Analyst Chat

Analyst Chat #145: How Does Using Cloud Services Alter Risk?

The question whether using a cloud service alters risk is not simple to answer. Mike Small sits down with Matthias and explains that every organization has its own set of circumstances, and the answer needs to take these into account. He explains the important factors to look at, and what organizations should understand when assessing their risks in a cloud and hybrid world.

Cybersecurity Leadership Summit takes place on November 8 – 10 in Berlin and online. Join us there.

Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth, I'm Lead Advisor and Senior Analyst and the Director of the Practice Identity and Access Management here at KuppingerCole Analysts. My guest today is Mike Small. He has been a Senior Analyst with KuppingerCole for a long time, and he's covering the area of cybersecurity from the UK. Hi, Mike. Good to have you.

Hi, Matthias. Thanks for inviting me.

Great to have you. This episode will be part of October 2022 being the Cybersecurity Awareness Month, and we will cover this month with episodes on cybersecurity, on more tangible recommendations on what cybersecurity in practice looks like. And today we want to talk about the cloud and using cloud services, and what the impact of cloud services is on risk and cybersecurity. And to start with a question to you, Mike, does using a cloud service affect an organization's risk?

Okay. Well, a lot of people ask the question, how does using the cloud alter risk? And I'm afraid the answer I always give is, "It depends." For some organizations, using the cloud provides a massive reduction in risk, and for others it may not. And so we have to actually look at this and dissect it in some more detail. So I often say that risk is a four-letter word, that different people mean different things when they use that word. And at a business level, there are really three or four important things that organizations are concerned about in terms of cyber risk. At the top of most organizations' minds is compliance and failure of compliance. And when you look at the worldwide growth in regulation around IT services, complying with all of these regulations is becoming an increasing problem. And many organizations feel that their own IT systems are under their own control and so they feel they can be compliant. Clearly, one of the major reasons why people fail to comply with regulations is because of data breaches. And once again, there is a feeling among many organizations that if they have physical control over their data, that places them better to make sure that it doesn't get lost or stolen. And finally, there is the question of business continuity. And here is where it becomes more complicated, because the growth of ransomware means that wherever your data is, the cyber attackers are going to try and deprive you of access.
However, there are lots of other ways in which you can fail with business continuity. And so let me give you an interesting example to do with business continuity, a small organization that we came across, which was a group of professionals who offered very high-value professional services. It required them to hold a lot of very sensitive data, but they did not have the wherewithal, they did not have the size to have a data center. And so they were holding all of their data, and all of their IT systems were running, in an office above a shopping mall. And the stories that came back around this would have made your hair stand on end. This was a local-government-owned property, and they would periodically rent the whole area out for pop concerts over the weekend. And so if you wanted to come in on a Saturday night to check on your IT systems, you would find you couldn't get past the bouncers. They had no control over the sprinkler systems, so that if there was a fire or if something happened, the sprinkler systems would in fact destroy all their computers.
Now, so for that small organization, they went through a soul-searching exercise which eventually led them to the conclusion that really, from the point of view of their organization and their particular circumstances, they were going to have a much lower level of risk if they were to use a well-secured cloud service, because cloud service providers have good data centers, they have multiple data centers, they have multiple power sources, multiple communications connections, and they have the skills and the knowledge to build that infrastructure very, very securely. Now, on the other hand, if you wanted to have physical control of your data, then that may not be the right solution. And so that kind of leads you on to this question of confidentiality of data. Now, does moving to the cloud mean that your data is more or less well protected? And the interesting thing there is that what has happened really is that concerns over legislation and the law are what has risen to the top, that in certain parts of the world, the governments demand that your data is processed within their jurisdiction. And so particularly in China and places like that, that's a particular problem. Now, the Schrems II judgment, which came out just over 18 months ago, is something that focused people's minds in Europe on the difference between the laws regarding personal data protection within Europe and those within the US. And so the Schrems II judgment recommendations hinge all around whether or not your data is being held and processed in a jurisdiction that has similar controls over governmental access to that data to those that are in force within Europe. So what you mean by privacy and confidentiality has become dominated by effectively legal considerations and understanding of the legal situation around that.
So basically, the holder, the collector of the data, your organization, is really responsible for looking after it and making sure that it is held in a way that is compliant and that it is protected against the risks that you might foresee.
And so irrespective of whether it's on your premises, in a data center or in the cloud, it's basically down to you. And so if it is sensitive, if it is of concern, then you have to take steps. And that ultimately means things like encryption and keeping control of the keys and making sure that you have adequate and strong access controls. Now, one of the things that seems to have been forgotten, among all the things that we learned when I was a lad, which was that most computer systems are very unreliable and certainly most data recording systems are, was that you have to make allowance for the fact that your data may be corrupted or lost through unforeseen circumstances. And this has been made more and more of a problem with ransomware.
Now, the challenge here is how do you ensure not only the resilience of your infrastructure, but the resilience of your data? And even if you are an organization that doesn't really think that data is the main thing in your life, you may find that you need data in order to keep your processes running. And this is what ransomware has focused on. Ransomware recognizes the fact that organizations are really critically dependent upon their data. And so they will pay a lot of money if you can deprive them of access to it. Now, in that respect, it isn't really clear to me that the cloud makes much of a difference one way or the other. Some people will say, "Well, because it's in a public cloud, it may be more publicly accessible." But then the means of access that ransomware regularly uses is not actually based on vulnerabilities in the public cloud, but rather upon vulnerabilities in the people within the organization, through phishing attacks, through things of that nature.
And so the much-forgotten part of all of this is that you really, really ought to have data resilience through backup and recovery. And backup and recovery, which was sort of the pauper, the poor prince of IT, that has fallen out of fashion because of all the wonderful things to do with containers and Kubernetes and so forth, really is making a big comeback. And not only that, but the interesting thing that the cloud providers now provide is a way of getting hold of an air gap without an echo. They provide things called immutable storage, which are effectively based on write once, read many. Once you have written your data, you cannot have it overwritten. And so the cloud actually provides the capabilities for a really, really good secure system for backing your data up.
Now, the next really important area is to do with who can access anything, whether you are using the cloud or on premises. Identity and Access Management is fundamental to security. And we've all known that for many years. And it suddenly reinvented itself under the heading of Zero Trust, because one of the things that has happened with the complexity of the infrastructure that we now depend upon is that many resources that we depend upon are, in fact, virtual. So your server is no longer something that you can actually pick up and carry away with you. But it's an ephemeral instance that runs on premises or in the cloud, and all of the devices and all of the pieces of network that want access have identities that need to be controlled. Now, one of the problems with the cloud is that because people don't have, or organizations don't have, a comprehensive identity governance system that covers all the ways their services are delivered, cloud access can fall down a crack. And so the thing that really comes out of this is that you need to have comprehensive access governance that covers all of your IT services, however they are delivered, whether they're on premises, whether they're in the cloud, or whether they are in a data center. And as an interesting sort of subset of that, one of the most critical things is privilege management.
And so, again, what happens is that we all knew that you had to control root, because root was the master that had to be obeyed. But now cloud services, and indeed virtualized services in general, have administrators, and those administrators become the target of an attack: why try to break your way into an AWS or an Azure or an Office 365 through brute force when you can con your way in by pretending that you are an administrator and give yourself the keys to the kingdom? And so it really is essential, if you are using the cloud, to manage privilege as strongly as in all the other ways, and deal with all the things like orphan accounts, workflows to gain privilege and so forth. And one of the interesting things that comes from the dynamic environment through virtualization in the cloud is the notion that the artifacts the cloud depends upon have privilege. For them to be able to run and manage in the cloud, they have to have privileges, and you have to control them. And indeed, the famous Capital One breach: one of the steps in that breach was in fact a failure to manage the privileges that the EC2 instance had, so that through a misconfigured firewall someone was able to get in and then exploit the privileges that an EC2 instance had in order to get and decrypt data from S3 storage.
Now, at the end of the day, the benefit of the cloud, and the benefit that was put forward by the cloud providers at the very beginning, was simplicity. They take off many of the jobs that you have to do in order to run your IT services, and they can do them better than most organizations can. So, in a sense, if you just did everything in one cloud, then you have reduced complexity. However, most organizations don't just have one cloud. What they have is an unholy combination of things: things on premises, things in data centers, things in different clouds, and that leads to complexity. And interestingly, I was running a webinar with a risk management organization only yesterday, and one of the polls that we ran was about what was the major concern of people within the use of the modern hybrid cloud, and complexity topped the bill. Because if you just had one set of knowledge for one set of servers, then that was hard enough. Now you have on premises, you have virtualized environments, you have things like Nutanix and so forth, software-defined infrastructure. Then you have multiple cloud services, some of which are software as a service, some of which are infrastructure as a service, some of which are platforms like cloud databases, and everyone's different. And so what is happening is that what was meant to make things more simple has actually made things more complex.
And that is why we in KuppingerCole are promoting the idea that whilst you cannot do away with all of the tools and different things you need to deal with this, what you need is a fabric within which to orchestrate and control all of these different things, in order to bring them into a situation where you can actually see what is happening and ensure that you have a consistent application of policies all the way across this, just like our identity fabric.
And it also gives you the final thing, which is the problem of transparency. If we come back to where we started off, which is to do with compliance, in order to know that you are using your services in a way which is compliant, you really have to have transparency about what controls there are, what data you hold, what things you are doing, and whether or not the controls and the way that you are protecting your systems are in fact operational and indeed effective. And so this complexity adds a level of obscurity that is even worse than it was before. And that is another reason, another very important reason, why you need to have this notion of a security fabric to bring all of your cybersecurity together. So I hope that rather long-winded answer has perhaps answered your question, Matthias.

Yes, absolutely. And I think it also showed the complexity of the topic itself. So the different dimensions that you mentioned are of importance. And when I talk to our end-user organizations as customers, they are often very much not aware of how to achieve this transparency that you've mentioned. It's always this, as you said, a bit of an obscurity. What does it mean that this cloud service provider processes and stores and manages the data on behalf of me, of an organization? But how do I get this insight into what's going on in there? And again and again, in the end, it's paper, it's contracts, it's SLAs, it's understanding how they do it. And it's maybe even assessments by trusted third parties that do this on behalf of the contractual partners to make sure that this transparency is available. But not many organizations have yet fully understood what that actually means and how to apply these security principles, these governance controls, to a cloud platform. And as you said, just because you add several clouds does not mean that on-premise and hybrid goes away very soon. So I see this added complexity as well. So no simple answer, and yeah, thank you very much for your answer. So we are approaching the Cybersecurity Leadership Summit in Berlin in November. I know that you will be there. Will the cloud and cloud security be an important topic there as well?

Oh, yes, I'm sure that it will be a major topic at this conference, because so many organizations are now using the cloud and the opportunity for people to attend the conference gives them a way not only to listen to presentations, but rather more to hear through panel discussions and so forth, how their peers are solving the same problems that they themselves have within their organization, and also what it is that the vendors have to offer them to bolster their defenses.

Absolutely. I think the name already gives a hint that this is one of the important roles of this event. It's a Leadership Summit. And that means exactly this exchange of information beyond what we can provide as an analyst company, beyond what the individual speakers can provide in their keynotes. It's really about exchange of information, about learning from your peers, interacting with your peers, and maybe returning home with a set of new partners to use as sparring partners for improving your own security infrastructure and your security posture. You will be there. I will be there. And I am looking forward to meeting many more people from our organization, from the speakers, but also from around the world who can benefit and contribute to such an event. And any final words that you would like to add before we close down?

No, I think the main thing is that the best approach I can suggest to you is to either attend the Cybersecurity Leadership Summit in person or to attend it virtually because it is a hybrid event. And in that way, you will be able to benefit from the accumulated knowledge of your peers in the industry. Thank you.

So, save the date, 8th to 10th November, in Berlin and around the world, because it is virtually everywhere in a virtual form. So thank you very much, Mike, for sharing your insights into cloud and what that means to risk. And I'm looking forward to meeting you in November in Berlin. Thanks, Mike.

Thank you.