The renewed focus on digitalisation & hybrid working means cloud is the new normal. We consider what that means for your cyber security approach.
The renewed focus on digitalisation and the hybrid working arrangements that have emerged from the pandemic period have accelerated most organisations’ journey towards cloud computing in one way or another.
Cloud is increasingly the de facto choice for applications and data these days. According to research by Gigamon, 43 percent of organisations are now making use of multiple public cloud and multiple private cloud instances. Some 89 percent are embracing a multi-cloud strategy.
Of course, this brings its own complexity and security challenges.
Proofpoint’s The Human Factor 2023 report found that 94 percent of cloud tenants were targeted every month.
What’s more, worryingly, there is a gap between malicious cyber activity and business leaders’ perception of it. Gigamon has also found that half of the business IT leaders it surveyed were “confident” or “completely confident” they are sufficiently secure across their hybrid cloud infrastructure from on-premises to cloud. Yet of those, 90 percent admitted to having experienced a breach in the last 18 months.
The company says this is proof of a “significant disparity between how secure organisations believe their hybrid cloud infrastructure to be, and how protected their data truly is.”
Of course, it is never “one size fits all” when it comes to cyber security. Different clouds will require different security approaches.
The risks and approaches will vary greatly between:
However, some of the controls will be the same. The UK’s National Cyber Security Centre (NCSC) points out that single-sign-on solutions (such as Microsoft Entra ID), multi-factor authentication, secure administration and the use of trustworthy devices (ensured through policies in your device management tools) will be essential principles of all your cloud security.
Earlier this year, it issued new cloud security guidance to encourage organisations to ensure they take a robust approach to cloud configuration – for both SaaS applications and cloud platforms. It has separated out its advice for each cloud model:
The NCSC cloud security guidance is built around 14 principles.
These are:
The NCSC provides much greater detail into all these principles on its website. You should familiarise yourself with the detail so that you are confident discussing them with your cloud service provider.
However, while this advice is a fantastic starting point for shaping your organisation’s cyber security approach to software-as-a-service apps and platform-as-a-service and infrastructure-as-a-service cloud services, it does overlook one important cloud-based threat. Whether you class social networks as shadow IT or not, it is likely some of your users are accessing them via your organisational devices or, at least, the devices they are also using to access your cloud apps and services.
Gigamon has found that only 60 percent of global enterprises have banned the use of WhatsApp due to cyber-security concerns, although this figure does rise for other social networks. The survey found 100 percent of business IT leaders expressed concerns about TikTok and the Metaverse – although not all had blocked them.
Newer cloud services are even lower on the radar. The Gigamon survey found that only 24 percent of global enterprises have banned or are looking at banning Chat GPT. This is, perhaps, one overlooked area that should be considered within your overall cloud security strategy.
If you would like more information about any of the concerns, approaches or cyber-security principles discussed in this article, please reach out to our team.
Call us: 0808 164 4142
Message us: https://www.grantmcgregor.co.uk/contact-us
Further reading
You can find more ideas and advice about cyber security elsewhere on the Grant McGregor blog:
• New changes to Cyber Essentials for 2023
• Is your business data at risk? Don’t take chances with old tech!
• What is a watering hole attack? And how can you protect against it?
• AI’s new role in cyber security
• Is your organisation doing enough on supply chain security?
• What can we learn from the Capita data breaches?
• Do your backups include this important information?
• Tips for successfully implementing a zero-trust approach to cyber security