computing are now taken for granted as the future. In the parlance of the cyber-security sector, the attack surface is growing exponentially. As the criminal element targets the low-hanging fruit, we need to be sure we are strapped to the highest branch.
Necip Ozyucel, is Cloud and Enterprise Solutions Lead, Microsoft Gulf.