Perhaps the biggest challenge for today’s consumer is to find providers with high-quality products that also maintain high-quality consumer privacy safeguards in today’s cloud-driven world. That is the new standard for every company that seeks to do business while operating in the cloud. Building and maintaining a highly trustworthy organization is key to maintaining a highly satisfied consumer base.
Unfortunately, too many companies let their data security practices lapse, and without comprehensive programs they lose the good faith of their customers. This oversight risks costing the company several forms of currency, both financial and consumer trust.
Fortunately, every company with strong risk management, compliance, and controls can avoid those consequences. Let’s review how.
Why Does Cloud Risk Involve Trust?
The irony is that safely building trust in the cloud security universe requires you both to be trustworthy and to trust no one yourself.
As a leader, you need your workforce, colleagues, and the customer to trust you. They need to know that, at the executive level, your organization has thought things through and makes data security its top priority: that you’ve done your research, and that your decisions protect not only your org but the customer’s best interest as well. Customers rely on your company’s products, technology and operations to be safe, appropriate and, at a bare minimum, compliant with industry and legal standards, if not exceeding them. Everyone expects you to behave in a way that enhances their trust in you, from the choices you make to the directives you design.
At the same time – and here’s where it gets challenging – you need to be very careful about who you trust. Delegating authority to unknown or even known entities can lead to disaster.
As the person in charge of security at your company, you must display trustworthy attributes while distrusting (almost) everyone and everything around you. We know, it’s a tall order.
Blind Faith = Cloud Risk
The ‘trust conundrum’ arises from the disparity between the old-style cultural notion of trust and the reality of today’s booming e-markets and cloud-dominated industries.
The old style presumes that someone/something is implicitly trustworthy until they prove that they are not. Legacy data security programming is based on this presumption.
The new style presumes that nothing and no one is trustworthy until proven otherwise. Today’s safest data security systems assume that everyone and everything is a threat until demonstrably proven safe.
Trust is the New Cloud Vulnerability
Security-wise, too many enterprises have lunged ill-prepared into the cloud computing universe. While earnestly seeking the benefits and glories of cloud computing, they simply adapted their on-prem security practices to fit their cloud presence without understanding the pool of risks the cloud introduces, including:
Your Attack Surface Has Grown
The cloud distributes resources, Identities and data so widely that it has become a very porous environment. This makes it difficult and costly to control traffic and data. In addition, cloud computing facilitates remote workforces. Every Identity, app, and resource within that workforce now faces the threats posed in that new environment. Every home office operating within the cloud is now vulnerable to attacks entering through unprotected emails, insecure devices and computers, and gaps in local and community networks.
Third-Party Risks
Hastily approved new third-party vendors also pose challenges if their services and systems aren’t adequately protected. Their security posture is now your security posture. Your data sits in their cloud; what are they doing to protect it? Have they implemented a cloud security program or are they using outdated and ineffective security controls?
Cloud-Native Software
Utilizing cloud-native software also exposes your organization to risk. Many organizations adapt their on-prem applications to work within a cloud platform without making them truly cloud-native. Without the full orchestration of cloud-based function, performance, and security, the apps are left vulnerable to cloud-specific threats, such as misconfigurations of Identities, data sprawl, lack of visibility, lack of effective security controls, and needless bureaucracy that greatly slows everything from mean time to identification (MTTI) to resolution.
The concerns above flow from largely unknown issues that are ubiquitous within the cloud. There are further concerns that are often already known:
Insider Threats (people)
Insider cybercrime is on the rise as more employees are working with much less, if any, oversight. Research done by Carnegie Mellon’s Computer Emergency Readiness Team (CERT) reveals that insider criminal activity typically takes one of three forms: information theft, sabotage, and outright fraud. In almost every case, the crime occurs when the perpetrator has access to Identities, data and resources that are beyond the scope of their work. Often they had no access limitations, or they manipulated their way to what they wanted: your data. Even worse, sometimes an ex-employee’s access was never revoked.
Insider Threats (machines)
The Internet of Things (IoT) poses an already immense and still growing challenge. The threats IoT devices introduce break down into separate elements:
- Data collection – Each IoT device collects billions of data bits over its useful life. Without adequate protection, that data can be hijacked and exploited by competitors or cybercriminals.
- Device connections – By design, IoT devices work with other systems to provide their service. An unsecured connection between the device and the system allows anyone to access the device and gain entry to the system.
- Device communications – IoT devices also share information across networks. Again, with little or no security overlays, nefarious entities can listen in or enter the device and alter its messaging.
The critical lesson learned from acknowledging cloud-based security risks: trust no one and nothing.
Taming the Trust Conundrum with Sonrai Dig
Sonrai Security designed its platform to address these exact challenges. Its graphing technology represents all data access activity in a single portal and constantly monitors the actions of every device, machine, person, and entity that moves through it.
Because it monitors access to your company’s data and systems, you and your partners don’t need to worry about who or what you can trust; the Dig service manages that analysis for you.
Whether you think you’re protecting your data but are actually using ineffective security practices, or are simply blind to the risks in your cloud, Dig helps bring you visibility. Taking it a step further, Dig will identify potential risks and offer you the mechanisms to address them – all at the speed and scale your cloud deserves.
Make sure your data is safe from intrusions, theft, and exploitation, so that you can share that assurance with your customers. With that knowledge, they can begin to trust you and your organization – the most valuable asset.
Sonrai cloud security platform, products and services are covered by U.S. Patent Nos. 10,728,307 and 11,134,085, together with other domestic and international patents pending. All rights reserved.