Try Cloud Security/Cybersecurity tests occasionally if employees are willing to evaluate their knowledge
This is an exclusive interview conducted by the Editor Team of CIO News with Praveen Singh, Co-Founder & Chief Information Security Advisor of CyberPWN Technologies
How can organisations become digitally secure with the cloud?
Organizations need to take a cloud-first approach to enable business agility and resilience while accelerating their digital transformation journey. Cloud security is becoming critical since most organisations are already using cloud computing in one form or another. Organizations adopting best practices focus on three key elements: people, processes, and technology.
Let’s discuss a layered approach to cloud security: people, processes, and technology.
IT departments have adapted gradually over the past few years as the cloud has been more widely adopted. Unless your business was founded on the public cloud, technology leadership has typically inherited their environments, and they are looking for ways to get back control and security. I have mentioned below some important points with regard to people when it comes to cloud security:
- Cloud security officer in charge of a team with technical knowledge of cloud security
- Training teams on cloud security best practices and enabling easy access to updated security documentation can empower employees to more easily spot security issues and act with caution—when in doubt
- Program and process for identifying cloud security knowledge in people
“Process” is an area where a lot of organisations need assistance when it comes to cloud security. I’ve included some key points about the process of cloud security below.
- Cloud security assessment and gap analysis.
- Implementing a cloud security framework
- Periodic cloud security audit
- Continuous cloud security risk assessment
- Governance and compliance (security resources, policies, contracts, cloud service provider evaluation) as well as security controls such as ISO/IEC 27001, ISO-27018, ISO-27017, ISO-27018, NIST 800-53, GDPR, SOC 2 Audit, PCI-DSS, and so on.
- Monitoring and Logging: Vulnerability and Attack Management; traffic monitoring; log management; analysis; and mitigation strategies
Technology that brings everything together (people and process) and at scale is absolutely necessary. I have mentioned some technologies which should be used for cloud security:
- User Identity & Access management with a Zero Trust model. (MFA, SSO, conditional access, access control, etc.)
- Data security (encryption in transit/at rest and key management) and CASB/DLP (data classification and control, data backup and restore, data loss prevention) follow
- Network Security: Rules and configurations, firewalls, security group specifications
- Monitoring and logging with user behaviour analytics. (Threat detection, continuous monitoring and alerts, incidence and response, etc.)
- Hardware and Software Security: Physical security, scans, audits, patches, server hardening, configuration hardening, logical segmentation, etc.
- Cloud Application Security: WAF, Bot Management, API Security, DDoS Services, etc.
- Security practice adoption at every stage of software development (SAST, DAST, RASP, IAST, SCA, Pen-testing)
- Cloud security based on cloud services (i.e., IaaS, PaaS, SaaS), CSPM, CWPP, CASB, CIEM, SSPM
Organizations must understand that cloud security is a shared responsibility. Only by deploying the above security controls and ensuring the security of their data and workloads in the cloud through secure processes and practices can organisations achieve the highest level of security.
What are the cloud security threats you could forecast in the coming year of 2023?
As the rate of cloud adoption rises, so does the number of security threats; here are five cloud security threats that I believe will emerge in the year 2023.
- I would say that misconfigurations are still the biggest threat to cloud computing.
- Insecure interfaces and APIs are the second biggest threat to the cloud in upcoming years.
- Multi-factor authentication (MFA) fatigue (aka MFA Prompt Spamming/MFA Bombing) is hackers’ new favourite tactic in high-profile breaches.
- Insecure software development can be a big threat to organisations again. If one event demonstrated how vulnerable organisations and infrastructure around the world are to software vulnerabilities, it was Log4j.
- Cloud computing-related insider threats are often listed as a serious concern by security researchers.
What are the most important aspects of a cloud security policy for organisations to implement before entering 2023?
It’s time to create the “Cloud Security Policy”. Many are moving to the cloud. But 90% of organisations do not have a cloud security policy in place. When you are on-prem, you have multiple policies, but when you are moving to the cloud, I am not sure why there is no security policy. Have a consolidated policy for “What needs to be Secured IN the Cloud” since the security of the cloud will be taken care of by CSPs (Cloud Service Providers).
The most important aspect of cloud security policy is data protection; the key threats are those of data unavailability, data loss, and the release of sensitive information. A data protection policy should be implemented before entering 2023.
How can IT leaders educate employees so that there will not be any cloud security failures because of employees’ faults going ahead?
Cloud security and cybersecurity awareness training for all employees, regardless of role, is an absolute necessity if an organisation is serious about shielding its sensitive data from cybercriminals. An IT leader should use the following tips to ease employee cyber education.
- Explain the consequences of a cybersecurity incident on your company to communicate the potential impact of a cloud security/cybersecurity incident. This includes financial losses, fines, and eroded customer trust.
- Improve Your Cloud Security/Cybersecurity Messaging. In most cases, IT teams use incomprehensible terms that standard employees struggle to understand.
- Teach them about various types of cloud security and cybersecurity threats.
- Make use of different approaches, such as newsletter updates and announcements.
- Make all updates “keep it short and simple.” This makes it easy for employees to glean and retain the updates even after a long, hectic day.
- Provide updates on current cybersecurity trends. Reach out to your employees every time there is a new malware or phishing scam.
- Make the updates eye-catching. For instance, opt for colourful infographics instead of do’s and don’ts or listing statistics.
- Try Cloud Security/Cybersecurity tests occasionally if employees are willing to evaluate their knowledge. For this, consult an employment lawyer if there are potential repercussions of doing this.
Any other trends in cloud security which you would like to highlight for 2023?
The cloud has been a game-changer for the tech industry, and it shows no signs of slowing down. With such rapid growth, it can be tough to keep up with the latest trends.
In the current workplace environment, teams are more geographically dispersed than ever, with remote and hybrid working at an all-time high. As such, previous approaches to network security are no longer sufficient; employees logging in from everywhere expand the attack vector and make it easier for cyber criminals to compromise your organisation.
In addition, because of the distributed workforce, an organisation’s network has an unprecedented need for reliable connection and access. These network demands are compounded by how modern organisations use multiple Software as a Service (SaaS) products—SaaS products are all located on the cloud, which again opens up the attack surface for cyber criminals.
That’s where a SASE platform comes in. By addressing all these issues, a SASE solution sits at the forefront of modern cyber security needs, making it one of the most popular and most-discussed cyber security topics of the past few years, especially given the recent explosion in cybercrime.
Secure Access Service Edge (more commonly known by the SASE acronym) is a cloud architecture model that combines network and security-as-a-service functions to deliver them as a single cloud-based service. As the enterprise attack surface continues to expand across cloud apps, on-premises resources, and personal devices, a SASE network offers a context-aware solution with a fully integrated security and network stack that can enforce policies wherever the data goes.
This allows organisations to consolidate their network and security tools into one seamless management solution that is cost-efficient and location-independent. In other words, in an era of remote work and with the proliferation of cloud services, Secure Access Service Edge offers organisations a convenient, agile, scalable SaaS solution for networking and security.
“SASE is the future of networking and network security architectures.”