When will you be hacked? The Need for Cyber Resilience Skills.
Cyber attackers are always one step ahead of the rest of the world – they have practically unlimited means, lots of sponsorship, the ability to remain undetected during and even after causing a catastrophic disaster, and a well-coordinated network of sophisticated hackers and specialists. It is therefore in the interest of organizations and cloud service providers to constantly strengthen their risk management systems and cyber resilience posture; otherwise they will soon fall victim to the well-known adage that the question is “when”, and not “if”, they will be hacked.
One of the general characteristics of cloud computing is “Resilience”. Resilience, in general, means the ability to recover from an incident / change or adjust easily to it.
Cyber Security vs Cyber Resilience
Cyber security and cyber resilience focus on two different dimensions. Whereas cyber security takes a reactive approach, protecting critical assets and valuable information from potential threats, cyber resilience additionally adopts a proactive approach, preventing and detecting threats while also responding to and recovering quickly from any resulting incidents. This minimizes the impact in terms of service disruptions, financial losses, recovery times and possible reputational damage.
Serious limitations of traditional security methods in combating sophisticated cyber attacks, together with the dramatic rise of these attacks in recent years, have forced many organizations to reconsider their strategy for securing their overall environments. The need of the hour, undoubtedly, is to adopt and strengthen cyber resilience and not cyber security.
Cloud Services and Cyber Resilience
An example of cyber resilience is when cloud service providers implement a Disaster Recovery (DR) plan in which a primary site fails over to a secondary site, thereby maintaining high availability and business continuity. Having at least two of a kind – two virtual servers or two load balancers instead of one – prevents a single point of failure and is another example of implementing cyber resilience.
Cloud service providers particularly need to focus on cyber resilience, as their data centers worldwide host valuable information about multiple customers – the cloud characteristic of multi-tenancy. Proper segregation and isolation of customers’ resources as well as their data is highly important and necessary. Organizations that make use of private / community or a hybrid combination of cloud deployment models also need to properly plan and adopt cyber resilience.
Today, the highest risks are posed by insider threats (people), followed by poor processes, technology architecture, designs and coding practices. Add to this the rise of social engineering, mobile devices and the Internet of Things (IoT), which combine to provide more surface area for attacks and exploitation by cyber criminals. Virtualization, the backbone of cloud computing, is also prone to an emerging set of hypervisor viruses that are specific to the technology. All in all, as technology advances and life tends to become relatively easier, the security aspects become more and more challenging.
An organization or a third-party service provider today has to strengthen all its entities equally – assets, ports, networks, storage, identity access, policies, procedures, etc. – whereas the attacker just needs to scan for one flaw in any of the above to penetrate and disrupt an entire range of services for as long as possible. In addition, the attacker also has the ability to lie dormant within an organization’s system for a while, without being noticed, and then strike at an opportune moment with the exfiltration of confidential and critical information. Such attacks, commonly known as Advanced Persistent Threats (APTs), and the so-called zero-day attacks cannot be handled by traditional firewalls and other security measures.
Building Cloud Resilience
In view of the above observations and findings, how does one go about adopting the right posture of cyber resilience for cloud services or for an organization in general?
Organizations can start evaluating several frameworks and standards for preparing themselves to attain their own level of cyber resilience. Some of the currently available frameworks and standards include:
- The NIST Cybersecurity Framework
- Implementing NIST Cybersecurity Framework Using COBIT 5
- The ISO/IEC 27032:2012 standard for cybersecurity
- AXELOS Cyber Resilience Best Practices
- CCC Professional Cloud Security Manager
Though the above frameworks and standards offer lots of information and guidance on cyber security / resilience, each organization (including cloud service providers) should further tailor these practices to suit its own risk appetite and risk acceptance criteria.
Last, but definitely not least, it is of critical importance to continuously train IT professionals on cyber resilience and security to have a fighting chance against cyber attacks.
Sudhakar Nagasampagi is a 25+ year IT professional, accredited master trainer, international speaker, trainer, course author, blogger, etc. He is an active Project Management Professional (PMP) and holds the ITIL 2011 foundation certification. He currently provides training in the areas of cloud computing and virtualization, in which he maintains numerous certifications. He also provides training in IT security and cloud security. He is the lead author and master trainer for the Cloud Credential Council (CCC) Cloud Technology Associate (CTA) course.