Are you managing your digital identity effectively? That’s the question posed by one of Ireland’s leading IT security firms, aimed at the many companies currently moving their activities into the cloud. According to Integrity360, managing the twin challenge of authentication and authorisation is increasingly important as hackers and cyber criminals become more sophisticated in their attacks.
“In the hacker’s marketplace, digital identity is worth a lot of money, and hackers and malicious actors are increasingly finding that digital identities are considered a financial asset in the underground,” said Paul Ryan, head of cyber security strategy for Integrity360.
“So, in terms of managing your identity in the cloud, it’s very important. A strong consideration here is that security and privacy concerns around identity are almost identical across non-traditional cloud services and in the cloud. So the same types of attacks apply and your asset can be compromised whether in the cloud or on premise.”
With hackers still using the same techniques to compromise accounts, identities and credentials, managing that authentication and authorisation risk is a challenge.
“A lot of people don’t really understand the responsibility aspects of security within the cloud, in terms of understanding who’s responsible for what parts of the defences.”
Ryan concedes that it can be tiring for IT professionals to read about the same kind of attacks all the time, but the reason the security industry continues to emphasise them is that the nature of the attacks themselves rarely changes.
“If we look at the likes of phishing attacks, Distributed Denial of Service (DDoS) attacks, fraud, mail fraud and kind of those types of breaches, we go on about them a lot, and it’s probably a little bit fatiguing to hear the same things over and over again. But we’re still seeing the same types of attacks happening for the last number of years and people are still getting breached,” he said.
“People know what they need to do to mitigate these attacks but not a lot’s been done. Meanwhile, we’re seeing a lot of customers adopting digital strategies in terms of migrating into the cloud and migrating applications or business processes into the cloud. But along with that, obviously, there should be a strong consideration for security.”
According to Ryan, it’s not uncommon for companies to spend time and energy working out how to move their applications to the cloud without really thinking about the security implications of such a move.
“It’s obviously a traumatic matter when the consequences of this come along and they haven’t considered the security implications. We’re spending a lot of time at the moment helping companies in their cloud security strategies and looking at the types of things from a control and continuity point of view that they need to be concerned about.”
Companies contemplate moving to the cloud for a variety of reasons, most notably those around reducing costs, increasing levels of control or achieving efficiencies.
“But the thing to consider when moving to cloud computing is that you must have a clear understanding of the security benefits and the risks associated with cloud computing and really set realistic expectations with a cloud security provider. When I talk about what customers should be looking for from a cloud security provider, I suggest they should have a security partner who can provide them with the right level of advice in terms of selecting and managing cloud security.”
One of the key issues in this area is the lack of corporate governance.
“Basically, customers just tend to move into the cloud without any proper agreements or commitments, and it’s only when it comes to resolving issues with a cloud provider that they realise that there’s a lack of governance structure in place. That comes down to things like service level agreements and so on,” said Ryan.
“There are many cloud security frameworks, and what we’d advise is to adopt a baseline cloud security framework to address some of these risks. There are obviously compliance and legal risks, so certification of the cloud security vendor is important. For example, what type of encryption do they use?”
Regulations around privacy and data standards are important as well. There are different regulations in place in the US and the EU for retention of and access to data.
“So, obviously, customers are concerned about this. If they move their data to a US data centre in the cloud, then are they subject to US laws rather than EU data protection laws?” said Ryan.
A further issue to consider is isolation failure, which arises because cloud installations are often stored on and accessed through shared resources.
“People tend to think we’re moving into the cloud and it will be just like on premise where we’re the only people using the technology we’re paying for, that we’re going to be on our own in the cloud. But you know there’s multitenancy factors to be considered. You’re a guest in a cloud environment, so you could be susceptible to what we call guest hopping attacks.”
In extreme situations, this can mean that another company using the same shared resources as you may not have security measures in place as sophisticated as yours, yet you can still end up paying the price.
Article from the Sunday Business Post, Focus On: ICT Security 2016, 22nd of May 2016