The Recipe for a Secure Cloud environment

Thoughts on Cloud Transformations - Part 2 of 3
by Evan Kirstel @evankirstel


Hackers are more committed and willing to be patient far longer than you can ever imagine. This was from a presentation I gave in 2000. Now, nearly two decades later, there are probably 10,000 times the number of private, state-run and security agency hackers exploiting their skills for good or evil. Certainly not all of them are black hat; there is also a great rise in the number of white hat and grey hat hackers. Each one of them is either protecting or attacking, and is involved in nearly every aspect of the IT industry. From a business perspective, there are too many prominent public corporate hack attacks to mention. More important are the thousands of daily attacks that are quietly covered up and go unreported.

The cloud is also not something that is protected behind some super firewall that is unbreachable. It is just another place where hackers can work, because anything connected to anything means that somewhere "in the middle" along the highway, just like in cowboy days, the packet "stage coach" can get intercepted. As one certified professional in IT security said, "we are just kidding ourselves that this is a fad that will go away because of moving applications to the cloud."

By my own research, hackers have only really attacked the "low hanging fruit", with many more serious high-level attacks to come. In other words, the easy TCP port attacks, along with DDoS (distributed denial of service), email (aka ransomware), malware and other attack schemes, are known, and there is modest to good protection. However, when you think about SIP communications, SCADA, IoT, wearables, medical implants, specific proprietary device communications and other OS schemes that haven't been seriously attacked yet, you can see that multiple layers of protection for cloud security are still needed.
Then look not just at devices but at concepts to attack, like HIPAA, SOX, GDPR and others, which can be convoluted, exposing specific types of data to hackers; there is serious opportunity for many other kinds of on-premise or cloud attacks. It's not that you will be attacked; you already are being attacked, you just don't know it, and maybe your IT security staff and others are already at work trying to stop them.

The question is, when hackers succeed, and the odds are they will: do you have a crisis strategy plan already in place to respond to it? Because the way you respond to the attack is critical in the new social media-driven news world, you may have already lost the trust of your customers. Working with one client, we worked on building a strategy process plan ahead of the crisis, so everyone knew what to do when it happened. Like a fire evacuation plan, except it is a hack attack response plan. Plan for more internal "friendly-fire" attacks, as 80% of computer crime is done by disgruntled or dishonest employees.

If you assume that there is never-ever any real security, you begin to put your business in a security-ready posture, especially as you move to the cloud. From that vantage you can analyze systems based on their security first and then evaluate them for the key business issues facing you. You wouldn't build or work in a building without fire, security, and other key protection systems, so why would you build your business without these issues addressed in cloud services? This is not saying cloud is not of great benefit or necessity to your business, but it should not be the only means to the end, or it could mean the end of your business. In other words, there is not one kind of security that will provide absolute protection from internal or external cloud attacks.

I am not convinced by any of the companies in their cybersecurity approach; this does not mean you cannot apply what you already do and plan to do in the future to protect yourself using cloud providers. The cloud is just another approach to IT and your business. You apply key skills and efforts in any form of IT; you just need to use these skills and probably new approaches to cloud cybersecurity. This may sound vague, and indeed it is, because no one really knows about the wide range of attacks that have occurred or will occur in cloud solutions.
Recently I wrote about security standards: we are increasingly faced with a new array of issues such as fake news, identity theft and impersonation, terrorism (physical attacks), cyberterrorism (internet attacks) and social issues, which challenge the company even more. By implementing a standards-based or standardized approach to both premise and cloud security issues, known today and unknown tomorrow, we can build the means to work together to respond to attacks efficiently and effectively. This approach can incorporate a growing list of other standards and other factors. From this vantage, you can see how each individual activity can be measured and standardized, which can lead to better outcomes and results for all involved from end to end. That is, be ready and forewarned, and ask the critical security questions before you move your business technology to the cloud.

In Part 3, key cloud recommendations for you to implement in 2020. I would also like to thank Telefonica Business Solutions for the opportunity to share a few thoughts with you.


andre szykier

CTO at BlockchainBTM

5 years ago

Thoughtful post but a bit sloppy. IoT and cloud are both like a fruit but are as different as apples and oranges. The biggest threats are: 1. The emerging diffusion of enterprise data moving to the cloud. IBM Z15 hardware, with its Passport ID, is an interesting security approach coupled with their Hyperledger blockchain. 2. Distributed data storage at the edge is the next target for hacks. The Web 3.0 is centerless and P2P. If you are sceptical, look at China. There are solutions using Byzantine, fault tolerant, distributed storage solutions, open source and more advanced. In that order: IPFS, SWARM, OCEANSTORE, STORJ, LACERO, UBIVAULT

Om Prakash Singh

Principal Cyber Security Architecture & Consulting || GenAI AI CGEIT CRISC CySA+ CSPA+TOGAF9 CCA CSBA CSM PPSO CBE L6σGB eTOM Watsonx IBM MS DEVO Security AWS AZ OCI GCP Oracle 9i DB2 IBM-SOA AIX Rational

5 years ago

Beautiful insights
