December is traditionally a time when IT pros try to make sense of the past 12 months to help better prepare their organisation for the year ahead. But when it comes to 2017, where do we start? From the global WannaCry and NotPetya ransomware campaigns to revelations of mega-breaches at Yahoo (3bn), Equifax (146m) and Uber (57m), IT security professionals have hardly had time to draw breath.
Well, here’s the bad news: as we head into 2018, all signs point to cloud systems coming under even heavier fire. This is increasingly where the frontline will be drawn in our never-ending battle against the black hats.
The cloud attracts criminals
Cyber-criminals are agile and determined, but in one respect they’re pretty predictable: where there’s money to be made and users to compromise, they’ll surely follow. Barracuda Networks research from earlier this year revealed that over a third (35%) of the average EMEA organisation’s infrastructure is currently in the public cloud. This is predicted to rise to half in two years’ time and then to more than three-fifths (62%) in five years. But as more and more firms put business-critical apps in these environments, the risk grows that sensitive corporate data and regulated customer PII will be compromised, or that systems will be taken out by ransomware.
In fact, 60% of firms in the region told Barracuda Networks they’d already been hit by a cyber-attack, and over a quarter (26%) said they think it will happen in the future.
The threats are amplified by new cloud-driven application architectures such as serverless and containers. Over half (56%) of organisations now operate with a cloud-first mentality when it comes to deploying new apps and managing workloads, according to Veritas. But in the race to develop these agile software components and fuel the digital transformation revolution, organisations may be forgetting to secure them. A recent Enterprise Strategy Group study found that 31% of firms are unable to maintain security as their cloud and container environments grow.
The best way to counter these threats is by building security into the application lifecycle as “far left” as possible, via web application firewalls (WAFs) and other tools which offer API support to DevSecOps teams.
Big GDPR fines in store
However, there are some cloud security challenges which are not easily remedied as we head into 2018. SANS Institute director of emerging security trends, John Pescatore, claimed recently in his predictions for the year ahead that cloud IT teams are “understaffed and underskilled”, exposing organisations at precisely the time when they’re pushing more and more critical data into these environments. He added:
“While the top tier of these services is designed and managed with security in mind, the promise of cost reduction means enterprises are not investing in the skills and tools required by IT operations to safely manage the cloud.”
This is already abundantly clear from the number of organisations in 2017 that have suffered embarrassing public data leaks because of simple misconfigured cloud databases. Big names such as Time Warner (4m customers), Verizon (6m), WWE (3m), Accenture and even the US Department of Defense have all been found wanting in this area. In many cases, the affected organisations blamed third-party contractors for the privacy leaks. It’s an excuse which will not move European regulators enforcing the GDPR after 25 May 2018.
In fact, we’re more than likely to see some big-name fines next year as organisations struggle to come to terms with the implications of the EU’s sweeping new privacy laws. US firms are particularly at risk as many may not be aware that they have to comply if they hold or process data belonging to European citizens. Both processor and controller are liable under the new regime, meaning cloud providers must also be ready for the May compliance deadline.
Get the basics right
If the past 12 months have taught us anything, it should be the importance of following best practice, tried-and-tested security advice. By some estimates, there were 15,000 vulnerabilities disclosed in 2016 alone, and the number could be even higher this year. Failing to patch cost the NHS dear after it was hit by WannaCry, leading to an estimated 19,000 cancelled operations and appointments. Equifax will also be ruing its inability to locate and patch a known flaw, which led directly to a massive breach at the firm.
A comprehensive patch management program is essential if organisations are to stay safe in 2018. Virtual patching, enabled by WAFs, is also a good way to keep systems secure if they can’t be immediately patched — for example, if they’re running legacy systems or patches have yet to be tested.
Finally, security best practice now demands that organisations move away from static passwords towards multi-factor authentication to protect both customers and internal accounts. If Uber had done so, its Amazon repository containing the personal details of 57 million users might not have been compromised. The discovery of a searchable database of 1.4 billion breached credentials this week — complete with examples of trends in how people set, change and reuse passwords — should be a wake-up call to organisations everywhere that passwords are no longer fit for purpose.
The coming 12 months need not be a cybersecurity disaster as long as firms follow best practices and appreciate the greater scrutiny their cloud environments may come under from hackers. Ultimately, securing the cloud is a shared responsibility: so make sure you do your bit in 2018.
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work.