Cloud isn’t in the future, it’s today’s reality. Organisations are harnessing its power to introduce flexible ways of working.
But the issue isn’t whether organisations use public, private or even hybrid cloud platforms. It’s not even what data they choose to store in the cloud, or how they access it. It’s whether they’re doing it securely.
And there’s the problem – cloud is part of the new elastic attack surface. Whereas organisations once only worried about securing servers and laptops, today’s organisations struggle to manage a complex computing environment which includes mobile, cloud and IoT to name just a few. Most organisations cannot currently monitor, manage and understand the nature of their Cyber Exposure consistently or with confidence. This creates a Cyber Exposure gap and the larger the gap, the greater the risk of a business-impacting cyber event occurring.
How can organisations harness the power of the cloud securely?
A New Frontier with an Old Approach
The traditional approach of building a secure perimeter to ring fence infrastructure and data has been consigned to the history books – actually, cloud allows new services to be spun up in seconds. Cloud computing allows organisations to expand and adjust their IT environments with incredible flexibility, but it has also introduced new challenges to identifying and reducing cyber risk. The reality is that the tools and approaches organisations use to understand Cyber Exposure didn’t work in the world of client/server, on-premise data centres, let alone today’s elastic environment.
As validation, Tenable’s 2017 Global Cybersecurity Assurance Report Card, which surveyed 700 security practitioners around the world, found that participants rated their ability to assess risk in ‘cloud environments’ [the combination of software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS)] at just 60 percent. This dearth of confidence mirrors an alarming and widespread lack of visibility into not just cloud instances, but also most other areas of the modern computing environment.
It’s worth clarifying that the perception of cloud as being any more vulnerable than on-premises solutions is a myth. It doesn’t matter where the infrastructure, applications, or data reside – if they’re connected then they’re vulnerable. It is important that organisations accept this and address the issue.
In order to do this, a new security approach is required that encompasses both a new way of thinking, and a toolset capable of adapting to these elastic working environments.
[easy-tweet tweet=”Cyber Exposure is an emerging discipline for managing, measuring and reducing the modern attack surface. ” hashtags=”Cyber, Cloud”]
A New Frontier Requires a New Approach
Cyber Exposure is an emerging discipline for managing, measuring and reducing the modern attack surface. It should be approached as a live, dynamic process that expands and contracts along with the elastic attack surface. After all, containers and cloud workloads may have a lifespan of minutes to hours which makes them extremely hard to see and protect.
There are three fundamental questions organisations need to be able to answer if they’re to stand a chance of understanding and reducing their cyber risk: are they secure; how are they exposed; and most importantly, how do they proactively reduce their exposure.
To do this, organisations should practice four related disciplines:
Discover: It’s impossible to protect what you don’t know exists so the first stage is to inventory the computing environment in real time. Having mapped these assets whatever they may be – from desktops, laptops, servers, applications, containers etc., and wherever they may reside – be it in the Cloud, physically networked, etc. the organisation can establish a baseline of the current and desired operational state.
Assess: Having established what makes up the organisation’s infrastructure, the next phase is to accurately determine any areas that are exposed. This is basic cyber hygiene and should check for any vulnerabilities, misconfigurations, out of date software, products that are no longer supported or no longer accessed or used. It should also include users that are either no longer active or privileged accounts that potentially pose a risk.
Analyse: Having mapped the network and identified the perceived risks, the next element is to put these risks into context. Is the asset critical to the day-to-day operations of the business, or does it hold vital information? Where does it live? Does it move? Who or what has access to that asset? If it’s vulnerable, is it being actively exploited? The answers to these questions will help organisations properly prioritise their risks to determine what needs to be remediated first.
Fix: The final element is fixing what needs fixing. This may mean implementing temporary security controls while waiting for a patch, updating systems or upgrading hardware.
Cyber Exposure Lifecycle
This isn’t a one time action, but rather an operational security lifecycle.
The boundaries of the organisation’s perimeter and accountability are expanding and contracting hour by hour, minute by minute and in some cases second by second. Organisations need capabilities for inventorying not just on-premises infrastructure, but also in and across the cloud in real-time.
Organisations need to embrace this new way of thinking – to understand their Cyber Exposure in a way that adapts to this new world of modern assets and elastic working practices.
Cloud isn’t the future, it’s part of today’s reality. And organisations must make sure they’re harnessing its power securely.
Tom has a lifelong passion for solving problems. During his 18 year career he’s worked in many roles from threat research, security response, localisation, quality engineering and product management across companies such as Symantec and McAfee.
Â
Today he is Senior Director of Product Management at Tenable where he has responsibilities for the Tenable.io platform and key capabilities on that platform such as VM. He is a big believer in the 'prevention is better than cure' mantra. It still baffles him that the number of known vulnerabilities implicated in breaches has increased in the past ten years (71% in 2008 but 99.9% in 2015).
Â
Tom has published whitepapers, contributed to the ISTR (Internet Security Threat Report), led global engineering teams, filed patents, and was also a spokesperson sharing perspective on breaking threats with the BBC, CNN Money, PC Mag, and CNET amongst others.
Â
Tom lives in Ireland, having returned in 2015 from a two year stint in California. When not working he spends his time racing around after his three young children - Conall, Emer and Donncha. If there is any time left he masquerades as a soccer player during Wednesday night 5-a-side.