There are anything from 13 billion to 21 billion smart devices online today. These estimates were presented by different speakers at a recent Westminster eForum cybersecurity conference in London.
Other figures were more alarming. To date, five billion personal records have been breached worldwide across every type of organisation. The motive is usually financial rather than hostile or political, and it's easy to see why. One estimate of the total losses to date was up to $1.2 trillion, if you include cybercrimes that are enablers of other illegal acts, such as fraud and money laundering.
Make no mistake, such attacks are the work of organised, entrepreneurial criminal networks, not the opportunistic bedroom hackers or hostile agencies of lore - though those threats certainly exist. Organised cybercriminals want maximum payback on their own technology investments, said the conference.
Growing attack surfaces
With 340 undecillion IP addresses available under IPv6, it's obvious that the so-called attack surface can only get bigger as the Internet of Things (IoT) grows - an environment that another speaker described as "feral", largely ungoverned by standards and (despite the UK government's best efforts) security by design.
IoT devices, such as smart lightbulbs, environmental control systems, digital assistants, and more, can offer backdoors into organisations' critical infrastructures and data, if securing them has not been factored into the security policy. This is particularly true if the devices themselves are not set to be 'dumb by default' until the user opts in to more personalised options.
It must be acknowledged that another significant feature on the security landscape is the growing prevalence of cloud services. In that context, the extended enterprise is a security challenge too: organisations' partners and supply chain in the cloud are increasingly common targets, offering criminals yet another way into the business.
Most organisations are somewhere on a journey into the cloud for at least some back- and front-office processes. So it stands to reason that providers are targets for cybercriminals, particularly for those with financial ambitions. Suppliers play host to countless customers, so finding a way in could prove lucrative in the long run.
However, even with hosted services the real risk is often at the customer end - in the weakest link in the security chain: people. Employees sometimes fall victim to sophisticated phishing attacks, which are designed to allow criminals into accounts, where they can set up complex frauds or fake transactions.
In such an environment, security has to be agile and connected with governance, risk appetite, and sensible, pragmatic management.
Cloud vs on-prem
But is the cloud itself more or less secure than on-premises systems? It's fair to say that some IT leaders believe the latter, and feel more comfortable with systems that they can see and interact with first hand, as if that somehow confers greater security than a hosted service.
But such a viewpoint is more emotion-based than logical and ignores the rolling upgrades and automatic patches of most cloud services. Failure to keep on-premises operating systems or applications up to date and/or failure to install readily available vendor patches are common reasons for cyber attacks succeeding. The havoc created in the NHS and other organisations by 2018's WannaCry ransomware attacks was just one example of this problem.
A recent Computing Research survey revealed some of the conflicting attitudes to cloud security among the UK's IT decision-makers, with particular reference to Human Capital Management (HCM) and Finance applications in the cloud.
Asked which aspects of cloud-based platforms were critical deciders, security was second only to reliability: 52 percent of respondents described security as very important, while 31 percent saw it as important - 83 percent in total. By contrast, 87 percent cited reliability (itself a form of security, in terms of service uptime and predictability) as either important or very important.
Asked which factors were stopping some organisations from moving back-office functions into the cloud, security came top, cited by 42 percent of respondents - a significant minority. Of those that had migrated functions into the cloud, 38 percent admitted to encountering at least some security challenges during that process.
However, the naysayers were overshadowed in the survey by cloud's many proponents. Improved data security was cited as either a major or very important motivation for moving to the cloud by just under 70 percent of IT leaders, with a further 20 percent identifying it as important.
So what were the results of that move? Over 64 percent of IT leaders said that improved data security had been achieved either "extremely successfully" or "very successfully" by shifting back-office applications into the cloud. A further 25 percent described the results as successful. In total, this reveals an 89 percent vote in favour of improved data security in the cloud.