SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
EXCLUSIVE: Microsoft CTO talks securing data in the cloud era
Wed, 4th Jul 2018
FYI, this story is more than a year old

Australia and New Zealand are two countries with some of the fastest cloud adoption rates in the world.

However, constant headlines about data breaches still leave many questioning the security of cloud platforms.

SecurityBrief spoke to Microsoft New Zealand chief technology officer Russell Craig about the security paradigm needed in the cloud era and how cloud platforms can be more secure than traditional methods of storing data.

Research shows that data breaches are going undetected for as long as 90 days - what can organisations do to reduce this number?

Figures for how long attacks go undetected range from 90 days through to over 260.

It is not possible to arrive at a single, accurate, global figure.

However, even at the lower end, these figures should be considered both very worrying and unacceptable.

In order to reduce these figures, organisations can do the following:

  • Adopt an “assume breach” security posture.  If organisations assume that they are not secure, this should then lead to greater proactive efforts to identify whether they have indeed been compromised by a cyber attacker, and also change the nature of the security model they are following, and the investments they are making.
  • Adopt a “protect, detect, respond” methodology to drive their overall security efforts.
  • Invest more in “pre-breach” activities and capabilities.  These can range from increased staff training through to software patching, and improved data and device security using things such as advanced information protection capabilities and multi-factor authentication.
Why are traditional security models not as secure as they are believed to be?

The traditional approach to security is often described as “build higher walls and dig deeper moats.

However, it is doubtful that this was ever as effective as people thought it to be, as evidenced by the fact that so many organisations are still wedded to this approach at a time when successful cyber-attacks are on the rise.

Worryingly, a very high percentage of attacks are based on use of compromised user credentials and/or user installed malware, which the traditional approach does little to mitigate.

With cloud applications generating more and more endpoints, how should organisations approach security differently?

The answer again starts with adopting an “Assume breach” mentality.

Organisational security boundaries are becoming increasingly permeable as organisations use more cloud services, and also as they integrate their information systems into a wider variety of supply and value chains, allow their staff to be more mobile, and use new technologies such as IoT as part of their business model.

Microsoft's view is that organisations should treat identity management and protection as one of the core elements of a “modern” approach to security, and focus on protecting their identities, data, devices and applications wherever they may be.

Another way of framing this is that organisations should adopt a “zero trust” approach to security.

Where does the hyperscale cloud fit into this new approach to cybersecurity?

There are two caveats – choosing the right provider, and using these cloud platforms in a secure manner (following a shared responsibility model).

If these are met, then in general, hyperscale cloud provides benefits from five major things that can lead to increased security for customers:

  • Economies of scale and scope: taking the example of Azure, we invest over US$1billion per annum directly into security, and are in a position to employ the best security engineers and researchers in the world to help us develop Azure as a “secure platform”.
  • Access to AI and ML-enabled security capabilities, based upon trillions of data points about cyber threats that we have available to us.
  • Powerful business incentives to keep our customers' data secure, which are related to the fact that the basis of our current and future business success is the extent to which customers trust us.  If we cannot secure customer data, our business would be quickly eroded.
  • Microsoft's hybrid architecture means that our security capabilities stretch all the way from traditional on-premise environments through to our cloud services.
  • Through the Microsoft Digital Crimes Unit, we conduct offensive defence. Our efforts to detect and disrupt organised cyber criminals -  especially via our botnet takedown activities – give us data and insight into the evolving nature of cyber risk that is a valuable input to our overall security programme and capabilities.
How can organisations ensure that employees are both participating and applying their security training? 

This is a perennial challenge.

Staff may begrudge training, but they will feel even worse if they have to bear the consequences of being successfully attacked which, in the extreme, could mean loss of their jobs.

International experience suggests that the best way to deliver training is in the flow of people's daily work, rather than as a separate exercise.

For example, all organisations should consider implementing internal e-mail phishing exercises (which we do regularly at Microsoft).

Another thing organisations should consider is implementing better productivity tools that both allow staff to do their jobs better and simultaneously improve overall security.