Cybersecurity
Why security needs synchronicity
By ANTONY RUSSELL, CTO at Telviva
There’s a lot of talk about cyber security – and for good reason. Barely a week passes without news of yet another high-profile breach, either in South Africa or abroad. Perhaps the biggest risk for organisations is to make a few investments and act as if the security box has been ticked. Rest assured, as soon as you tick that box, there are criminals somewhere in the world who are already working on new ways to untick that box for you.
This is not alarmist; it is a healthy dose of reality. Would you enable an electric fence and burglar bars at your home or business and assume everything is safe? Or would you maintain a security-conscious mindset and ensure that your barriers are kept up to date and that your entry and exit procedures do not present weak spots that are vulnerable to attack? It is no different in the world of cyber security.
The global pandemic accelerated the move to cloud computing. The cloud enables a type of connectedness and scalability that was previously just not possible. While public clouds do take responsibility for security on their servers, that is not the only requirement: businesses are still responsible for their own security and how they connect those servers to the internet.
The difference between on-premise security and cloud-based security is that, at its simplest, the cloud is a shared computer. In other words, if your workloads are on-prem, you are running them in your own environment. However, if you are using cloud services, perhaps in Microsoft Azure or AWS, there’s a huge amount of available hardware which is being used by many other organisations.
So your server could be running on the same piece of hardware as a large bank, for example. From this standpoint, there is a trust relationship that needs to be entered into between the vendor and the cloud operator. Put very simply, you, as the vendor, need to trust that there is not going to be any of the big bank’s “flavour” in your voice services, and the bank is going to trust that there’s none of your “flavour” in their accounting. While this may seem humorous, it is very serious and forms the foundation of the trust relationship: that your workloads are secure.
The hyperscalers have a lot to worry about in terms of security. They have the responsibility to ensure the security of that environment. This is appealing to many businesses because they no longer need to worry about the physical security that they would have to invest in, were the servers on-prem. To continue the analogy, by using the cloud provider, a business executive knows that as part of the agreement, there are two sets of electrified fences and four security guards at each gate requiring numerous types of identification before any access is granted. The business that is no longer running its own physical server does not need to worry about this anymore.
However, other than for physical security, the challenge remains the same: you’re going to need a firewall, you’re going to need intrusion protection, you’re going to need to invest in the best security tools to keep people out of your piece of the public cloud. This is critical.
You are responsible for your own security, in that if you connect a server to the internet, it is not the cloud provider’s responsibility to review how you secure this. They’ve done their part, and now you do yours by deploying the best security tools to protect yourself.
Ask the right questions
It starts by methodically analysing how data in your organisation is accessed. If you have a database with telephone numbers and credit card details, ask which programs have access to that database server and how that access is enabled. If it is damaged in some way, are you able to restore it? What about illegitimate access? If it is encrypted in some way, as in a ransomware attack, do you have an unencrypted version of it somewhere? Is there an immutable copy that cybercriminals cannot access?
Bringing the lens a little closer into your own organisation, how do you vet the people who are working for you, and what processes do you have in place to manage the level of admin access they’re entitled to? Are your processes designed with security in mind?
Conceptually, investing in IT security is not a destination. It is a daily journey. Put another way, bring a little synchronicity to your security process.
Think about your physical home. You wouldn’t simply install burglar bars and take comfort that nobody will go to the effort of bringing a crowbar. You would ensure that security is always on the agenda. The same can be said for a business – it is risky to set up a few barriers and some occasional monitoring or scanning, and then relax. People with nefarious agendas are working around the clock to find ways to exploit the system and to find back doors into an organisation that will give access to critical data.
Cloud providers have a role to play, and your business has a role to play. This starts with deploying security barriers, managing access and investing in sound backup strategies. But it will and should remain an ongoing process.