CPS 2019: Convergent Risks on Getting Security Right in the Cloud

UNIVERSAL CITY, Calif. — If correctly configured and when relevant best practice standards are followed, cloud workflows create undisputed speed, cost and security benefits — but, if not done correctly, serious security pitfalls can occur, according to Convergent Risks.

Challenges to getting security in the cloud right include unrestricted access, weak encryption and exposed keys. So, why is it so hard to get security right in the cloud? The main reasons include the fact that each business is unique and there are differing methods of configuration and many control frameworks to follow, Convergent Risks pointed out Dec. 4, during the Cloud Security breakout session “Towards a Common Goal – Ensuring Security in Cloud Environments” at the Content Protection Summit.

“Some say that the cloud is this lovely, heavenly place,” Chris Johnson, president and CEO of Convergent Risks, pointed out. After all, he said: “It’s particularly safe. It’s friendly. It’s fast. It’s efficient.”

But he added: “Some believe that behind that, lurks this really dark, sinister place where we’re going to get our stuff stolen or we’re going to have denial of service take place – all sorts of nasty things.”

For now, “what we do know already [is] that if we do it correctly, we can secure that environment,” he said.

But he asked: “How’s that going to get achieved?” The answer: “If we follow best practice standards, then we can reach these undisputed speed and cost efficiencies.”

However, he warned: “If we don’t, we’re going to meet significant security pitfalls, and it’s going to cost us a lot of money, it’s going to cost us a lot of time and it’s going to destroy reputations.”

So the next question, he asked rhetorically, was: “If we already know that, why is it so difficult to transition to the cloud securely?” And “part of the reason, I believe,” is that “we’ve currently got too much choice,” he said, noting that “where you sit geographically for your compliance requirements for the studios may determine which international standard you are going to use.”

While we’re all “still waiting for the Trusted Partner Network to come up with their security guideline, we can’t wait,” he said, adding: “We’ve got to do something because… 20 percent of people have already migrated and 80 percent of people are either looking to migrate or are part-way through that process.” And “each user case is different, and I think that’s where the real issues exist,” he said.

He went on to say: “We’ve got to adopt basic principles. I personally believe that if you use cloud security version four and go to the mapping matrix … you’re already on a good path to compliance and it’s going to probably meet the majority of what the TPN — the Trusted Partner Network — requirements are going to” be.

“You’ve got to know what your business requirements are, and understand what your risks are going to be,” he went on to point out, adding: “Most companies aren’t even vetting their cloud providers. They’re just going ahead and doing this blindly.” He estimated that more than 70% aren’t vetting their cloud providers.

Meanwhile, “we’re probably some months away before we get … assistance from the TPN,” he predicted.

Janice Pearson, vice president of Global Content Protection at Convergent Risks, went on to stress the importance of developing a methodology that’s “thorough so that, in the end, you get an assessment that is going to be thorough, comprehensive and also address where your security issues are.” That starts in the discovery phase, she noted.

One other thing that’s important to consider is “how can we automate – how can we create efficiencies that make everything seamless,” she told attendees, adding: “One of the beauties of automation is that you take the human element out of it and you de-risk certain processes that way.”

One challenge of using consultants to help with development, meanwhile, is that “once they leave the project, all that knowledge sometimes goes away,” she noted. “If it’s not properly documented, you might find yourself in a situation where you don’t understand your infrastructure and you have to reverse engineer,” she warned.

Proper training is very important and, without it, “your cloud implementation is not going to be successful,” she went on to say.

“Continuous monitoring and testing becomes so important” as well, she said, explaining: “The threat landscape is changing constantly and, often times, we’ll see organizations will maybe only do a penetration test once a year. But, in our opinion, that needs to be happening on a quarterly basis – whether that’s happening internally by your teams or externally by a third party.”

It’s also important to “understand each organization is different – there are going to be nuances that we have to understand and, if we don’t do proper discovery at the very beginning, it will all fall short in the end,” she warned.

Mathew Gilliat-Smith, advisor at Convergent Risks, went on to point out how engagement with third parties is important as well.

The Content Protection Summit was produced by MESA and CDSA, and was presented by SHIFT, with sponsorship by IBM Security, NAGRA, Convergent Risks, LiveTiles, Richey May Technology Solutions, EIDR, the Trusted Partner Network (TPN) and Darktrace.