As someone who has worked for their entire career in the Managed Network Services space, if I had to pick out, over the past five years, two of the most impactful shifts in managing technology, it would be a shift from traditional, in-house servers to solutions where 3rd parties build “clouds” to provide similar business functions as well as the increased pressure on organizations to have comprehensive cyber-security strategies as threats become more significant. While some might want to call these things “trends,” I don’t think either is going to come out of focus or take a 180 degree turn anytime soon.
For most organizations, moving to the cloud makes a lot of sense, and usually, it is just a question of what specifically moves to the cloud. In 2019, we find that especially in the small/medium sized business space, most technology functions, like file sharing, email and even most applications like CRM and ERPs, can be put in the cloud. Usually (not always), this results in benefits such as reduced cost of ownership, improved uptime and often flexibility in terms of making changes in the future as your organization brings on new employees or as core applications change. But of course, before making a shift to the cloud, you should discuss the full implications of this change with an IT professional so all of the factors can be weighed before making a decision that represents a fundamental change to how you work. Chances are your plan to move to the cloud will have a few wrinkles that are unique.
Meanwhile, organizations don’t have to ask these days if they will be the target of a cyber-attack. It is a certainty. Cyber-criminals know we are reliant on our technology just to function in our daily lives. They also know that we keep precious data that we need online and that this data can be exploited either for fraud or ransom. What complicates matters even further is that as we have this trend where services move to the cloud, the work on the data is no longer just happening on someone’s PC and that the data is being constantly transmitted back and forth either to a cloud host or a 3rd party who is entitled to that data. Everything is interconnected, so the targets are becoming more numerous. For bad guys, this is simply a numbers game. Who can I exploit? Where is the weak link in the chain of data management? Imagine a pond that is so filled with fish that you can don’t even need a fishing rod. All you have to do is wait for a fish to jump into your net. That’s kind of the landscape we are looking at right now.
So I’d like for the rest of this blog to focus on what we do about these implications. I think it is helpful to shift your mindset to how you might think if you were working remotely. Fortunately, we’ve already begun thinking about some of these implications as businesses continue to create more teleworking solutions for their staff even if their core systems are located in-house. In many ways, connecting to a cloud services provider is similar.
Now, when working in the cloud, your office is basically a remote site. So the first thing to consider is how your actual devices connect to your cloud provider. Are we confident that the route your data travels from your device to your cloud is reasonably secure? At a minimum, in particular for sensitive and private information, we need to make sure that we are using VPNs and other mechanisms to encrypt traffic from one point to another. We don’t want people who are not authorized to view data to be able to spy on unencrypted data transmissions happening on the public Internet.
Next, think about what devices are actually connecting to your data. One of the big benefits, as we mentioned before, is that often cloud solutions provide device agnosticism, so end users can use their personal smartphones, home PCs not owned by the organization, their work devices and even “kiosk” devices like the PC that is located in the lobby of the hotel they are staying at for their vacation. This flexibility is obviously convenient, but it comes with security concerns.
My advice is to do the following:
- Create an internal policy defining the rules for staff. What devices are we going to allow to connect to our cloud, and what devices aren’t? What rights are the users giving up should they decide to use their personal device to touch organization data? We need to have some control that puts boundaries around this because it can’t be a free for all when it comes to device connectivity.
- For devices that are personal or mobile, implement technical security standards for those devices. Security is not optional for staff who choose to use their own devices to connect. If the “inconveniences” of things like password/authentication management, forced encryption, forced Antivirus scanning, regular vulnerability scanning and forced configuration standards are a problem for the user, well, then they can’t use their device. Specific technical standards should be discussed with a professional, but we must implement some tools.
- Users should know how to report and respond to incidents both with the IT management resource and other managers within the organization. If something is to happen, which could happen even with proper planning, our users need to know how to respond no matter what device they are using and where they are using it.
- Keep an inventory of devices that are authorized, and make sure staff is aware that changes to what personal devices they use is their responsibility to communicate accordingly. If we have an incident, knowing this information may be important for remediation or post-incident planning.
Perhaps this is obvious, but moving to the cloud doesn’t change many of the considerations we would have in a more traditional environment. It is important for your home offices to have hardware firewalls to control the flow of traffic in and out. Vulnerability testing should be done on local devices probably on an annual basis (depending on any compliance standards you may need to meet). Obviously, we need to have good Antivirus/malware software and regular patch management to make sure that vulnerabilities in things like Microsoft Windows are patched and resolved before they can be exploited. Yes, the cloud provider has responsibility for protecting the technical security of their environment, but if your devices are exploited, the cloud provider may not be able to protect your data.
The last item I want to talk about is phishing and security awareness training. It might be the most important part and the best return on investment for security. Cyber-criminals know that tricking a user into clicking the wrong attachment or sharing information with someone who is not entitled to it because fraud is an effective way of making money as a cyber-criminal. The user itself may be the biggest vulnerability that can be exploited. In my opinion, every organization must be doing this in 2019, because if staff lacks awareness, there are not enough technical security solutions out there to reduce your risk to an acceptable level.
There are certainly many more solutions and considerations as well as much more detailed discussions that need to happen when considering security management as you move to the cloud, but I hope this blog gives you a sense of where your mindset needs to be as these changes occur so you can start to come up with a cohesive strategy. Please feel free to reach out if you would like to learn more.
About the Author: Ben Schmerler is a Director of Strategic Operations at DP Solutions, an award-winning managed service provider (MSP) headquartered in Columbia, MD. Ben works with his clients to develop consistent strategies not only for technical security, but also policy/compliance management, system design, integration planning, and other business level technology concerns. You can follow DP Solutions updates on LinkedIn or their website: www.dpsolutions.com.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.