Page 45 - the SyI Quarterly 14 Booklet Format
P. 45

Cyber  Updates















 Not every Cloud has a silver lining.          When it comes to risks and responsibilities, using the cloud is the
                                               same as any outsourcing agreement. There’s a joint responsibility
 Here’s why.                                   for the security of data and workloads in the cloud, and this is
                                               shared between the customer and the service provider. However,
                                               the amount of responsibility weighted either way depends on the
                                               type of service agreed. Check out your service level agreement and
 - Alys Gorton                                 conduct a thorough risk assessment. You should ask yourself who is
                                               responsible for what with regard to risk? What controls can you put
                                               in place to reduce the risk on your end? Are the residual risks - risks
                                               that you cannot reduce any further -  something your risk appetite
                                               can stomach? Do not rely on your cloud provider to secure your
                                               data, applications and other assets.
 The cloud - software and services that run on the Internet,
 instead of locally on your computer - is a cornerstone of   Malicious actors are always looking for vulnerabilities to exploit, and
 digitisation. As businesses race to digitise and migrate to the   misconfigurations of any kind - within the cloud or otherwise - are
 cloud for on-demand access to web-based applications, data   a way they can compromise your systems and data. For example,
 storage, processing, and other services, many fail to consider the   leaving some users with excessive privileges to data or services they
 risks of doing so.                            no longer need access to. A leading cause is the failure to change
                                               default settings. Another issue is configuration drift, where changes
 A recent PwC survey found that 90% of senior executives believe   are made on the fly, inconsistently, perhaps by different people, and
 digital transformation - the adoption of digital technology - is   these are not recorded. There are a few ways to address this: firstly,
 increasing their exposure to cyber risk. The report cites it as the   by investing in upskilling existing staff in cloud security or hiring a
 biggest cyber-security challenge they have faced since 2020, and   specialist. It’s also essential to adopt the Principle of Least Privilege;
 they are not wrong!                           assigning the least amount of capabilities possible to machines
                                               and people to accomplish a task, and limit the possible impact of
 In fact, the same survey found that 64% of senior executives   identities and applications to limit risk exposure.
 have not fully mitigated the risks of cloud adoption. A
 worrying statistic with increasing waves of attacks specifically   When it comes to visibility, how can you protect what you can’t see
 targeting cloud infrastructure, such as ESXiArgs ransomware,   or don’t know about? Continuous monitoring is key, allowing you to
 which exploits vulnerabilities within ESXi servers, encrypting   nip problems in the bud. Regular audits and scanning will help you
 configuration files and potentially rendering virtual machines   identify vulnerabilities or threats as early as possible. However, it’s
 unusable.                                     important to note that these should not be a one-time thing. They
                                               show only a snapshot in time. The trick is to get into a continuous
 It’s easy to understand the allure of the cloud, offering   cycle of monitoring and auditing to keep on top of issues when
 businesses the flexibility and adaptability to scale up and scale   they occur. For example, the current ESXiArgs ransomware issue
 down operations with ease and without the need to invest in on-  affecting many organisations worldwide right now is exploiting
 premise infrastructure and in some cases shares responsibilities   unpatched and out-of-service or out-of-date versions of VMware
 and risks with the cloud provider. Whole business operations   ESXi software. These vulnerabilities could have been detected and
 can be run solely within the cloud nowadays. But, there’s a   dealt with if monitoring and remediation processes were in place.
 myriad of considerations to take into account first to safeguard
 against a new world of cyber risk.            The cloud is uncharted waters for many businesses, and the
                                               benefits of cloud migration or adoption are, in many cases, too
 The factors behind these increased threats can largely   good to refuse. But to ensure the best chances of success, consider
 be categorised as follows: limited understanding of the   investing in an experienced cloud specialist to ensure you do so as
 responsibilities and risks taken on by the business and those of   securely as possible, limiting the risk to your business.
 the service provider, misconfigurations of cloud security and a
 lack of visibility of activity within the cloud.





 44                                                        45
   40   41   42   43   44   45   46   47   48   49   50