Top 10 Considerations for Securing Public Cloud Workloads

The shift to the public cloud has offered organizations increased agility, flexibility and scalability. However, as more and more organizations move critical workloads to the public cloud, the potential for attackers to steal data, intellectual property or computing resources also rises.

Below is a brief breakdown of three considerations for securing public cloud workloads. Download the white paper to view the detailed list of all 10 top considerations.

  1. Embrace the shared security model: The infrastructure is secured by the cloud service provider, but users are responsible for securing their own applications and data as they reside in the cloud. With this in mind, security practices must be implemented to secure workloads in the cloud as well as prevent loss of data and IP, just as if the workloads were on-premises.
  2. Engage with business groups and DevOps early: Security teams and respective business groups, such as DevOps, should work collectively – particularly during initial stages of public cloud projects – to ensure all development needs are met while still maintaining a healthy security posture.
  3. Know your potential exposure: Monitor public cloud usage, ensure proper configuration of the environment, enforce two-factor authentication, and properly lock down Secure Shell (SSH) access to gain visibility and minimize potential exposure through “shadow IT.”

Read the full list of our Top 10 Considerations for Securing Public Cloud Workloads.

[Palo Alto Networks Research Center] 

Cyberpsychologist Mary Aiken: New Threats Demand New Solutions

Editor’s note: Dr. Mary Aiken, a cyberpsychologist, expert in cyber behavioral analysis and author, will deliver the closing keynote address at CSX North America 2017, to take place 2-4 October in Washington, D.C., USA; and CSX Europe 2017, to take place 30 October-1 November in London. Aiken recently visited with ISACA Now about several of her core areas of interest, including digital ethics and how parents can combat some of the cyber threats that could harm their children. The following is an edited transcript:

ISACA Now: What intrigued you about pursuing cyber behavioral analysis?
As a cyberpsychologist, I maintain that human behaviour can fundamentally change in cyberspace. Powerful drivers such as (perceived) anonymity, online disinhibition and psychological immersion, along with minimization of authority online, dictate that people can act very differently in cyber contexts. Therefore, there is a need for new behavioral scientific approaches and analysis in terms of understanding human, and specifically criminal behavior mediated by technology.

ISACA Now: What should organizations be especially mindful about from a digital ethics standpoint?
In 2016, NATO declared that cyberspace was a ‘domain of operations.’ People like me have been talking about cyberspace for over a decade, but this was a paradigm shift in terms of an official acknowledgement that ‘cyber’ is actually a place, an environment. This recognition gives us a great opportunity to draw on the learnings of the environmental movement. What happens in cyberspace impacts the so-called real world, and vice versa. We should therefore be very protective of this new cyber environment.

The “precautionary principle” has been used to great effect in the environmental movement, placing the onus on companies to prove that their products are doing no harm. From an ethical perspective, if we apply the precautionary principle to cyberspace, then the onus will be on organizations to prove that their digital products do no harm. We are all familiar with the benefits of Corporate Social Responsibility (CSR). There is now an exciting opportunity for organizations to practice Cyber CSR.

ISACA Now: Which aspects of your research on virtual behavioral profiling tend to surprise people the most?
In terms of behavioral profiling, I have been involved in a dozen different research silos – everything from cyberchondria to organized cybercrime – and the one thing that I have observed is that whenever technology interfaces with a base human disposition, the result tends to be amplified and accelerated. I called this ‘the Cyber Effect,’ and wrote a book about it. A lot of people were surprised and fascinated by this insight; I believe it could be the E = mc² of this century. If we could figure out and factor this escalation, then we could also look at technological solutions to de-escalate.

ISACA Now: What do you see as the most positive potentials of technology across the cyber environment today?
I believe that AI offers incredible potential across the cyber environment. Many of the problems that we experience in cyber contexts are in fact ‘big data’ type problems – for example cyberbullying. If we could develop machine intelligence solutions to technology-facilitated problem behaviors, then I firmly believe we could help to create a better cyber society for all, and most importantly for those who are vulnerable, such as children.

ISACA Now: Cyberchondria is probably a new concept for a lot of people. How would you characterize that term, and how prevalent is it?
Searches about health and illness are among the most popular search topics. There is lots of constructive and helpful information available online, from quality medical websites, such as the Mayo Clinic. However, it is difficult from an untrained human perspective to be objective in terms of the interpretation of bodily symptoms, and subsequent translation into medical search. There is a word for what can go wrong. Cyberchondria is a form of hypochondria manifested online.

It is described as anxiety induced as a result of escalation to review morbid or serious content while engaging in health-related search. What does that mean? It means that you have a headache (that could be anything from a hangover to a migraine), and you start clicking to read about brain tumors, and experience anxiety as a result. In other words, you may be perfectly well in physical terms, but may end up with a nasty dose of health anxiety.

ISACA Now: How concerned should parents be about cyberbullying, and what should they be doing to help their kids navigate the digital world?
Cyberbullying is a serious issue for parents, and I am very concerned about what society should be doing to tackle it. Let’s think about it like this. Real-world bullying is a problem – why? With a harsh word or punch on the playground, there is little or no evidence. However, cyberbullying is nothing but evidence; in fact, you cannot cyber-bully without leaving a significant digital trail. So, how did we ever get to a point where cyberbullying was a bigger problem than real-world bullying? There are solutions.

We could develop AI technologies for telecommunications and social media platforms that (with parental consent) could monitor digital traffic to children. The point at which the behavior escalates in terms of bullying, the AI could trigger a digital outreach to the child to “go and get help,” and a digital outreach to the parent to “go talk to your child.” Parents should not be the last to know that their child is being cyber-bullied.

ISACA Now: If you had one key inspirational message for the ISACA business technology professional community today, what would that be?
I am absolutely pro-technology. I could not do my job as a cyberpsychologist without spending most of my time online. I firmly believe that in time we will develop a whole range of technological solutions to technology-facilitated problem behaviors. It is important to remember that technology is not good or bad; it is either used well or poorly by humans.

[ISACA Now]

The Real Solution To Youth Cyber-Crime

The National Crime Agency recently revealed a fascinating intelligence assessment, uncovering the ‘pathways into cyber crime’. The key finding was that most young hackers are motivated, not by financial reward, but by idealism. The NCA added that many of those involved in cyber-crime had “highly marketable” skill sets, and evidence showed that positive role models could help steer ex-offenders towards productive technology careers.

Many people feel that re-training young cyber offenders as cyber security professionals offers a chance to kill two birds with one stone: reducing cyber-crime and simultaneously helping to reduce the cyber skills shortage. The NCA proposed creating a “toolkit of positive diversions” for young people deemed to be at risk of online criminality, such as positive mentors, coding clubs and job opportunities.

It is certainly true that today’s cybersecurity profession is in desperate need of more young talent. Our Global Information Security Workforce Study found that only 12% of the UK workforce is under 35. The NCA’s initiative is a welcome one if it can steer enthusiastic and gifted young people towards the many career opportunities awaiting them, recognising that the devil makes work for idle hands.

However, if we are to find a long-term solution to youth cyber-crime and the skills gap, it is not sufficient to target educational resources, mentors and job opportunities at a narrow band of gifted youngsters on the periphery of cyber-crime. The true solution is to make such career opportunities available to all by making cybersecurity a core aspect of the education system at all levels and across a range of relevant subjects, helping prepare the future generation for work in a digital economy. Cybersecurity is increasingly fundamental to many industries and many different jobs, from engineering to web design, and the education system needs to reflect this. Why wait until young people are already on the periphery of cyber-crime to divert them onto the straight and narrow when we can equip all young people with the skills to make a positive contribution from the outset?

Fortunately, this is starting to happen now. (ISC)2 has worked with organisations including the Council of Professors and Heads of Computing (CPHC), to design cybersecurity Principles and Learning Outcomes which have been turned into part of the official accreditation criteria for all UK computing degrees under the bodies BCS and the Chartered Institute for IT.

At a subsequent curriculum development roadshow supported by the Cabinet Office, 60 UK universities demonstrated a will to champion and embed cybersecurity more comprehensively across their computing degree courses. There are now opportunities to go further and teach cybersecurity within an array of popular disciplines from psychology to business management. Further efforts are being made in further education, with our involvement in the development of the UK’s first ever cybersecurity EPQ helping to embed cybersecurity skills in curricula at all levels.

Employers could also aid this effort by working with colleges and universities to ‘mentor’ promising students, organising graduate recruitment fairs and offering cyber apprenticeships to graduates or college leavers.

I recently attended an inspiring event at the Plymouth Science Park hosted by Bluescreen IT, which echoed these very sentiments of bringing cybersecurity into the fold at a much earlier stage. The event, which brought together leading organisations including businesses, schools, universities and the local authority, examined how recent online threats and the shortage of qualified and experienced cybersecurity professionals could be tackled by both business and government. It was proposed that, by bringing their respective bodies together, their agendas could be aligned and integrated to form a proactive ‘cyber cluster’, enabling parties to shape curriculums to incorporate information security and in turn provide a pipeline of nurtured talent to the profession and local businesses.

With the internet overtaking TV as children’s favourite pastime, there is also a real opportunity to engage children in cybersecurity by incorporating it into primary and secondary school teaching materials. Cybersecurity content could be included in everything from maths classes to World War One and Two history lessons on the role of code-breakers at ‘Room 40’ and Bletchley Park. Teachers could create code-breaking competitions to make the content engaging for children.

There is also an opportunity to teach internet safety to all young people, in an age when children are increasingly exposed to the hazards of the internet, from hackers to cyber-stalkers. (ISC)2 volunteers from across the cybersecurity profession have been going into UK schools to teach over 5,000 children each term on everything from ‘sexting’ to cyber-bullying. Similar initiatives could be rolled out across all schools at a national level.

The only viable long-term solution to youth cyber-crime and the skills shortage is to ensure that our education system gives all students (and their parents) the necessary skills, knowledge and awareness to feel included in, able to contribute to and benefit from the digital economy.

By Adrian Davis, CISSP, Managing Director EMEA, (ISC)²

[(ISC)² Blog]

Security Needs Vs. Business Strategy – Finding a Common Ground

Even before cloud adoption became mainstream, it wasn’t uncommon for IT security needs to conflict with both business strategy and end user preferences. Almost everyone with a background in security has found themselves in the awkward position of having to advise on going against a technology with significant appeal and value because it would introduce too much risk.

In my time working both as a vendor and as a risk management consultant, few IT leaders I’ve come across want to be a roadblock when it comes to achieving business goals and accommodating (reasonable) user preferences and requests. However, they also understand the costs of a potential security or non-compliance issue down the road. Unfortunately, many IT security teams have also experienced the frustration of being overridden, either officially by executives electing to accept the risk or by users adopting unregulated, unsanctioned applications and platforms, introducing risk into the organization against their recommendation.

In today’s world of cloud computing there are more vendor options than ever and end users often come to the table with their preferences and demands. More and more I speak to IT and security leaders who have been directed to move to the cloud or have been pressured to move data to a specific cloud application for business reasons but find themselves saying no because the native cloud security controls are not enough.

Fortunately, in the past few years, solutions have emerged that allow IT and security leaders to stop saying no and instead enable the adoption of business-driven requests while giving IT teams the security controls they need to reduce risk. Cloud vendors spend a lot of time and resources to secure their infrastructure and applications, but what they are not responsible for is ensuring compliant cloud usage in their customer’s organizations.

The legal liability for data breaches is yours and yours alone. Only you can guarantee compliant usage within your organization, so it’s important to understand the types of data that will be flowing into the cloud environment and work with various stakeholders to enforce controls that will reduce risk to an acceptable level and comply with any geographic or industry regulations.

It can be tempting, as always, to lock everything down and allow users only the most basic functionality in cloud applications. However, that often results in a poor user experience and leads to unsanctioned cloud use and shadow IT.

While cloud environments are very different from on-premises environments, many of the security principles are still valid. As a foundation, I often guide organizations to look at what they are doing today for on-premises security and begin by extending those same principles into the cloud. Three useful principles to begin with are:

Privilege Management
Privilege management has been used in enterprises for years as an on-premises method to secure sensitive data and guide compliant user behavior by limiting access. In some cloud services, like Amazon Web Services (AWS), individual administrators can quickly amass enough power to cause significant downtime or security concerns, either unintentionally or through compromised credentials. Ensuring appropriate privilege management in the cloud can help reduce that risk.
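As an added illustration of the privilege-management point above (example code written for this page, not Vaultive's product or AWS tooling): a small audit that reads IAM policy documents in the JSON shape AWS uses and flags statements that grant wildcard admin rights, or privileged actions without an MFA condition. The two sample policies are constructed.

```python
# Constructed sample IAM policy documents (not from the page). "ops-admin"
# is the kind of grant that lets one administrator amass full control;
# "s3-reader" is scoped to one bucket and requires MFA.
SAMPLE_POLICIES = {
    "ops-admin": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "s3-reader": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-bucket",
                         "arn:aws:s3:::example-bucket/*"],
            # Real IAM condition key: only honour the grant when MFA was used.
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    },
}

def _as_list(value):
    """IAM allows a string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]

def policy_findings(policy):
    """Return a list of human-readable findings for one policy document."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        wild_resources = [r for r in resources if r == "*"]
        if wild_actions and wild_resources:
            findings.append(f"statement {idx}: full admin grant ({wild_actions[0]} on *)")
        elif wild_actions:
            findings.append(f"statement {idx}: service-wide wildcard {wild_actions}")
        # "*" or any iam:* action can change who holds privileges, so
        # expect an MFA condition on it.
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        privileged = [a for a in actions if a == "*" or a.startswith("iam:")]
        if privileged and str(mfa).lower() != "true":
            findings.append(f"statement {idx}: privileged actions allowed without MFA condition")
    return findings

def audit(policies):
    """Map each policy name to its findings; an empty list means clean."""
    return {name: policy_findings(doc) for name, doc in policies.items()}

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_POLICIES).items():
        print(name, "->", issues or "no findings")
```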

In addition to traditional privilege management, the cloud also introduces a unique challenge when it comes to cloud service providers. Since they can access your cloud instance, it’s important to factor into your cloud risk assessment that your cloud provider also has access to your data. If you’re concerned about insider threats or government data requests served directly to the cloud provider, evaluating options to segregate data from your cloud provider is recommended.

Data Loss Protection
Another reason it’s so important to speak with stakeholders and identify the type of data flowing into the cloud is to determine what data loss protection (DLP) policies you need to enforce. Common data characteristics to look out for include personally identifiable information, credit card numbers, or even source code. If you’re currently using on-premises DLP, it’s a good time to review and update your organization’s already defined patterns and data classification definitions to ensure that they are valid and relevant as you look to extend them to the cloud.
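As an added example of the kind of DLP pattern the paragraph describes (written for this page, not the author's or any vendor's code): a classifier that finds candidate card numbers in outbound text and applies the Luhn check, so that other 16-digit identifiers such as order or ticket numbers are not flagged, plus a basic email pattern as the PII case. The sample text is constructed.

```python
import re

# Constructed sample of text on its way to a cloud application (not from the
# page): one real-format test card number, one email address, and two
# 16-digit values that are not card numbers.
SAMPLE_TEXT = """
Invoice 2017-0042 paid by card 4111 1111 1111 1111, contact jane.doe@example.com.
Order ref 1234 5678 9012 3456 is a tracking number, not a card.
Ticket id 9999888877776666 resolved.
"""

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def luhn_ok(digits):
    """Luhn mod-10 check: True for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_card_numbers(text):
    """Return normalised digit strings that look like PANs and pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits

def find_emails(text):
    return EMAIL_RE.findall(text)

def mask(digits):
    """Keep only the last four digits for logging or user feedback."""
    return "*" * (len(digits) - 4) + digits[-4:]

def classify(text):
    """One DLP pass over a message: what matched, with card numbers masked."""
    return {"card_numbers": [mask(d) for d in find_card_numbers(text)],
            "emails": find_emails(text)}

if __name__ == "__main__":
    print(classify(SAMPLE_TEXT))
```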

It’s also important to educate end users on what to expect. Good cloud security should be mostly frictionless, but if you decide to enforce policies such as blocking a transaction or requiring additional authentication for sensitive transactions, it’s important to include this in your training materials and any internal documentation provided to users. It not only lets users know what to expect, leading to fewer helpdesk tickets, but also can be used to refresh users on internal policies and security basics.

Auditing
A key aspect of any data security strategy is to maintain visibility into your data to ensure compliant usage. Companies need to make sure that they do not lose this capability as they migrate their data and infrastructure into the cloud. If you use security information and event management (SIEM) tools today, it’s worth taking the time to decide on what cloud applications and transactions you should integrate into your reports.

By extending the controls listed above into your cloud environment, you can establish a common ground of good security practices that protect business-enabling technology. With the right tools and strategy in place, it’s possible to stop saying no outright and instead come to the table enabled to empower relevant business demands while maintaining appropriate security and governance controls.

Yael Nishry, Vice President of Business Development, Vaultive

[Cloud Security Alliance Blog]
