By Monique Magalhaes
Technological advancements continue to change how we work and how we consume technology. But as new services and technologies appear, we do not always design or consume them with the “secure by default” idea in mind. Taking a constructive look at specific areas that are likely to grow or persist, including the cloud, remote working, and the suppliers of the services we consume, is essential to keep abreast of security, especially as technologies continue to progress. It is critical to remember the three pillars of security: confidentiality, integrity, and availability — the CIA triad.
Secure by default and the cloud
Over the past year, especially during the pandemic, we have rushed into the cloud and have relied upon and entrusted our business to larger corporations offering cloud services — sometimes without giving security very much consideration. If these hyperscalers — operators of a datacenter offering scalable cloud computing services — get compromised and result in customers losing access, be it temporary or permanent access, or result in customers’ digital assets being stolen, or sensitive data being exposed, what then? It is a scary thought, and not one many people consider or want to think about.
The fact is that any system can be broken into, given the time and resources and the degree of motivation from the attacker. With many of us placing all of our eggs in a single cloud basket, the risks increase. Attackers are aware, and it is only a matter of time until more cloud-based threats evolve.
Security must be transparent but not cumbersome
So, what can we do to defend ourselves? One way is to implement security layers that aim to slow attackers down but allow users to do their work. Security mustn’t be cumbersome; it must be as transparent as it can be to authorized users. Also, we make sure that we can detect and respond to unauthorized access and compromises, and we ensure that we have a robust and recoverable backup plan to get us up and running if and when required.
It is beneficial to understand what the hyperscalers provide or take responsibility for regarding security and what they do not. A standard view among distinguished and experienced cybersecurity professionals is not to leave any of the recovery and security to chance and in the hands of others. Your data is being processed on other people’s systems, and you and your company should take responsibility for the security of that data. The tools that you use, supplied by the service provider, are essentially rented. Therefore, you need to ensure that the data is secure and that everyone participating in the service uses the service/tool appropriately and most securely. This aspect should be managed by the company and not left to chance.
No system should be provided that is not secure by default — let alone insecure by default. This means that security should be “turned on” by default, and it should be the user’s decision to “turn off” the security as required for their purposes. However, a lot of the time, because the service provider wants to sell and market their service, a way to achieve this is to make it easy and convenient to use. But this would result in them providing a system that is not as secure as it can be — not secure by default straight out of the box. Some then sell the security as an extra, thus ultimately “admitting” the service is not secure by default or could be better secured.
Confidentiality, integrity, availability, and access control
Understanding what security encompasses is essential. Essentially, security, although made up of many parts, at a high level involves ensuring confidentiality, integrity, and availability, and a layer of access control. This robust access control means that only an authorized user with multifactor authentication can access the system to be sure it’s the person who should access the system. Confidentiality involves keeping the data secret and ensuring that only the right people, the authorized people, have access. It is important to note that this does not include the hyperscaler, its staff, or anyone that has compromised the hyperscaler.
Integrity involves monitoring so the system can be trusted. The company using and entrusting their business or data to the system is ensured that everything within the system is verifiable and access to it is known — access to what, when, and how. If this aspect is not obtainable, the trust is broken, and therefore the integrity is broken. The system cannot be trusted, resulting in a system that is not secure.
So, a compromise of the hosted platform (cloud) by the staff of the hyperscaler, or a supplier or anyone (including a bot — it does not need to be human) that is not meant to be in the system other than the people that the company has authorized to have access would constitute a breach. The compromise could be indirect and direct, so if a bot accesses the data and mines it and that data is sold for some artificial intelligence purpose, your asset is used for someone else’s gain, and that too can be considered an issue. So, it’s not always clear-cut.
Availability is likely the most mature security pillar as the emphasis is placed on keeping everything up and running for reliability. Moreover, it’s the item that has the most visibility to customers. Also, if the providers’ systems are down, they could be exposed too. Technically, if a system is down and not available to an authorized user when they need it, security availability would be broken.
In simple terms, we place valuable data in others’ hands, and through either an attacker or an insider, this valuable asset could be destroyed or access to it withheld. Availability must be a consideration. A restorable backup must be kept and maintained outside of the control of any hyperscaler or service provider to facilitate a more secure security posture and provide the portability required.
Secure by default and remote work
We will continue to work remotely for a long time to come, which can wreak havoc with any secure by default policy. Moreover, it will be an advancement of choice for many of us, so remote working issues need to be considered. Most importantly, this maps to the CIA triad and access control. Knowing who has access to the systems and platforms, how they are accessed, and when is vital. The data and devices are central to our security.
Systems need to be implemented to ensure the authorized workforce has a secure environment that enables them to do their jobs remotely. It is often said that sharing and security should not be used simultaneously. For example, what if a laptop is shared between two colleagues. Each would have different privileges and levels of access, depending on the tasks each needed to perform. Now imagine sharing a laptop with a stranger — that’s what happens when we share a device that can access the corporate environment with a family member or friend — they are a stranger to the company, an unauthorized individual.
Moreover, suppose the home network is compromised, which is a genuine possibility these days. In that case, the attacker could access corporate data and systems through the home network and the home devices. Thus, importance should be placed on cybersecurity precautions to secure remote workers and corporate and home networks. Everyone has a part to play to improve security while remote working.
Supplier security is a genuine threat since we all partake in the web of service delivery and our services’ collaborative nature. It is effortless to participate in a project where everyone works remotely and where several companies are working together to deliver a single project. This is now the norm. We do not always have insight into everyone’s security posture, so it is challenging to vet the suppliers and their security posture.
One of the biggest threats as we advance is likely to revolve around suppliers’ compromise, which would impact organizations who use their services. We need to work diligently to ensure in-depth systems enforce secure working and limit the risk. The security threat posed by suppliers continues to be a challenging one to manage.
Monique Magalhaes covers compliance, regulations, and security for TechGenix. She is a DP executive and facilitator of data protection and information governance at Galaxkey, a company specializing in data protection and security solutions. Monique is a researcher, writer, and author focusing on technology and security.