Convergent: How to Best Avoid Costly Security Breaches

The many combinations of risk ownership and accountability today, along with the increased use of remote work, make the security landscape more complex than ever, requiring continuous monitoring to avoid becoming the next cyber breach statistic, according to Convergent Risks.

“I think we all recognize that a security breach is expensive and reputationally damaging,” Mathew Gilliat-Smith, EVP at the company, said May 12, speaking during the presentation Hey, You, Get off of my Cloud!” at the Cybersecurity & Content Protection Summit (CCPS), held digitally as part of the NAB Show Express experience.

That classic lyric by The Rolling Stones has never been more pertinent to cloud security. After all, the risk of downtime and data breach not only deny an organization’s ability to operate effectively, but will also impact its reputation and brand. Not everyone can be expected to know all the nuances of cloud security and IT security teams cannot oversee everything. The sheer pressure to deliver within tight deadlines, meanwhile, means we need to extend the vision to a broader set of security measures to avoid exposing additional risk.

With today’s agile computing environment, plus the current forced migration to cloud workflows through remote work from home, the biggest threat is the speed of change and the risk of not being secure by design.

Gilliat-Smith made a few quick observations at the start of the presentation. First, “clearly, organizations are rapidly transitioning to the cloud and many services are now only cloud-based,” he noted. “It’s generally the same issues that cause security data leak,” and they include cloud migration challenges, the time to deploy, unknown costs, staff-related issues, and deploying securely, he said.

Remote work has become even more widespread than ever due to the COVID-19 pandemic. This trend has “changed the landscape and… it’ll be here for longer than perhaps we thought,” Gilliat-Smith said, adding: “The key message really is if you’re starting out now for cloud migration, if you make security the cornerstone of all that you build, it  will save a lot of time and cost” than if you have to “rectify it later.”

He had another suggestion for organizations: “Keep it simple. Using a straightforward approach and leveraging cloud security tools… goes a long way to reducing the risk of a data breach.”

Dave Loveland, cloud security architect at Convergent Risks, went on to discuss some of the specific common issues that cause data breaches. “When you hear about a large cloud breach, it’s commonly caused by a misconfiguration coupled with a lack of security alerting,” he said.

But he noted: “It is possible to avoid all of these situations by taking some simple steps, taking the time to understand and familiarize yourself with the causes of common cloud security breaches, and also looking at how you’re deploying into cloud or how you deployed into cloud already. It’s all about leveraging the advantages of cloud, while making sure that you don’t make the same security mistakes that many people have made previously.”

To “avoid some common security pitfalls,” he suggested, when it comes to planning:

(1) Have “clear usage objectives.” Be aware that “before you migrate a workload,” you need some services “in place first and the configuration and security of those forms the bedrock of your cloud environment. Things like user management, secure virtual networking, vulnerability management, effective security alerting, etcetera, are all key things that you need to get right before you even consider migrating a workload onto the platform.”

(2) “Understand your workflows and how the data will be protected, understanding how your data will move from your on-premise environment into the cloud, how it will be protected in transit and also at rest. Start to ask yourself some questions,” such as whether the cloud provider’s protection is “sufficient for the content owner’s needs or is any additional protection required. “It’s worth remembering that, by default, cloud service providers quite often have access to the data that you put into their environments.”

(3) “Avoid the temptation to ‘lift n’ shift’. Taking a legacy security approach to resources or workloads that you put into the cloud can leave you exposed.”

When it comes to awareness and training, to avoid common security pitfalls, he suggested: (1) Follow cloud provider best practice guidance. (2) Make sure your IT staff or IT provider are adequately trained. Education is important. (3) Consult independent hardening guides to reduce your attack surface.

Last, when it comes to having a safe configuration, to avoid common security pitfalls, he advised: (1) Make sure to patch your systems regularly because, if you don’t, “hackers are going to be able to potentially leverage existing vulnerabilities and that’s obviously going to be the Achilles’ heel of your otherwise secure cloud environment.” (2) Deploy security policies (not paper ones) to prevent misconfigurations. (3) Leverage the existing/built-in cloud security tooling because they were “designed by default” by the cloud providers and “work pretty much out of the box with minimal configuration” so you “can get a window into what your environment looks like and see in an instant where there’s a misconfiguration that’s potentially going to be damaging.”

Another important thing to keep in mind, he said: “The cloud is never still. Security is contiguous and effective security is an ongoing challenge. Changes and deployments into your cloud environment will mean that it’s potentially in a constant state of flux as you deploy different services and different configurations. Change is the new norm and security needs to keep pace with this.”

Concluding, he said, embedding security by design is crucial and it is important to “engage security expertise” early rather than “when you’re half-way through the journey.” It is also important to understand what a cloud provider’s security best practice “looks like for the workload that you’re going to deploy,” he said.

Presented by Richey May Technology Solutions, with sponsorship by Akamai, Cyberhaven, Microsoft Azure, SHIFT, Convergent Risks, and the Trusted Partner Network (TPN), the Cybersecurity & Content Protection Summit focused on the latest cybersecurity and content protection challenges studios, broadcasters and vendors alike are facing during the ongoing pandemic.

Produced under the direction of the Content Delivery & Security Association (CDSA) Board of Directors and content advisors representing Amazon Studios, Adobe, Paramount, BBC Studios, NBCUniversal, Lionsgate, WarnerMedia, Amblin Entertainment, Legendary Pictures, and Lego Group, this year’s Cybersecurity & Content Protection Summit looked ahead at the challenges facing the security community in 2020 and beyond.