When meeting with organizations across EMEA, I often hear them cite concerns about putting security in the cloud. However, in the following discussions, they typically admit that doing just that is inevitable. There’s a mindset change here that needs to be embraced on all sides of the cybersecurity equation.
I’ve worked previously with companies operating on the mantra that change is the only constant, yet cybersecurity experts often perceive change as a loss of control that they have to regain. This is perhaps why 70 percent of cybersecurity professionals across Europe and the Middle East say a rush to the cloud is not taking full account of the security risks, according to a recent survey conducted by Palo Alto Networks.
At the same time, there is increasing pressure from regulation, such as GDPR, to be mindful of what data (specifically PII) is put into the cloud. Unlike with databases or other IT systems, the concern here is typically how PII can be accidentally captured by the security tools in use.
With all this in mind, it’s not surprising that the initial idea of moving cybersecurity to the cloud makes many security leaders anxious, just as IT leaders felt when it came to moving their applications.
The Benefits of Agility
Perhaps the biggest cybersecurity challenge today relates to our ability to normalise and process the increasing volume of artefacts we gather through security tools and turn them into intelligence we can act on in a timely manner to prevent business impact. With many businesses now processing millions of artefacts per month, the key challenge is the time required to achieve this. How much is your business processing today, and what are the growth predictions for the next three years? The cloud effectively gives unlimited compute power with no big Capex investments, so the same rationale for moving applications and data to the cloud surely applies to cybersecurity. Indeed, our research highlighted that 75 percent of cybersecurity professionals agree embracing the cloud could be a method of enhancing cybersecurity capabilities in their organizations.
As more applications and data move to the cloud, the cybersecurity tools that gather all these artefacts are themselves having to move to the cloud. These tools must be natively integrated to detect the artefacts and understand the environment in order to effectively secure it. However, the natural tendency of cybersecurity professionals is to haul this data back into their own organizations for analysis.
It is a typical human emotional response to want to keep precious things close at hand, and information that pertains to potential breaches is precious. However, if you look at traditional endpoint security, most security point products today share information about attacks against you with the security provider via the cloud, with the aim being to better detect and understand attack trends. Other organizations have already gone much further and send their security logs to managed security service providers to analyse and act upon.
Taking this into account, why are some cybersecurity teams more open to sharing than others? And what’s different between sharing in this way and storing artefacts or indicators in a private cloud?
In certain circles, data classification means that “no information leaves the building” where data is confidential or top secret, yet for most, that’s not the limiting factor. All too often, regulation is given as the justification, but that may not actually be the case. Security vendors and partners don’t want your PII, so they work hard to filter it out and give you control over what is shared. Likewise, regulations such as GDPR recognise the value of cybersecurity tools when it comes to helping protect PII, and this should allow for a little more leniency should personal data mistakenly get caught up in the process.
Not so long ago, people would bury treasures or hide their money under the bed, yet today, such prized items would typically be kept in a bank. This is because we recognize and trust that banks can better protect valuables, and there is incremental value – in terms of interest – in putting them there. Did you know Monzo bank was launched in April 2017 in the UK as one of the first cloud-based banks utilised through an app? Banks are shifting to the cloud!
Now, consider cybersecurity. Security professionals apply it themselves as they trust in their own capabilities. This is absolutely valid, yet cloud services typically have more budget and resource to protect security data, and – most importantly – have the incremental value of agility, in terms of elastic compute power, to process it. The matter at hand therefore becomes how each business builds trust in storing its security data in the cloud. I would suggest that this starts with transparency and control: where and what is gathered, how it is stored and used, who has access to it and why. More and more cloud security services are sharing this information to ensure you can have trust in their capabilities. Likewise, there is also a growth in third-party tools that provide governance of your cloud services based on this growing need. Palo Alto Networks has recently acquired Evident.IO.
You Can’t Stop It, Even If You Want To
Not so long ago, many held the same concerns for any use of the cloud, yet cloud-first strategies are commonplace today. I believe the same applies for cybersecurity, as most companies are now leveraging the cloud to enable or apply some level of their cybersecurity capabilities. However, at some point, each security professional will go through his or her own mindset shift, where concerns about the risk of putting security information in the cloud will be overtaken by the value of leveraging the elastic compute power to apply the latest smart AI algorithms against security artefacts, or by the growing need for security to be natively applied in the cloud to protect the business processes that have moved there.
The important things, at this point, are knowing when that mindset shift will occur in your business, and being clear and confident on what you and your business require to embrace it. Typically, business leaders are pushing IT teams to transform faster, which can potentially lead to bigger lag with cybersecurity teams. What’s clear is that business isn’t going to wait, so the longer it takes to make that mindset shift, the more catching up there will be to do.
 The processing of personal data by public authorities, computer emergency response teams, computer security incident response teams, providers of electronic communications networks and services, and providers of security technologies and services – to the extent strictly necessary and proportionate to ensure network and information security – constitutes a legitimate interest of the data controller concerned. This could include, for example, preventing unauthorised access to electronic communications networks and malicious code distribution as well as stopping “denial of service” attacks and damage to computer and electronic communication systems.
[Palo Alto Networks Research Center]