
Cloud and Security: Done and dusted? Not yet Muffin

There are still more rose petals to pluck in the ‘Shall I- Shall I not’ flinching that Cloud provokes. Especially when you whisper the spooky word called Security. Boulders vs. Barriers can seem to be a good trick then. But how?

Pratima Harigunani

Pratima H


INDIA: India sits at number six in Asia, but not for good news. When zero-day vulnerabilities double in 2015 to 54, running at a 125 per cent clip, and new malware variants tot up to around 430 million, things may not be looking all sun-shine-y after all.

And alongside, one has to constantly suss out new issues like warm data vs. cold data; cloud sprawl; cloud-specific exploits, such as SQL injection flaws, or spear-phishing campaigns exploiting misconfiguration and poor security by users, rather than cloud service providers; besides the fuzzy implications of the arrival of cloud’s new cousins like IoT, Fog and so on.

Symantec’s Internet Security Threat Report Vol. 21 raised some furrowed eyebrows when it underscored that with businesses turning more to cloud technology and the prevalence of IoT devices, targeted attacks seeking to exploit vulnerabilities in these systems can go up in the next year or two. There is more cause for worry when one flips the pages to areas like misconfiguration and poor management (by users, not cloud service providers) and other vulnerabilities for cloud-hosted systems.


Clearly, there are more gasps than sighs when one starts wondering about Cloud in light of such reports. Atul Anchan, Director, Systems Engineering – India, Symantec helps us to debunk some assumptions and uncover some directions that the scenario direly needs.

What are the highlights worth noting (and new ones if any) from Symantec’s Internet Security Threat Report Vol 21? Should India side be worried too?

As real life and online become indistinguishable from each other, cybercrime has become a part of our daily lives. Symantec’s Internet Security Threat Report globally reveals an explosion of zero-day vulnerabilities, with 2015 numbers more than doubled to a record-breaking 54, a 125 per cent increase from the year before, reaffirming the critical role they play in lucrative targeted attacks. Meanwhile, malware increased at a staggering rate with 430 million new malware variants discovered in 2015.


The sheer volume of malware proves that professional cybercriminals are leveraging their vast resources in an attempt to overwhelm defenses and enter corporate networks. 2015 witnessed the largest data breach ever publicly reported, with 191 million records compromised in a single incident. There was also a record-setting total of nine reported mega-breaches.

The India findings from the report reveal that the country continues to be a top source as well as destination of cyber attacks. India continues to rank 3rd globally as a source of overall malicious activity which takes spam and other threats like malware, phishing hosts, bots into consideration. The report shows that Indian enterprises need to plan for repeated targeted attacks. Indian organizations were the 6th most targeted in Asia, with targeted organizations on the receiving end of two attacks on an average.

Moreover, the last five years have seen a steady increase in attacks targeting businesses with less than 250 employees. In 2015, over one in two attacks (52 per cent) were aimed at small businesses in India, proving that companies of all sizes are at risk.


Why do you emphasize data as the focus point to address threat issues? How can it be the right spot of action and strategy? Any particular types: streaming data/warm data/cold data etc?

The cloud has single-handedly turned IT departments of enterprises upside down by providing unrivaled benefits for hosting and accessing data. According to Cisco, 69 per cent of all workloads will be in the cloud by 2017. Moreover the Indian cloud market alone is expected to reach over $3 billion by next year—an almost five-fold increase from 2012. In recent years, large corporate data breaches are showing that security in the cloud is, and will continue to be, a main topic of concern for organisations.

While cloud application providers today such as Salesforce and Amazon are safely and securely servicing hundreds of thousands of enterprise customers, what is worrisome is protecting that data when transferring fluidly from those applications to mobile and/or IoT devices.


At Symantec we have to protect all data which is critical to the organisation, be it warm, cold or hot. It all begins with prioritizing the enterprise data. IT departments need to compartmentalize their data, understand which of it is the most critical to their business and put a metaphorical fortress around it. Today, some may feel like they need to secure every piece of data equally. This is akin to pushing a boulder up a mountain; virtually impossible.

But when this data is broken down into a much more manageable task, it’s more tangible to secure the data that, if meddled with, would have devastating repercussions for businesses.

What else can you recommend?


Additionally, below are a few steps that can help enterprises allow, but safely manage, cloud applications:

• Stop being a barrier. Businesses will need to use devices and cloud apps that facilitate collaboration and increase productivity – it makes the organization more competitive and nimble. IT and CISOs in particular can’t afford to ignore cloud apps and BYOD devices anymore because CEOs expect IT to be a business and innovation driver, but we must also be sure we can manage and secure this technology.

• Leverage the chance to improve communication. Initiate communication between IT and other company stakeholders to have a frank, open discussion on how employees are using unsanctioned cloud apps, what features are important, and drive toward a decision on which applications are needed. In some cases, you may be able to recommend a solution that adds a layer of security in front of the cloud app to mitigate the risk to the organization. In other cases, the app may simply be unsecure and another one must be found that provides the same capabilities but more security.


• Educate users and mitigate risk. IT also must work with the business to educate users so that the most sensitive information is handled appropriately to mitigate the risk of data loss – either because of a lost device or because the data was placed in a vulnerable location.

• Don’t resist change, embrace it. In order to stay competitive, enterprises are going to have to continue to move apps and services to the cloud; our goal as IT professionals must be to stay an active part of the conversation. Implement a cloud strategy that offers both security and accessibility.

Can you elaborate on the threat possibilities that IoT might usher in? Is it just about the increased surface area or skills or standards or access points?

With businesses turning more to cloud technology and the prevalence of IoT devices, Symantec expects to see targeted attacks seeking to exploit vulnerabilities in these systems within the next year or two. Cloud services particularly vulnerable to exploits, such as SQL injection flaws, will likely be targeted first. Spear-phishing campaigns exploiting misconfiguration and poor security by users, rather than cloud service providers, will bear low-hanging fruit for the attackers.

We may even expect to see IoT devices as the preferred route for attacking an organization, and potentially the most difficult for incident response staff to recognize and remove. Given the present poor state of security on connected devices, they will present an increasingly attractive target to criminals who look for easy targets.

Any signs of how fog computing could have a security implication as well?

Fog computing, also known as Edge computing or fogging, refers to extending cloud computing to the edge of the enterprise network. This facilitates the operation of compute, storage and networking services between end devices and cloud computing data centers. As the number of connected devices (IoT) is rapidly growing and the applications that consume cloud services generate massive data, such devices have started processing and storing data.

Over the last year, Symantec has seen an increase in proof-of-concept attacks and growing numbers of IoT attacks in the wild. In numerous cases, the vulnerabilities were obvious and all too easy to exploit. IoT devices often lack stringent security measures, and some attacks are able to exploit vulnerabilities in the underlying Linux-based operating systems found in several IoT devices and routers. Many issues stem from how securely vendors implemented mechanisms for authentication and encryption (or not).

Has the growing influence of software in so-far-hardware-dominated areas like networking, storage etc increased the threat factor?

The Software as a Service model and Big Data are trends that are gaining popularity because of cost effectiveness and scalability. Today organisations have an option to buy Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS). When organisations make decisions to opt for such services, they try to secure them by deploying additional layers of security or by asking the service provider to provide security-driven SLAs.

Any particular warning signs and prescriptions with respect to cloud from a security perspective? Would they differ for hybrids, DIY, private and public clouds?

Today's cloud and mobile-driven world creates new data protection challenges as business critical information is no longer confined within corporate networks. In such a scenario, new security patterns and practices are emerging to address the challenges in this cloud-based environment. These are based on IT regaining control by setting policies consistently across physical, virtualized, private cloud, and public cloud infrastructures; acquiring visibility into policy deployment and enforcement; and, finally, auditing those policy controls.

Elaborate.

While there is no written guide to just follow for cloud adoption, organizations may consider a customized approach on the basis of what’s critical, considering the existing setup: how ready and advanced your internal and external systems and processes are to take a call and ‘move to cloud’. For example, cloud means security challenges, data leakage, data privacy and many such threats. So the best possible way of selection is to identify what’s important to move to cloud and security organizations who can provide a ‘unified security strategy’ and help build business for and placed to serve the enterprise achieve their business goals rather than focus on security issues.

Is shadow-IT or cloud sprawl or overprovisioning factor a cause or a side-effect or a parallel track of security-related mishaps?

As companies move their IT systems to virtual and cloud-hosted environments, they face new security challenges. In addition, as ever, human nature itself is a threat, with poorly-managed security leading to shadow IT systems. Shadow IT refers to solutions used inside organizations without explicit organizational approval, and solutions used by departments other than the IT department. It can sometimes be all too easy for a group of employees to turn to external products to fulfill an immediate need. IT decision makers should understand what is influencing their employees to turn to these solutions, and when the IT department should be involved to help shape those decisions.

Situations like Shadow IT and cloud sprawl arise when the IT team doesn’t have adequate tools and resources to monitor endpoints and servers, including cloud infrastructure. As businesses grow, their requirements also increase; however, the IT team requires time and budget to identify adequate solutions which fulfil business requirements as well as ensure data security.

Can you translate that for a CIO?

It is important for the CIO to understand what the organization is doing, and whether certain teams are looking for services or applications that are not provided for, and then determine how to address that need and offer that service in a secure fashion. Having the right processes is key to protecting information and data, even when it is not housed inside the enterprise.

Anything else that you see on your radar which the industry may still be negligent about?

Businesses today do not want to deploy multiple solutions to protect each end point. For business benefits, they should rather deploy solutions which will integrate themselves with existing infrastructure. Solutions like Advanced Threat Protection (ATP) leverage existing threat protection infrastructure, helping companies to achieve an effective data protection regime without the expense and implementation issues from vendors.

As companies migrate to cloud, they would need solutions that would help them keep their critical information secure regardless of where it resides. Data Loss Prevention (DLP) is one of the key technologies to enable anytime, anywhere, any device data protection. DLP is a foundational technology for cloud security. Additionally, efficient use of analytics for the data aggregated will make the information more useful and the security approach more intelligent. Security is no more a point product play but an architecture play. Enterprises should work with partners who can help them devise security as a part of their architecture.
