Back in the day, the theft and loss of backup tapes and laptops were a primary cause of data breaches. That all changed when systems were redesigned and data at rest was encrypted on portable devices.
Not only did we use technology to mitigate a predictable human problem, but we also increased the tolerance of failure. A single lapse, such as leaving a laptop in a car, doesn’t have to compromise an organisation’s data. We need the same level of failure tolerance, with access controls and IT security, in the cloud.
In the cloud, all infrastructure is virtualised and runs as software. Services and servers are not fixed but can shrink, grow, appear, disappear, and transform in the blink of an eye. Cloud services aren’t the same as those anchored on-premises. For example, AWS S3 buckets have characteristics of both file shares and web servers, but they are something else entirely.
Practices differ too. You don’t patch cloud servers – they are replaced with the new software versions. There is also a distinction between the credentials used by an operational instance (like a virtual computer), and those that are accessible by that instance (the services it can call).
Cloud computing requires a distinct way of thinking about IT infrastructure.
A recent study by the Cyentia Institute shows that organisations using four different cloud providers have one-quarter the security exposure rate. Organisations with eight clouds have one-eighth the exposure. Both data points could speak to cloud maturity, operational competence, and the ability to manage complexity. Compare this to the “lift and shift” cloud strategies, which result in over-provisioned deployments and expensive exercises in wastefulness.
So how do you determine your optimal cloud defence strategy?
Before choosing your deployment model, it is important to note that there isn’t one definitive type of cloud out there.
The National Institute of Standards and Technology’s (NIST) definition of cloud computing lists three cloud service models: infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS). It also lists four deployment models: private, community, public, and hybrid.
Here’s a quick summary of how it all works through a security lens:
- Software-as-a-Service (SaaS) cloud is an application service delivered by the cloud. Most of the infrastructure is managed by the provider. Examples include Office 365, Dropbox, Gmail, Adobe Creative Cloud, Google G Suite, DocuSign, and Shopify. Here, you are only responsible for your logins and data. Primary threats include phishing, credential stuffing, and credential theft. These can be controlled via solutions such as multi-factor authentication, application configuration hardening, and data-at-rest encryption (if available).
- Platform-as-a-Service (PaaS) cloud is a platform to build applications into before they are delivered by the cloud. The provider manages the platform infrastructure, but you build and run the applications. Examples include AWS S3 buckets, Azure SQL Database, Force.com, OpenShift, and Heroku. You are only responsible for your logins and data. In addition to SaaS threats (access attacks), there is a need to secure the application itself against web app attacks. In this model, you are likely to have exposed APIs and service interfaces that could leak data if insecure. Controls include User/Role Rights Management processes, secure API gateways, Web App Security, Web App Firewalls, bot scrapers, and all the referenced SaaS controls.
- Infrastructure-as-a-Service (IaaS) Cloud is a platform to build virtual machines, networks, and other computing infrastructures. The provider manages the infrastructure below the operating system, and you build and run everything from the machine and network up. Examples include AWS EC2, Linode, Rackspace, Microsoft Azure, and Google Compute Engine. You are responsible for the operating systems, networking, servers, as well as everything in the PaaS and SaaS models. In addition to the threats targeting SaaS and PaaS models, the main security concerns are exploited software vulnerabilities in OS and infrastructure, as well as network attacks. This calls for a hardening of virtualised servers, networks, and services infrastructure. You’ll need all the above-mentioned controls, plus strong patching and system hardening, and network security controls.
- On-Premises/Not Cloud is the traditional server in a rack, whether it’s in a room in your building or in a colocation (Colo) facility. You’re responsible for pretty much everything. There are fewer worries about physical security, power, and HVAC, but there are concerns related to network connectivity and reliability, as well as resource management. In addition to threats to networks, physical location, and hardware, you’ll have to secure everything else mentioned above.
If you have a hybrid cloud deployment, you’ll have to mix and match these threats and defences. In that case, an additional challenge is to unify your security strategy without having to monitor and configure different controls in different models and in different environments. Other specific organisational proficiencies integral to reducing the chances of a cloud breach include:
- Technical skills and strategy
  - A strong understanding of cloud technology, including its deployment models, advantages, and disadvantages at the IT executive/management level.
  - A deep understanding of the operating modes and limitations of associated controls.
  - Comprehensive service portfolio management, including tracking environment, applications, deployed platforms, and ongoing IT projects.
  - Risk assessments and threat modelling, including understanding possible breach impacts and failure modes for each key service.
- Access control processes
  - Defined access and identity roles for users, services, servers, and networks.
  - Defined processes to correct erroneous, obsolete, duplicate, or excessive user and role permissions.
  - Methods for setting and changing access control rules across all data storage elements, services, and applications.
  - Automated lockdown of access to all APIs, logins, interfaces, and file transfer nodes as they are provisioned.
  - Centralised and standardised management of secrets for encryption and authentication.
  - Defined and monitored single-path-to-production pipeline.
  - Inventory of all cloud service objects, data elements, and control rules.
  - Configuration drift detection/change control auditing.
  - Detailed logging and anomaly detection.
- Adherence to secure standards
  - Guardrails to ensure secure standards are chosen by default, including pre-security-certified libraries, frameworks, environments, and configurations.
  - Audit remediation and hybrid cloud governance tools.
  - Automated remediation (or deletion) of non-compliant instances and accounts.
  - Automated configuration of new instances that includes secure hardening to the latest standard.
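As an added example (not code from the original article), here is a drift check in the spirit of the inventory, configuration drift detection and automated remediation items above: it compares a constructed inventory snapshot of S3-style buckets against an assumed hardened baseline, and honours change-control exceptions so that an intentionally public website bucket is not reported as drift. The baseline settings, bucket names and remediation action names are all assumptions for illustration.

```python
from dataclasses import dataclass

# Hardened baseline every bucket must satisfy (an assumed standard for this example)
BASELINE = {"public_access_blocked": True, "default_encryption": "aws:kms",
            "versioning": True, "logging": True}

# Constructed inventory snapshot, as a periodic export of S3-style buckets might
# report it (sample data, not from any real account)
INVENTORY = [
    {"name": "payroll-exports", "public_access_blocked": True,
     "default_encryption": "aws:kms", "versioning": True, "logging": True},
    {"name": "marketing-site-assets", "public_access_blocked": False,
     "default_encryption": "AES256", "versioning": False, "logging": True},
    {"name": "tmp-debug-dumps", "public_access_blocked": True,
     "default_encryption": None, "versioning": True, "logging": False},
]

# Deviations approved through change control (constructed): the website bucket
# is intentionally public, so that one setting is not drift
APPROVED_EXCEPTIONS = {"marketing-site-assets": {"public_access_blocked"}}

# Automated fix to queue per drifted setting (assumed action names)
REMEDIATION = {"public_access_blocked": "enable-public-access-block",
               "default_encryption": "set-default-kms-encryption",
               "versioning": "enable-versioning", "logging": "enable-access-logging"}

@dataclass(frozen=True)
class Finding:
    bucket: str
    setting: str
    expected: object
    actual: object

def detect_drift(inventory, baseline=BASELINE, exceptions=APPROVED_EXCEPTIONS):
    """Return every bucket setting that deviates from the baseline and is not
    covered by an approved exception. A missing key is drift too, so a bucket
    created outside the pipeline with no encryption record is still flagged."""
    findings = []
    for bucket in inventory:
        allowed = exceptions.get(bucket["name"], set())
        for setting, expected in baseline.items():
            if setting not in allowed and bucket.get(setting) != expected:
                findings.append(Finding(bucket["name"], setting, expected, bucket.get(setting)))
    return findings

def remediation_plan(findings):
    """Pair each finding with the remediation action an orchestration job would run."""
    return [(f.bucket, REMEDIATION[f.setting]) for f in findings]
```

Run on the constructed snapshot, the payroll bucket passes, the website bucket is flagged only for encryption and versioning, and the debug bucket is flagged for missing encryption and logging.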
Any strategy and priority decisions should come before the technological reasons. Don’t go to the cloud for the sake of it. A desired goal and robust accompanying strategy will show the way and illuminate where deeper training and tooling are needed.
How retailers must respond to life under lockdown
As businesses settle into lockdown, South Africa’s largest second-hand retailer, Cash Crusaders, offers other retail businesses that have also been forced to close some advice and recommendations on preparing for, and managing through, the lockdown. The group, which has been operating for over 20 years with over 220 stores nationwide, also offers advice on the considerations retail store owners and other businesses should make as the country begins its COVID-19 economic recovery.
Follow the rules
Ensure that you follow the rules set out by our President for the lockdown. As bitter as this pill may be to swallow, the longer-term benefits for our country and our businesses far outweigh the frustration and anxiety you may be feeling now. This is not a time to break the rules. #StayAtHome. It is a time to practise human responsibility, not to complain about human rights being compromised. Countries that initially implemented loosely managed lockdowns have had to extend them to get the pandemic under control, so strict rules from the get-go will prevail in the fight against the virus.
Secure your stores
By now you should’ve secured your valuable goods and should have ensured all your security systems are in good working order. If you haven’t already, make sure your security companies have your correct contact information. Make sure your necessary insurance cover is up to date.
Keep your staff informed
They are and continue to be your most important asset!
By now, you may have needed to investigate UIF benefits to compensate for your employees’ loss of income. The Minister of Employment and Labour, T.W. Nxesi, has recently announced measures that the Department will put in place under the current special circumstances relating to the coronavirus (COVID-19) and its impact on UIF contributors.
The Temporary Employee/Employer Relief Scheme (TERS) has been set up under the auspices of the Unemployment Insurance Fund (UIF). Employers apply for the TERS on behalf of their employees.
The TERS has two distinct advantages over UIF:
- All employees qualify for up to 3 months of benefits, irrespective of how long they have contributed to the UIF, and
- TERS will not pay any employee less than the minimum wage.
You can benefit from the TERS by sending an email to firstname.lastname@example.org. Applicants will then receive an automated response which outlines the steps you will need to take, as well as the details surrounding them, including the requirements to claim benefits. During the lockdown period, the Department of Labour will not accept manual applications; this is to reduce contact between people and curtail the spread of the pandemic. A hotline number (012-337 1997) has been created by the UIF for COVID-19 TERS benefit enquiries during the lockdown period.
Be sure to be calm when addressing any concerns with your team – they are anxious and nervous about what the eventuality of this outbreak may be.
Communicate with your bank
Make sure you’ve been in touch with your bank (as they are still operational) and discuss any loan repayment relief or postponement over the lockdown period (the banks have termed this a “payment holiday”). Work with them on a cash flow plan as once the lockdown has lifted, trading businesses will need liquid cash.
Contact your landlord
Ensure you’ve connected with your landlord to discuss and agree on any possible repayment or rent relief/payment holiday they may be able to offer you. Keep the channels of communications open with your landlord and bank – rather over-communicate than not communicate enough.
Keep communication open with your customers
The country may be on shutdown, but the internet isn’t. Communicate with your teams and customers by whatever necessary and relevant communication channels you have available to you – website, social media, PR/Marketing teams, newsletter dissemination etc.
Use this time wisely
Amidst all the chaos this time brings, there is also a silver lining. We all have time at this stage, but how many of us make valuable use of that time? Particularly when it comes to family. Business is demanding most of the time, so a forced shutdown of business gives you the time to spend with your family, catch up on overdue maintenance around the house, and have a period of rest. This lockdown period will also afford you uninterrupted strategy time. Take the time to reflect on areas of your business you can improve or evolve. Strategise ways to do things better or differently. Use the resources available via your own business network, as well as the countless online resources that are available, to work on a plan for the way forward. Consider the financial, loan and other business administration processes you have in place and look at new ways to optimise the channels and areas you’re working with or within. A host of online learning facilities offer short courses – perhaps consider upskilling yourself or members of your team by signing up for one of these too.
“These are some of the steps we’ve taken within our own organisation,” says Sean Stegmann, CEO of Cash Crusaders. “Having been in this business for as long as we have has afforded us the wealth of experience we’re able to share with our franchisees and other retail business owners to help navigate the next few weeks and recovery period,” he says. “Take it one day at a time and know that the decisions we’re being forced to make today will mean a future for us tomorrow, both in business and in health!” he concludes.
Vodacom cuts cost of smallest bundle by 40%
The country’s largest mobile operator has kept to a promise made last month to slash the price of entry-level data packages
Vodacom has cut the data price of its lowest-cost bundle by 40%, reducing the price of a 50MB 30-day bundle from R20 to R12. This follows from the operator’s promise in March, when it announced a 33% cut in the cost of 1GB bundles, to reduce prices of all smaller bundles by up to 40%.
Vodacom’s various 30-day data bundle prices will be cut across all of its channels, with the new pricing as follows:
| 30-day bundle size | New Price | Reduction |
|---|---|---|
Vodacom confirmed it will provide free data to access essential services through Vodacom’s zero-rated platform ConnectU with immediate effect. The value of these initiatives, it says, is R2.7-billion over the next year.
“Vodacom can play a critical role in supporting society during this challenging time and we’re committed to doing whatever we can to help customers stay connected,” says Jorge Mendes, Chief Officer of Vodacom’s Consumer Business Unit. “Since we started our pricing transformation strategy three years ago, our customers have benefitted from significant reductions in data prices and the cost of voice calls. Over the same period, we invested over R26 billion in infrastructure and new technologies, so our customers enjoy wider 2G, 3G and 4G coverage and vastly increased data speeds.”
The latest data reductions will complement the discounted bundle offers that will also be made available to prepaid customers in more than 2,000 less affluent suburbs and villages around the country. For qualifying communities to access further discounted voice and data deals, they need to click on the scrolling ConnectU banner on the platform via connectu.vodacom.co.za.
ConnectU – which is a zero-rated platform – also went live this week. It will provide content aimed at social development and offers a variety of essential services for free. Learners and students enrolled in schools and universities can access relevant information for free, with no data costs. The ConnectU portal includes a search engine linked to open sources such as Wikipedia and Wiktionary as well as free access to job portals; free educational content on the e-School platform; free health and wellness information and free access to Facebook Flex, the low data alternative to Facebook that enables customers to stay socially connected.
Vodacom’s popular Just4You platform has been a significant contributor to the approximately 50% reduction in effective data prices over the past two years. Substantial cuts in out-of-bundle tariffs and the introduction of hourly, daily and weekly bundles with much lower effective prices have also driven increased value and affordability, resulting in R2-billion in savings for customers in 2019.