Australia and New Zealand are two countries with some of the fastest cloud adoption rates in the world.
However, constant headlines about data breaches still leave many questioning the security of cloud platforms.
SecurityBrief spoke to Microsoft New Zealand chief technology officer Russell Craig about the security paradigm needed in the cloud era and how cloud platforms can be more secure than traditional methods of storing data.
Figures for how long attacks go undetected range from 90 days through to over 260.
It is not possible to arrive at a single, accurate, global figure.
However, even at the lower end, these figures should be considered both very worrying and unacceptable.
In order to reduce these figures, organisations can do the following:
The traditional approach to security is often described as “build higher walls and dig deeper moats.”
However, it is doubtful that this was ever as effective as people thought it to be, as evidenced by the fact that so many organisations are still wedded to this approach at a time when successful cyber-attacks are on the rise.
Worryingly, a very high percentage of attacks are based on use of compromised user credentials and/or user-installed malware, which the traditional approach does little to mitigate.
The answer again starts with adopting an “Assume breach” mentality.
Organisational security boundaries are becoming increasingly permeable as organisations use more cloud services, and also as they integrate their information systems into a wider variety of supply and value chains, allow their staff to be more mobile, and use new technologies such as IoT as part of their business model.
Microsoft’s view is that organisations should treat identity management and protection as one of the core elements of a “modern” approach to security, and focus on protecting their identities, data, devices and applications wherever they may be.
Another way of framing this is that organisations should adopt a “zero trust” approach to security.
There are two caveats – choosing the right provider, and using these cloud platforms in a secure manner (following a shared responsibility model).
If these are met, then in general, hyperscale cloud provides benefits from five major things that can lead to increased security for customers:
This is a perennial challenge.
Staff may begrudge training, but they will feel even worse if they have to bear the consequences of being successfully attacked which, in the extreme, could mean loss of their jobs.
International experience suggests that the best way to deliver training is in the flow of people’s daily work, rather than as a separate exercise.
For example, all organisations should consider implementing internal e-mail phishing exercises (which we do regularly at Microsoft).
Another thing organisations should consider is implementing better productivity tools that both allow staff to do their jobs better and simultaneously improve overall security.