ALISON BROOKER (AB): Hybrid cloud infrastructure is becoming synonymous with enterprise IT. According to Flexera’s 2021 State of the Cloud Report, 80% of organizations have a hybrid cloud strategy. But how many of those environments are properly secure?
I'm your guest host, Alison Brooker and this is IT Availability Now, the show that tells stories of business resilience from the people who keep the digital world available.
Hybrid cloud solutions offer businesses the most customization but they're also the most difficult to manage. On today's episode, we're talking to Leon Godwin, Principal Cloud Evangelist at Sungard AS, about why a hybrid cloud infrastructure is hard to protect and how businesses can build security into their hybrid cloud strategy.
Leon, welcome to the show.
LEON GODWIN (LG): Hi, Alison. Excited to be here.
(AB): So let's dive right in. What makes hybrid cloud so difficult to secure?
(LG): Hybrid by its very nature means more than one thing. So, it's like herding sheep. You can have resources in various public clouds - Azure, AWS, private clouds on premise and colocation environments - all of which equates to having a challenge in getting a holistic view of security across multiple environments, and that can create challenges around ensuring your security posture is effective.
(AB): So what are some of the common mistakes businesses make when trying to secure their hybrid infrastructure?
(LG): Users and attackers are sort of the main thing. Users often make mistakes and so user education is a critical factor. Users can be exploited through social engineering and other means, phishing attacks and the like, and attackers are getting much more creative in how they can exploit.
If we just look at the news, we've had the Log4j, which is a Java framework that's in everything. It's in websites, it's in Minecraft the game, it's on the Mars Rover. And all hackers have to do is just drop in a URL, a sort of pre-formatted piece of text into a chat window, and they can gain remote control over an environment. And so, people think that their security and their perimeter is secure. But actually, there are many ways for either the criminal to creatively bypass that security or have users' mistakes do that for them. So, the biggest mistake is people believing their perimeter is secure. You shouldn't think of security as only stopping them from getting in. You should also think about it as what will you do once they get in? Because they're probably going to.
(AB): In what ways are these businesses most vulnerable and where are the biggest threats coming from?
(LG): If we look at the most recent study, cyber attacks have grown by 28% over the last year with ransomware probably being one of the most aggressive vectors for attacking organizations. But there are other things that are just disruptive that are annoying, like distributed denial-of-service attacks. And the other thing is using your externally facing services to attack you. If we look at June of the pandemic, lots of organizations externalized a lot of their services to support a remote workforce. And miscreants have decided to use that as an opportunity to attack because a lot of these things were deployed in a very rapid tactical fashion, but didn't necessarily have the robust security, so ransomware is one of the main attacks. The crypto mining and using that as a direct revenue generating stream on organizations' systems, which is very disruptive to their systems as it consumes all their resources, and distributed denial-of-service attacks are probably the biggest attack vectors.
So, when you have all these different attack vectors, one of the ways that organizations need to pivot is to think about the speed of innovation that is available to them in the cloud. So for example, on premise environments tend to go through a fixed procurement cycle; maybe they'll update their security devices and appliances every three or five years. Whereas within a few mouse clicks, you can deploy more modern security solutions from the cloud and it provides an opportunity to expand and improve your security posture more rapidly.
(AB): That's great. How so? Can you dig into that a little bit more?
(LG): Sure. So, the marketplaces in the public cloud offer a huge range of tooling and capabilities. And more than that, as new threats emerge, having technologies that can improve a company's security posture, and even evaluate them, are much more readily available and quicker to deploy.
I'll give you an example. One of the products that we offer is around manage, detect and respond. It provides a perimeter, but if that perimeter does get breached, it provides a sort of forensic examination to inform you of when you were breached, and therefore give you insights into when your clean data was available, so that you can then deliver a recovery practice to ensure that you've recovered a clean data set.
(AB): That makes a lot of sense. So, you started to dive into some of this, but how do organizations really build that security into their hybrid cloud strategy?
(LG): As I mentioned, just expanding on that manage detect, if you think of it as sort of four logical groupings. You've got the perimeter security, your intrusion prevention systems, your firewall systems, your network access controls and elements like that. Then you have your internal systems that are looking to detect threats, so the intrusion detection systems, detecting unusual behavioral patterns, and your security information and event management systems that are logging all the data to be analyzed, to be able to detect what's going on. And then, if and when that cyber breach has happened, you need to be able to rapidly respond and rapidly recover to minimize disruption to your business.
So, try to stop them getting in but once they get in understand how they got in, what they did, where your last clean data is, and having a recovery paradigm that will allow you to recover rapidly to a point in time, whether that be disaster recovery or backup or some other method.
And then the fourth bucket is effectively having your effective controls in place around governance. You need to be able to have a partner ecosystem that is ready and willing and able to deliver rapidly. You need to have a communication strategy, so when the command and control elements kick in, should your chief executive be communicating with the press or with other parts of the organization, what are the individual roles and responsibilities in terms of developing, maintaining and assuring that you have effective protection, identification and recovery strategies?
(AB): This is really great, Leon. I'd love to dive into each of these four buckets just a bit more, starting with the managing and protecting. I know you just gave us a pretty good overview, but I'd love to dive in a bit more starting with that managing and protecting.
(LG): Managing and protecting effectively is like your castle walls that you're trying to keep people out. That might include things like antivirus and anti-malware. This could be things like web reputation systems or intrusion prevention systems, firewalls, and you can validate those through things like penetration testing.
So anecdotally, I take part in sort of war games with like-minded colleagues and we go through exercises of trying to exploit each other's networks to detect vulnerabilities and to see how quickly we can either circumnavigate someone else's security or indeed, if you're in defensive mode, detect when someone else is trying to get in. And so that's like the chap who sits on top of the castle walls is trying to detect whether or not there are any invaders trying to breach those perimeters.
(AB): That's great. Can you dig into the identifying and detecting a bit more?
(LG): Sure. So, it's about oversight. You want to be able to see everything that's going on and you want to be able to make informed decisions about what's going on. So, if you've got a lot of systems, network devices, server devices, desktop devices, Software as a Service elements, and you can call all those log files of all the activities that are going on, and have something intelligent analyze those log files, that gives you a view of anything that's unusual that's going on.
Also, network equipment that can do things like, in fact, I was working with a customer who actually went through this just last week. They detected some strange pinging activity that was going on on their firewalls. And it turns out that their network had been breached and the pings were coming internally. It was a hacker that was trying to scan their network. But just in the action of them scanning, they detected the scanning activity going on and were able to rapidly respond. They came very, very close to a full blown cyber incident that would have been massively disruptive, but because they had the detection methods in place, they were able to lock down those systems, lock out that hacker and it didn't cause as much business disruption as it otherwise might have done.
(AB): That’s great. You mentioned there's a good chance that bad actors will ultimately break into your environment. So I assume that makes the ability to respond and recover just that much more critical, right?
(LG): Absolutely and this is a key point. Some people think that just having their perimeter secured is sufficient and having a backup is sufficient. But it's so much greater than that. And this, the cyber threats and the emerging threats, are changing that recovery paradigm. So having the ability to try to stop most of the attacks and when they do get in, having the ability to detect when they come in, how they got in so you can go and close that door. And indeed once they got in, if they've been infiltrating, say trying to load malware onto your system, being able to go back to your last known good state is absolutely critical.
So having the ability to recover and say it was two weeks ago that they came in, this is my last known date before they came in, I can recover to that point that these other systems maybe they have been compromised, but I can do a forensic examination and clean up that data and recover all those transactions that may have happened in the last two weeks. Having that capability to make informed command and control decisions about at what point you're recovering to, at what point are you looking to rescue data that may have been in a compromised state.
And part of that is having a recovery strategy that would include high availability, it would include disaster recovery, it would include backup and it would include a sort of managed recovery program. All those are critical elements in ensuring that customers have the ability to respond to threats. And unfortunately, people see this as being quite a big problem, and quite a big challenge. And it's not insignificant, but it's absolutely critical. These threats are only rising. It's not a case of if you get breached, it's a case of when.
(AB): Yeah, makes perfect sense. So the last element of cyber resilience - governing and assuring - can you talk about that a bit more?
(LG): Absolutely. There's lots of advice available online. Most government departments, most government agencies offer advice on how you can go and secure your estate. You may also be operating in a compliance framework. Maybe you're processing credit card information or you handle personally identifiable information that means you are subject to a particular international standard on compliance. And there is lots of guidance there.
Understanding what you want to achieve, what your obligations are in terms of security and compliance, and then building out a business continuity plan will help you inform what systems need what recovery and which systems would do intolerable harm to your business if they were down for a short period of time or a long period of time. Then having the strategy in place to engage with third parties. If your data has been compromised, and you need to do some kind of forensic audit or you need to do some kind of data cleansing, what have you got in terms of your supplier ecosystem that can help you with that in a timely fashion?
And then the other element, which is really, really critical, is skills and training. This isn't a one shot activity. A lot of these hacks happen because users will respond to a text message or an email that isn't from whom they're hoping it's from and it provides a backdoor for these bad actors. Reinforcing that training constantly with your users. It's not just a one time training because these threats are constantly evolving and emerging.
There's a recent activity going on where there are bots who are replying to comments on YouTube, saying that they've won such and such a product, and all they need to do is pay for the shipping. And then they’re contacting people via WhatsApp. They are getting more and more sophisticated in how they're looking to exploit users that haven’t necessarily got the education to know that this is suspicious.
(AB): Yeah, that makes a lot of sense. And I think too, businesses have a number of competing priorities, right? So what are some of the steps companies can take to make sure cyber resilience is kind of a top down business priority?
(LG): So, security is everybody's responsibility, but it starts at the board. The board needs to understand what would the impact be if their business was compromised? What would the impact be in terms of revenue, in terms of their customer and in terms of their reputation? Having understood what those impacts are, building in that strategy around the continuity, the compliance, the forensics, the skills, etc., building those in so you have a holistic security posture.
When you're adopting cloud, specifically, all of those components feed into your cloud strategy. Cloud strategy, you know, I hear it every day, “I have a cloud first strategy” but too often it’s a straight line as opposed to a set of documents that actually articulate what that specific security posture is. And having that kind of holistic approach to cyber resilience will then inform all the people, process and technology that you need to enable and deliver upon that vision.
(AB): That’s great, Leon.
Most organizations apply a hybrid cloud strategy because it offers the best of both worlds: a customizable cloud solution that's agile, scalable and economical with on premises infrastructure that can house more sensitive workloads. However, it's also more difficult to manage, so businesses need to make sure they're taking the right steps to protect it.
Cybersecurity is important, but it's not enough. You must also be prepared to respond and recover from cyber attacks and data breaches. Through holistic cyber resilience, you can be certain you're building proper security into your hybrid cloud strategy.
Leon, thanks so much for joining us today.
(LG): You're welcome, anytime.
(AB): Leon Godwin is Principal Cloud Evangelist at Sungard AS.
Please subscribe to the show on your podcast platform of choice to get new episodes as soon as they’re available.
IT Availability Now is a production of Sungard Availability Services.
I’m your guest host, Alison Brooker, and until next time, stay available.