Securing hybrid, on-prem and cloud environments is an ongoing challenge for many companies. Nigel Gibbons, director and senior advisor at NCC Group, a cybersecurity advisory company, described the most common problems he sees and how to resolve them.
Bob Scheier: What are some common cloud security gaps and how should they be closed?
Nigel Gibbons: First, access control and identity management (IAM). One client used a cloud-based CRM system alongside an in-house file server for document storage. In the cloud they had robust role-based access control and multi-factor authentication (MFA). However, their in-house file server relied only on basic username/password authentication without MFA, which could lead to a breach if an employee's credentials are compromised. We recommended a centralized IAM system to enforce consistent access policies across both systems, as well as MFA for in-house systems with regular review and updating of access permissions.
A second weak area is organizations that regularly patch their cloud infrastructure but fall behind on their on-prem systems. This exposes the on-premises servers to known vulnerabilities like the recent Log4j vulnerability. The fix is automated patch management for both environments, with regular patching cycles and vulnerability assessments to identify and prioritize critical patches.
Third is data encryption. One healthcare provider with whom we worked stored patient records in an on-premises database while using cloud-based email services. The email services offer encryption in transit and at rest, but the on-prem records lack encryption, leaving them vulnerable if the on-prem server were compromised. The solution is encrypting the on-prem records using industry-standard algorithms, securely managing and regularly rotating the encryption keys.
A fourth area is monitoring and logging. One financial institution with whom we worked maintained an in-house legacy trading system alongside cloud-based customer portals. While the cloud environment has robust monitoring and logging with automated alerts, the legacy system lacks these, making it challenging to detect unauthorized trading activity or security breaches. We recommended a unified monitoring and logging solution for on-prem and cloud systems, using security information and event management (SIEM) tools to consolidate logs, set up alerts, and establish automated response mechanisms for both environments.
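As an added illustration of the unified monitoring point above (and of the MFA gap from the first example), not code from the interview or from NCC Group: a small Python script that normalizes constructed log lines from a hypothetical legacy on-prem trading system and a cloud customer portal into one schema, then applies the same alert rules to both. The log formats, field names, business-hours window and quantity threshold are all assumptions.

```python
import json
import re

# Constructed sample logs (assumed formats, not real systems): a legacy on-prem
# trading system writing key=value syslog lines, and a cloud portal emitting JSON.
ONPREM_LOG = """\
2024-03-04T09:12:01 trade-legacy auth user=jsmith result=success mfa=no src=10.0.5.14
2024-03-04T09:12:30 trade-legacy trade user=jsmith action=SELL qty=5000 sym=ACME
2024-03-04T02:41:07 trade-legacy auth user=svc_batch result=success mfa=no src=10.0.9.2
2024-03-04T02:41:15 trade-legacy trade user=svc_batch action=BUY qty=120000 sym=ACME
"""
CLOUD_LOG = """\
{"ts": "2024-03-04T09:15:44Z", "source": "portal", "event": "auth", "user": "jsmith", "result": "success", "mfa": true, "src": "198.51.100.7"}
{"ts": "2024-03-04T09:16:02Z", "source": "portal", "event": "auth", "user": "akhan", "result": "failure", "mfa": false, "src": "203.0.113.9"}
"""

ONPREM_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+) ?(?P<kv>.*)$")

def normalize(onprem_text, cloud_text):
    """Map both formats onto one schema (ts, source, event, user, mfa, ...) sorted by time."""
    events = []
    for line in onprem_text.splitlines():
        m = ONPREM_RE.match(line)
        if not m:
            continue  # unparseable legacy line; a real pipeline would count these too
        fields = dict(pair.split("=", 1) for pair in m["kv"].split())
        fields["mfa"] = fields.get("mfa") == "yes"  # legacy logs mfa=yes/no as text
        events.append({"ts": m["ts"], "source": m["source"], "event": m["event"], **fields})
    for line in cloud_text.splitlines():
        rec = json.loads(line)
        rec["ts"] = rec["ts"].rstrip("Z")  # align timestamp format with the legacy system
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])

def detect(events, business_hours=(7, 19), qty_limit=50000):
    """Apply the same alert rules to both environments; returns (rule, source, user)."""
    alerts = []
    for e in events:
        hour = int(e["ts"][11:13])
        if e["event"] == "auth" and e.get("result") == "success" and not e["mfa"]:
            alerts.append(("auth_without_mfa", e["source"], e["user"]))
        if e["event"] == "trade" and not business_hours[0] <= hour < business_hours[1]:
            alerts.append(("trade_outside_hours", e["source"], e["user"]))
        if e["event"] == "trade" and int(e.get("qty", 0)) > qty_limit:
            alerts.append(("trade_qty_over_limit", e["source"], e["user"]))
    return alerts
```

Running `detect(normalize(ONPREM_LOG, CLOUD_LOG))` on the constructed sample yields four alerts, all from the legacy system, which is exactly the blind spot the legacy side had before its logs were consolidated.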
Where do CIOs and CISOs fail in understanding such vulnerabilities?
When I go into an organization, the first question I ask is to whom does the CISO report? If they’re not reporting to the CEO, that is an immature organization in terms of digital transformation. If the CISO reports into the CIO, that’s probably the second best. If they report to the CTO, that’s getting into dangerous territory, as their conversation and focus will be down in the technical weeds, not focusing on the most strategic risks or communicating that down into their security teams.
How many CISOs report to the CEO?
No more than 30 percent, though that figure may be skewed because we tend to talk to organizations that need more help with security.
Besides improved security, how does such a reporting structure help the business?
By helping it understand how close to their “risk envelope” they are flying and whether they can “fly closer.” We find they can often accept more risk than they think in return for lower costs and greater agility. With our clients we see this increase productivity by six to 15 percent. But this requires understanding not just the attack surface (the number and nature of vulnerable systems) but the business tolerance for risk. Consider the risk of moving too slowly, as the digital economy is breeding challengers who can better balance risk vs. agility.
Some organizations say they need IT uptime 24/7, 365. But with one client we found only one system that needed to be up all the time, and then only during the work week. Other systems could survive a complete outage of between 8 and 24 hours. The nature of their data flows with suppliers and customers meant they could afford to lose all their current transaction data, because as soon as they brought the systems online, they could refill 90 percent of their data from their partners.
This also meant it didn’t take six months to deliver a new bit of technology their customers were screaming for. If the new systems went down occasionally during the six months it took to get the bugs out, they could afford it.
Where else do organizations fall down?
In the hard work of setting policies and developing risk management frameworks for a more agile, cloud-enabled world. We find many organizations get bogged down in what I call “voluntary compliance.” These are security, disaster recovery or other requirements an organization thinks are required by law but are often imposed by the company’s own legal, HR, compliance or procurement organizations.
What are some examples?
We worked with a major international bank which imposed its overly rigid traditional risk management framework on an online startup it had created to compete with new challenger banking entrants. The startup failed. We found a retail organization spent six weeks creating a compliance strategy for their online shopping cart. I told them "You could almost call yourself a compliance company" rather than a retail company delivering a convenient buying experience for its customers. A lot of self-imposed regulation can disproportionately magnify security and compliance costs. But most organizations don't fully grasp that concept, and it's a tough sell because we live in such a litigious society today.
How can a CIO or CISO sell this idea of accepting more risk?
A CISO working with a CIO should work with their business partners to establish a true picture of the threat profile. It should describe their current digital footprint, and the real threats to the business, its success, and bottom line. Work with the business to establish and continually revise how much risk it can afford against the benefits of lower costs and faster growth. Consider the risk of moving too slowly and define the upper boundary of your acceptable risk.
Nigel Gibbons, director and senior advisor at NCC Group, has more than 25 years' experience in IT and cybersecurity, advising and consulting at the enterprise level.