{"id":151567,"date":"2020-06-04T17:34:08","date_gmt":"2020-06-04T21:34:08","guid":{"rendered":"https:\/\/www.mesalliance.org\/?p=151567"},"modified":"2020-06-04T17:34:08","modified_gmt":"2020-06-04T21:34:08","slug":"convergent-how-to-best-avoid-costly-security-breaches","status":"publish","type":"post","link":"https:\/\/www.cdsaonline.org\/2020\/06\/04\/convergent-how-to-best-avoid-costly-security-breaches\/","title":{"rendered":"Convergent: How to Best Avoid Costly Security Breaches"},"content":{"rendered":"

The many combinations of risk ownership and accountability today, along with the increased use of remote work, make the security landscape more complex than ever, requiring continuous monitoring to avoid becoming the next cyber breach statistic, according to Convergent Risks.<\/p>\n

\u201cI think we all recognize that a security breach is expensive and reputationally damaging,\u201d Mathew Gilliat-Smith, EVP at the company, said May 12, speaking during the presentation \u201cHey, You, Get off of my Cloud!\u201d at the Cybersecurity & Content Protection Summit (CCPS), held digitally as part of the NAB Show Express experience.<\/p>\n

That classic lyric by The Rolling Stones has never been more pertinent to cloud security. After all, the risk of downtime and data breach not only denies an organization\u2019s ability to operate effectively, but will also impact its reputation and brand. Not everyone can be expected to know all the nuances of cloud security, and IT security teams cannot oversee everything. The sheer pressure to deliver within tight deadlines, meanwhile, means we need to extend the vision to a broader set of security measures to avoid exposing additional risk.<\/p>\n

With today\u2019s agile computing environment, plus the current forced migration to cloud workflows through remote work from home, the biggest threat is the speed of change and the risk of not being secure by design.<\/p>\n

Gilliat-Smith made a few quick observations at the start of the presentation. First, \u201cclearly, organizations are rapidly transitioning to the cloud and many services are now only cloud-based,\u201d he noted. \u201cIt\u2019s generally the same issues that cause security data leak,\u201d and they include cloud migration challenges, the time to deploy, unknown costs, staff-related issues, and deploying securely, he said.<\/p>\n

Remote work has become more widespread than ever due to the COVID-19 pandemic. This trend has \u201cchanged the landscape and\u2026 it\u2019ll be here for longer than perhaps we thought,\u201d Gilliat-Smith said, adding: \u201cThe key message really is if you\u2019re starting out now for cloud migration, if you make security the cornerstone of all that you build, it will save a lot of time and cost\u201d than if you have to \u201crectify it later.\u201d<\/p>\n

He had another suggestion for organizations: \u201cKeep it simple. Using a straightforward approach and leveraging cloud security tools\u2026 goes a long way to reducing the risk of a data breach.\u201d<\/p>\n

Dave Loveland, cloud security architect at Convergent Risks, went on to discuss some of the specific common issues that cause data breaches. \u201cWhen you hear about a large cloud breach, it\u2019s commonly caused by a misconfiguration coupled with a lack of security alerting,\u201d he said. <\/p>\n

But he noted: \u201cIt is possible to avoid all of these situations by taking some simple steps, taking the time to understand and familiarize yourself with the causes of common cloud security breaches, and also looking at how you\u2019re deploying into cloud or how you deployed into cloud already. It\u2019s all about leveraging the advantages of cloud, while making sure that you don\u2019t make the same security mistakes that many people have made previously.\u201d<\/p>\n

To \u201cavoid some common security pitfalls,\u201d he suggested, when it comes to planning:<\/p>\n

(1) Have \u201cclear usage objectives.\u201d Be aware that \u201cbefore you migrate a workload,\u201d you need some services \u201cin place first and the configuration and security of those forms the bedrock of your cloud environment. Things like user management, secure virtual networking, vulnerability management, effective security alerting, etcetera, are all key things that you need to get right before you even consider migrating a workload onto the platform.\u201d<\/p>\n

(2) \u201cUnderstand your workflows and how the data will be protected, understanding how your data will move from your on-premise environment into the cloud, how it will be protected in transit and also at rest. Start to ask yourself some questions,\u201d such as whether the cloud provider\u2019s protection is \u201csufficient for the content owner\u2019s needs or is any additional protection required.\u201d \u201cIt\u2019s worth remembering that, by default, cloud service providers quite often have access to the data that you put into their environments.\u201d<\/p>\n

(3) \u201cAvoid the temptation to \u2018lift n\u2019 shift\u2019. Taking a legacy security approach to resources or workloads that you put into the cloud can leave you exposed.\u201d<\/p>\n

When it comes to awareness and training, to avoid common security pitfalls, he suggested: (1) Follow cloud provider best practice guidance. (2) Make sure your IT staff or IT provider are adequately trained. Education is important. (3) Consult independent hardening guides to reduce your attack surface.<\/p>\n

Last, when it comes to having a safe configuration, to avoid common security pitfalls, he advised: (1) Make sure to patch your systems regularly because, if you don\u2019t, \u201chackers are going to be able to potentially leverage existing vulnerabilities and that\u2019s obviously going to be the Achilles\u2019 heel of your otherwise secure cloud environment.\u201d (2) Deploy security policies (not paper ones) to prevent misconfigurations. (3) Leverage the existing\/built-in cloud security tooling because they were \u201cdesigned by default\u201d by the cloud providers and \u201cwork pretty much out of the box with minimal configuration\u201d so you \u201ccan get a window into what your environment looks like and see in an instant where there\u2019s a misconfiguration that\u2019s potentially going to be damaging.\u201d<\/p>\n

Another important thing to keep in mind, he said: \u201cThe cloud is never still. Security is contiguous and effective security is an ongoing challenge. Changes and deployments into your cloud environment will mean that it\u2019s potentially in a constant state of flux as you deploy different services and different configurations. Change is the new norm and security needs to keep pace with this.\u201d<\/p>\n

Concluding, he said, embedding security by design is crucial and it is important to \u201cengage security expertise\u201d early rather than \u201cwhen you\u2019re half-way through the journey.\u201d It is also important to understand what a cloud provider\u2019s security best practice \u201clooks like for the workload that you\u2019re going to deploy,\u201d he said.<\/p>\n

Presented by Richey May Technology Solutions, with sponsorship by Akamai, Cyberhaven, Microsoft Azure, SHIFT, Convergent Risks, and the Trusted Partner Network (TPN), the Cybersecurity & Content Protection Summit focused on the latest cybersecurity and content protection challenges studios, broadcasters and vendors alike are facing during the ongoing pandemic.<\/p>\n

Produced under the direction of the Content Delivery & Security Association (CDSA) Board of Directors and content advisors representing Amazon Studios, Adobe, Paramount, BBC Studios, NBCUniversal, Lionsgate, WarnerMedia, Amblin Entertainment, Legendary Pictures, and Lego Group, this year\u2019s Cybersecurity & Content Protection Summit looked ahead at the challenges facing the security community in 2020 and beyond.<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

The many combinations of risk ownership and accountability today, along with the increased use of remote work, make the security landscape more complex than ever, requiring continuous monitoring to avoid …<\/p>\n","protected":false},"author":4,"featured_media":151568,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":"","_links_to":"","_links_to_target":""},"categories":[3,40],"tags":[360,1057,431,120,8,1058],"acf":[],"_links":{"self":[{"href":"https:\/\/www.cdsaonline.org\/wp-json\/wp\/v2\/posts\/151567"}],"collection":[{"href":"https:\/\/www.cdsaonline.org\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cdsaonline.org\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cdsaonline.org\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cdsaonline.org\/wp-json\/wp\/v2\/comments?post=151567"}],"version-history":[{"count":0,"href":"https:\/\/www.cdsaonline.org\/wp-json\/wp\/v2\/posts\/151567\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cdsaonline.org\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/www.cdsaonline.org\/wp-json\/wp\/v2\/media?parent=151567"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cdsaonline.org\/wp-json\/wp\/v2\/categories?post=151567"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cdsaonline.org\/wp-json\/wp\/v2\/tags?post=151567"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}