Cloud security still a headache
Darrell Long, VP of Product Marketing at One Identity said that businesses are leaping before they look in the cloud 'gold rush'. "Large organisations are making rapid moves to the cloud without ensuring their data is secured in transit, and once it’s there. In 2020, there will be multiple organisations who deal with data privacy breaches and regulatory fines, as these steps are not being adequately addressed from the beginning of the move," Long predicted.
"Even with the Shared Responsibility Model and news about vulnerabilities with cloud security, we foresee many organisations failing to conduct due diligence and being burned by leaving their data insecure in the cloud. The result will be them finding out too late that proper identity governance and privileged access management practices could have been applied to data in its on-prem state and continued through the transition into the cloud."
In the Shared Responsibility Model, the cloud service provider is not responsible for customers' cloud configurations and data stored in the cloud. These are the responsibility of the customer.
Alvin Rodrigues, Senior Director and Security Strategist, Forcepoint Asia Pacific calls it being 'cloud dumb'. “Organisations will become 'cloud smart' but remain 'cloud dumb'. With greater adoption of public cloud systems, organisations will become 'cloud smart' in their digital transformation efforts in 2020. However, when it comes to securing these cloud systems, organisations will remain 'cloud dumb' as they face challenges in cloud security,” he said.
Palo Alto Networks says that users have a part to play in securing their clouds. The Palo Alto Networks Cloud Survey 2019 found that 70% of large organisations in the Asia Pacific region have misplaced confidence in cloud security, believing security by cloud providers alone is sufficient.
“There is a complicated mix of attitudes and degrees of cloud adoption across the region. But while the forecast for the cloud adoption in 2020 shows clear skies ahead, large organisations in APAC have many security tools – this creates a fragmented security posture, adding further complexity to managing security in the cloud,” said Sean Duca, VP and Regional Chief Security Officer, Asia Pacific & Japan, Palo Alto Networks.
“Cloud service vendors are responsible for protecting the infrastructure, while the onus is on organisations to protect their data by monitoring access, managing configurations, and analysing risky user behaviours,” Rodrigues elaborated.
“Organisations need to understand that securing data on the cloud is a shared responsibility with their cloud service providers. When it comes to cloud adoption, organisations need to properly understand risk, take security into consideration, and build security in from the ground floor upwards.”
[Image: Source: Rackspace. Bhargava.]
“Despite its benefits, multicloud also opens more doors to security risks. Besides providing a wider potential attack surface for hackers, multicloud can also cause organisations to be more vulnerable to insider threats.
“For instance, the increased complexity of the IT environment due to multicloud adoption might lead to poor configuration management. Having more business users using the cloud also poses a challenge as not everyone fully understands cloud security risks and knows how to mitigate them,” said Bhargava.
Bhargava pointed to a report by Symantec which found that some users may exhibit risky behaviours in the cloud such as oversharing cloud files or not storing sensitive data properly in the cloud – all of which may lead to data loss.
“To minimise cloud risks, organisations will need to have a multilayered security strategy that can provide detection, response and remediation when their IT environment is in jeopardy. Their chief information security officers (CISOs) will also need to work across more departments in 2020 to ensure that security is not overlooked when innovative solutions and new business processes are introduced,” he advised.
David Allott, Head of Orange Cyber Defense, Asia Pacific at Orange Business Services, said multicloud security is one of three things that businesses must consider when becoming cyber-resilient. “In constantly-evolving regulatory environments, multicloud services and requirements continue to grow (often mandated) and securing this cloud sprawl becomes a new challenge.
“Many enterprises are not aware of the complexities that multicloud brings, through a heightened lack of control and visibility over their dispersed cloud estate and resources. They only become aware of the complexity of their cloud environment when an incident happens,” he said.
AI security to the rescue
Allott's second pillar for cyber-resilience has to do with artificial intelligence (AI) and machine learning (ML). “The human and machine partnership is taking definite form and shape. This partnership will be critical as in time, cybersecurity may become fully automated. ML is invaluable in supporting human expertise by replacing routine tasks and AI has the ability to provide advanced detection qualification and analysis alongside remediation. The challenge with automated remediation is to ensure it’s smart enough to make decisions that will curb attacks and not amplify them,” he said.
Darktrace says that AI will be the frontline solution for cybersecurity woes. “With power plants, energy grids, and smart cities fast becoming the next theatre of cyberwarfare, the switch to cyber AI security cannot come soon enough. Capable of analysing massive data sets across all types of infrastructure, AI cuts through the noise to identify never-before-seen threats threatening our cities. And what’s more – it can autonomously contain the threat before it does any damage. As the entire world comes online, humans alone cannot win in a fight against evolving adversaries. Arming up with cyber AI has to be our first line of defence,” stressed Sanjay Aurora, MD of Darktrace in Asia Pacific & Japan.
[Image: Source: VMware Carbon Black. Kellermann.]
Long of One Identity said that things are looking up for securing AI and analytics. "AI and analytics will change the way identity governance and administration (IGA) is implemented for companies and will provide a major step in the right and more secure direction of continued governance of access to a (company) and the data it holds,” he said.
"The reason AI and analytics were not properly secured and governed in the past was due to the fact that many organisations were not aware of how to integrate AI and analytics into their security and governance programme. However, in 2020, companies are now at a point that they are more comfortable with AI and fully understand the high value it brings into the security programme and now they need to step up and secure and govern it in an effective way."
IoT – a disaster in progress
[Image: Source: Synopsys. Cipot.]
“And this will continue to be a concern as long as there isn’t a standard in which device manufacturers must satisfy before making these devices available to consumers. Smart devices are becoming an increasingly integral part of our lives around the world. In addition to standards, the evolution of these devices will depend greatly on user demand.”
"Attacks on IoT devices will have a domino effect and leaders will be challenged to think of unified cyber-physical security in a hybrid threat landscape. Cybersecurity will begin to be built into advanced technologies by design to keep pace with the speed of IoT convergence and the vulnerabilities that come with it," Josh Lemos, VP of Research and Intelligence, BlackBerry Cylance said.
“We will see more public exploits on IoT devices that will cause regulators to strengthen their position on IoT security. More global governments will introduce IoT security regulation. We will see industries come together in an effort to create standards for securing IoT devices in their industry. These efforts will be an attempt to avoid regulation,” agreed Mike Nelson, VP of IoT Security at DigiCert.
Nelson explained, “What can prevent security regulations in an industry is having members from the industry collaborate to develop standards they all agree to follow. Those standards developed by industry groups can improve the security posture of the industry in a way that regulating security is no longer necessary.”
Allott says the convergence of information technology (IT) and operational technology (OT) is the third thing that businesses must consider when becoming cyber-resilient.
“The OT security products and services market which addresses legacy industrial systems is transitioning to more connected platforms and systems with the convergence of IT and OT, enabled by the Industrial Internet of Things (IIoT). While this trend is bringing greater efficiencies and automation, it is also introducing new risks and challenges. Connected OT devices expose potential vulnerabilities within business digital ecosystems, threatening the security of data and impacting business-critical operations,” he explained.
Duca said security is often still an afterthought in product development and noted that the practice is a ticking time bomb for the IoT. “Some connected devices continue to be shipped out with no viable means of receiving software updates and security patches, leading to common vulnerabilities that can be exploited easily. This issue will be further exacerbated by the growing number of potential threats to IoT security, such as distributed denial of service (DDoS) attacks, in 2020,” he said.
“In 2020, we will see the evolution of IoT security play out in two key spheres: personal and industrial IoT. From connected doorbell cameras to wireless speaker systems, we will see a growth in attack modes coming in via unsecured apps or weak login credentials. This threat is further complicated by the emergence of accessible deepfake technology, which can pose a threat for voice- or biometric-controlled connected devices.” Deepfaking refers to technology that impersonates people.
Deepfakes to cause difficulties
Rodrigues predicts that deepfaking will become more dominant in cybercrime. “Deepfakes are getting more popular as various machine-learning algorithms are able to produce indistinguishable hyperrealistic photos and videos of people. In 2020, we can expect to see an increase in ransomware by cybercriminals threatening to leak photos and videos of individuals in compromising situations utilising deepfake technology,” he said.
“At the organisational level, deepfakes will also be used to impersonate high-level targets at organisations to scam employees by transferring funds into fraudulent accounts. In 2020, we will see deepfakes-as-a-service move to the fore as it becomes widely adopted for entertainment such as the viral FaceApp, and we can also expect to see an increase in its use for malicious intent online.
“Scammers will continue to be successful as they adjust their social engineering techniques. Organisations need to be aware of such growing sophisticated phishing attempts and bolster their security through web security and email security solutions.”
[Image: Source: LogRhythm. Wong.]
State-sponsored cyberattacks
[Image: Source: CyberArk. Lazarovitz.]
“We’ve considered the impact of stalling major transportation systems – like buses and trains – in major metropolitan areas that could keep citizens from safely getting to the polls. A sequencing of these attacks that impact core infrastructure – halting transportation, shutting down the electrical grid or launching an attack on voter registration databases – can have a domino effect and impact the ability for the voting system to operate consistently with trust and reliability,” warned Lazarovitz.
"Cyber espionage has been going on since the introduction of the internet, with Russia, China, Iran and North Korea seen as major players. In 2020, we will see a new set of countries using the same tactics, techniques, and procedures (TTPs) as these superpowers against rivals both inside and outside national borders.
"Mobile cyber espionage will also become a more common threat vector as mobile users are a significant attack vector for organisations that allow employees to use personal devices on company networks. We will see threat actors perform cross-platform campaigns that leverage both mobile and traditional desktop malware," Lemos of BlackBerry Cylance said.
Lemos revealed research about nation-state-based mobile cyber espionage activity across the four countries he listed, as well as in Vietnam. He said more attacks are likely coming in the future.
"This will create more complexity for governments and enterprises as they try to attribute these attacks, with more actors and more endpoints in play at larger scale," he said.
The neverending challenge of data privacy compliance
“Data privacy concerns are about a lack of awareness on what data is being collected, as well as a lack of visibility on how it's being used. It’s important for enterprises and individuals to note that establishing local data centres does not necessarily result in data being more secure, as we are more connected now than ever before. To manage this effectively, companies will need to regularly evaluate the information they collect and control its access,” notes Duca.
“We expect additional data privacy legislation to emerge in the region. Both Indonesia and India have been working on personal data protection bills for the last few years, although the timing for if and when these become final is unclear.”
Long said businesses could be caught out by the need to comply with data privacy legislation. "In 2020, we will see companies across all industries struggle with the integration of proactive data privacy practices and policies. GDPR and other regulations in the works will punish those organisations that are negligent around data handling," said Long.
"As companies notify customers following breaches, if it is found that proper data protection practices, such as identity governance and administration and privileged access management are not being implemented, we will see harsher punishments. We’ll see a rush from companies backtracking and working to implement the right security tools and practices after a breach."
Praveen Kumar, GM for Asia Pacific at ASG Technologies, said that the nationalisation of data privacy would impact organisations in 2020. “What tends to happen is data is being collected by a lot of private companies in every individual country, and sometimes distributed globally, depending on the type of company that exists. So if you were to take an entity that is running in the US, but has branches everywhere, it's collecting local data and sending it back to that entity there and they're all private companies that are collecting the data,” Kumar said.
“So when we say nationalisation of data privacy, what we're saying is, the government of that particular country or entity should start enforcing regulatory restrictions on what data can be sent outside (and) how much data can be used by the entities locally in that particular environment.”
Kumar said GDPR, a European act for data privacy, is a very good example of how the government has taken control of privacy regulations on data that is being collected by private entities anywhere in the world, irrespective of where they are.
Dean Coclin, Senior Director, Business Development at DigiCert, emphasised that country-wide initiatives for data privacy are preferable to initiatives at the state, province or municipality level. “Ideally, a global privacy initiative with subsequent regulation would be the most efficient but the likelihood of that happening is extremely low,” he said.
Zulfikar Ramzan, CTO, RSA suggests turning traditional models upside down by pushing the responsibility for data security and privacy onto users. Ramzan thinks it could happen in 2020, calling the concept 'BYOD', standing for 'bring your own data'.
"Although data can be a tremendous asset, it quickly turns into a liability. Organisations will consider 'bring your own data' policies. It will leverage user-owned decentralised storage, reducing the liability in the event of a breach. For organisations that do not directly monetise data, this new reality shifts the responsibility of data security to consumers," he said.
The uncertain protection of biometric data
Biometrics data used for authentication is a particularly sensitive type of data, said Adam Kujawa, Director of Malwarebytes Labs. “We see a bigger push by technology companies to develop alternative methods of authentication. This is not uncommon and will likely lead to a great dependence on biometric methods of authentication, such as using fingerprints, retinas, or walk-gaits.
“A lot of this technology is already in use for the development of surveillance and tracking operations conducted by India and China on their own citizens. In the US, we hand over our DNA in testing kits and generally don’t concern ourselves with the security of our biometric information. This is something I am worried about and have even mentioned to a few people that we may already be up a creek, because of how much of our biometric data we’ve handed over to companies who have little to no requirement at keeping that data secure or out of the hands of third parties,” he said.
It would be really bad news if biometric data were lost, but that is precisely what LogRhythm predicts will happen in 2020. Said Wong from LogRhythm, “Before we see adequate regulation and security to protect biometric data, there are going to be some unlucky people whose biometric information is stolen and used for repeat fraud. If your credit card details are stolen, you can easily change your account number. But what if your face gets stolen?
"Once that information is compromised, there’s no swapping it out. Before the industry catches up and understands how to properly protect it, we’re going to see the consequences of the increased adoption of biometrics.”
[Image: Source: HackerOne. Zander.]
Zander's parting advice for the one investment that businesses should make in 2020 is to go for backup and recovery. "If you don't have a backup and recovery process documented and tested, do that. Ransomware is still devastating banks and hospitals and governments because they never invested in security and IT, and they didn't invest in backups either," he said.