Why you can’t ignore cloud security
Over
the
past
few
years,
enterprises
across
Australia
have
moved
more
and
more
of
their
systems
and
applications
to
the
cloud,
with
the
trend
only
gathering
pace
with
people
increasingly
working
outside
the
traditional
network
perimeter,
often
at
home
Over
the
past
few
years,
enterprises
across
Australia
have
moved
more
and
more
of
their
systems
and
applications
to
the
cloud,
with
the
trend
only
gathering
pace
with
people
increasingly
working
outside
the
traditional
network
perimeter,
often
at
home
and
other
locations.
Throughout
2022,
several
large
enterprises,
including
NAB,
doubled-down
on
their
cloud
migration
plans,
while
the
vast
majority
of
the
CIO50
listed
this
among
their
top
priorities.
But
while
the
cloud
provides
more
flexible
and
scalable
IT
services,
it’s
also
introducing
new
and
vexing
challenges
around
cyber
security.
In
particular,
many
organisations
are
having
to
make
significant
cultural
–
in
addition
to
technical
–
adjustments
to
deal
with
the
fact
that
growing
caches
of
potentially
sensitive
credentials
are
in
the
hands
of
more
people.
The
recent
attacks
on
NFPs
would
seem
to
highlight
many
of
the
security
risks
being
posed
by
the
migration
to
the
cloud.
Typically
fiscally
restrained,
their
migrations
are
often
more
hurried
and
less
considered,
while
they
also
tend
to
have
fewer
resources
to
train
staff,
many
of
whom
are
part
time
or
volunteers.
Our
attendees
reflected
on
the
serious
concerns
raised
about
security
since
the
earliest
days
of
the
cloud;
concerns
that
were
often
dismissed
as
unfounded,
and
centred
mainly
around
issues
of
data
sovereignty.
But
the
security
challenges
apparent
in
the
cloud
today
are
quite
different
to
what
was
imagined
in
the
past.
There
are
several
key
questions
organisations
need
to
ask
themselves
today
as
part
of
their
plans
to
ensure
they’re
assuming
a
robust
cyber
security
posture
as
the
cloud
becomes
increasingly
ubiquitous.
-
Have
your
intrusion
detection
and
prevention
strategies
have
changed
as
you
move
systems
and
applications
off
your
on-premise
facilities
and
into
the
cloud?
-
What
recent
high
profile
cyber-attacks in
Australia
are
teaching
you
about
your
own
cyber
security
posture
and
why
data
security
can
never
be
an
afterthought?
-
How
you
are
ensuring
your
data
and
applications
can
be
accessed
securely
no
matter
where
users
are
located?
-
Why
it’s
vital
to
make
sure
your
technology
teams
don’t
lose
focus
on
cyber
security
in
a
cloud
environment
with
fast
moving
cloud-native
development
processes?
-
Do
you
feel
that
the
pressure
to
migrate
to
the
cloud
and
take
advantage
of
the
usability
and
cost
benefits,
is
exposing
you
to
cyber
security
risks?
-
Do
you,
or
are
you
seeking
to
have
security
baked
into
your
cloud
provider
SLAs?
Do
these
take
account
of
changing
security
risks
in
the
event
of
activities
being
dramatically
scaled
up?
-
Are
you
confident
you’ll
be
able
to
contact
the
key
people
at
your
provider
in
the
event
of
a
breach?
Have
their
staff
been
vetted?
-
Have
you
ensured
your
provider
doesn’t
have
your
key
access
passwords?
-
Has
the
criticality
of
your
data
been
fully
ascertained?
George
Dragatsis,
A/NZ
chief
technology
officer
with
Hitachi
Vantara
Australia
says
it’s
essential
that
CISOs,
CIOs
and
others
tech
leaders
contemplate
these
questions
seriously.
“Ultimately,
whatever
you
did
with
respect
to
security
on
premise
won’t
help
you
in
the
cloud”.
He
explains
that
there
are
two
phases
to
getting
security
right
in
today’s
virtual,
SaaS-based
environment.
The
first
is
the
‘front
end’,
with
an
emphasis
on
endpoint
protection,
identifying
external
threat
factors
and
developing
strategies
to
mitigate
against
them.
And
the
second
is
all
about
guaranteeing
100
percent
data
availability,
as
well
as
high
levels
of
resilience,
for
instance
in
the
face
of
a
ransomware
attack,
to
ensure
a
quick
and
effective
recovery.
“Organisations
need
to
ensure
they’re
able
to
get
back
up
and
running
in
the
unfortunate
event
of
an
attack.
And
they
need
to
guarantee
the
‘immutability’
of
corporate
business
data,”
Dragatsis
adds.
But
according
to
Nathan
Knight,
managing
director
of
Hitachi
Vantara
A/NZ,
while
most
tech
leaders
understand
the
importance
of
getting
back
up
and
running
as
soon
as
possible
after
a
breach,
many
businesses
lack
a
clear
picture
of
what’s
actually
occurred
and
the
implications.
“Visibility
into
the
impacts
of
breaches
appears
to
be
poor,
with
Medibank,
for
instance,
still
unable
to
tell
customers
what
data
has
been
lost”.
The
Medibank
breach
of
November
2022,
has
been
described
as
arguably
the
biggest
in
Australian
corporate
history,
with
more
than
200
gigabytes
of
sensitive
health
data
from
almost
4
million
Australians
being
ransomed
under
threat
of
publication
on
the
Dark
Web.
It’s
now
widely
accepted
that
the
breach
followed
a
simple
theft
of
key
credentials
from
an
unwitting
staff
member;
a
situation
that
is
becoming
more
common
because
of
companies’
increased
reliance
on
the
cloud.
And
while
every
cyber
breach
seems
to
trigger
vigorous
finger
pointing,
especially
from
the
media,
Knight
stresses
that
cyber
security
is
far
from
a
perfect
science,
with
the
cloud
making
it
even
less
so.
“Maybe
we
all
need
to
accept
that
you
can’t
keep
everyone
out,
and
that
it’s
critical
to
focus
on
getting
back
up
and
running
as
quickly
as
possible”.
Darren
Reid,
director
of
VMWare’s
security
business
explains
that
the
nature
of
cloud
computing
demands
an
approach
to
security
that
is
“intrinsic”.
“Security
must
be
built-in,
rather
than
bolted-on”.
He
adds
that
as
we’ve
modernised
apps
and
moved
to
the
cloud
at
speed,
many
organisations
seem
to
have
lost
sight
of
the
“controls
that
we
used
to
have”.
“We’re
accessing
data
via
unsecured
networks
and
all
of
that
structure
we
used
to
have
around
us
is
basically
gone”.
When
trying
to
secure
networks
today,
it’s
critical
therefore
to
know
the
first
point
of
entry.
Figuring
this
out
requires
micro-segmentation
and
the
correlation
of
end-point
data.
“You
can
limit
to
laptops,
or
segment
networks.
That’s
ok,”
Reid
says.
“But
if
an
attacker
is
inside
your
apps,
data
is
being
exfiltrated
and
you’re
about
to
be
ransomed”.
Increasingly,
tech
and
business
leaders
are
being
urged
to
work
more
closely
together
on
cyber
security
these
days,
with
the
move
to
the
cloud
playing
no
small
part
in
ramming
home
the
message
that
everyone
has
their
part
to
play.
“Security
is
not
just
a
problem
for
security
people
anymore,”
stresses
Reid.
“It’s
team
sport
for
everyone
in
the
company.”
Meanwhile,
as
several
of
our
delegates
noted,
not
only
are
cyber
attackers
becoming
more
sophisticated
and
organised,
we’re
now
entering
a
new
phase
whereby
they’re
operating
more
like
entrepreneurs,
taking
more
serious
note
of
things
like
ROI,
profit
and
loss,
arguable
strengthening
their
resolve
to
‘get
results’.
However,
Reid
notes
that
despite
the
heightened
risks,
this
there
is
a
definite
lack
of
skills
more
broadly
across
organisations,
meaning
CISOs,
CIOs
and
other
tech
professionals
with
responsibility
for
cyber
are
“getting
slammed”.
Moving
forward,
all
attendees
agreed
that
it’s
imperative
cyber
security
is
elevated
in
all
discussions
across
organisations,
starting
with
ensuring
that
everyone
understands
what
a
phishing
email
is.
Business
teams
needs
to
be
up
to
speed
and
vigilant.
And
when
problems
are
reported,
there
needs
to
be
a
proper
understanding
of
the
context.
Further
reiterating
the
importance
of
ensuring
rapid
recovery,
Reid
adds
that
nothing
should
be
taken
for
granted
when
it
comes
to
backups
either.
“While
people
might
say,
oh
we’ve
got
a
backup,
the
question
needs
to
be
asked,
“are
those
backups
‘immutable’”?.