Page 44 - the SyI Quarterly 14 Booklet Format
Cyber Updates
Not every Cloud has a silver lining. Here’s why.
- Alys Gorton

The cloud - software and services that run on the Internet, instead of locally on your computer - is a cornerstone of digitisation. As businesses race to digitise and migrate to the cloud for on-demand access to web-based applications, data storage, processing, and other services, many fail to consider the risks of doing so.

A recent PwC survey found that 90% of senior executives believe digital transformation - the adoption of digital technology - is increasing their exposure to cyber risk. The report cites it as the biggest cyber-security challenge they have faced since 2020, and they are not wrong!

In fact, the same survey found that 64% of senior executives have not fully mitigated the risks of cloud adoption. A worrying statistic with increasing waves of attacks specifically targeting cloud infrastructure, such as ESXiArgs ransomware, which exploits vulnerabilities within ESXi servers, encrypting configuration files and potentially rendering virtual machines unusable.

It’s easy to understand the allure of the cloud, offering businesses the flexibility and adaptability to scale up and scale down operations with ease and without the need to invest in on-premise infrastructure and in some cases shares responsibilities and risks with the cloud provider. Whole business operations can be run solely within the cloud nowadays. But, there’s a myriad of considerations to take into account first to safeguard against a new world of cyber risk.

The factors behind these increased threats can largely be categorised as follows: limited understanding of the responsibilities and risks taken on by the business and those of the service provider, misconfigurations of cloud security and a lack of visibility of activity within the cloud.

When it comes to risks and responsibilities, using the cloud is the same as any outsourcing agreement. There’s a joint responsibility for the security of data and workloads in the cloud, and this is shared between the customer and the service provider. However, the amount of responsibility weighted either way depends on the type of service agreed. Check out your service level agreement and conduct a thorough risk assessment. You should ask yourself who is responsible for what with regard to risk? What controls can you put in place to reduce the risk on your end? Are the residual risks - risks that you cannot reduce any further - something your risk appetite can stomach? Do not rely on your cloud provider to secure your data, applications and other assets.

Malicious actors are always looking for vulnerabilities to exploit, and misconfigurations of any kind - within the cloud or otherwise - are a way they can compromise your systems and data. For example, leaving some users with excessive privileges to data or services they no longer need access to. A leading cause is the failure to change default settings. Another issue is configuration drift, where changes are made on the fly, inconsistently, perhaps by different people, and these are not recorded. There are a few ways to address this: firstly, by investing in upskilling existing staff in cloud security or hiring a specialist. It’s also essential to adopt the Principle of Least Privilege; assigning the least amount of capabilities possible to machines and people to accomplish a task, and limit the possible impact of identities and applications to limit risk exposure.

When it comes to visibility, how can you protect what you can’t see or don’t know about? Continuous monitoring is key, allowing you to nip problems in the bud. Regular audits and scanning will help you identify vulnerabilities or threats as early as possible. However, it’s important to note that these should not be a one-time thing. They show only a snapshot in time. The trick is to get into a continuous cycle of monitoring and auditing to keep on top of issues when they occur. For example, the current ESXiArgs ransomware issue affecting many organisations worldwide right now is exploiting unpatched and out-of-service or out-of-date versions of VMware ESXi software. These vulnerabilities could have been detected and dealt with if monitoring and remediation processes were in place.

The cloud is uncharted waters for many businesses, and the benefits of cloud migration or adoption are, in many cases, too good to refuse. But to ensure the best chances of success, consider investing in an experienced cloud specialist to ensure you do so as securely as possible, limiting the risk to your business.