Recently IT Brief had the opportunity to talk to Petra Smith, virtual security consultant at Aura Information Security, about cloud security and how to best approach it.
To start off with, can you tell me a bit more about yourself and your experience at Aura?
Aura is an information security consultancy with offices in Wellington, Auckland, Sydney and Melbourne. Our team consists of more than 30 consultants that offer a wide range of services – from penetration testing, physical security, virtual security officer, and staff and developer training.
As a Virtual Security Officer, I work with businesses to help them understand their security risks so they can be more proactive in protecting what’s important to them.
The uptake of the cloud has skyrocketed over the past few years. What are some of the biggest benefits of moving to the cloud?
Modern businesses need their IT environment to be flexible, powerful and reliable – and that’s where the cloud excels.
With a traditional on-premises setup, you’re limited by what your hardware and software can do. It takes a lot of time and effort to maintain that equipment and upgrade it as the business’s needs evolve. The cloud takes away a lot of those tedious maintenance tasks, which frees your IT team up for things that add value to the business.
The cloud also gives you access to the resources that you need so you only pay for what you use and can easily scale up when you need more storage, bandwidth or functionality.
However, moving to the cloud is not without risk. What are some of the biggest threats businesses should be aware of?
The risks in the cloud aren’t really different from the ones you have in an on-premises environment. The cloud by its nature means that your IT systems are connected to the internet, where you don't have the luxury of things being protected by being hidden away so that people can't find them.
But on the other hand, that’s no longer how we do business. Customers expect to be able to get to your website and do business 24 hours a day and employees expect to be able to check their emails or work from anywhere at any time.
Popular cloud services like Office365 and G Suite are an appealing target for phishing campaigns – they can keep trying the same technique over and over until it works. You can’t afford to treat cybersecurity as “just an IT problem” in the cloud. Everyone in the business needs to know how to choose strong passwords, use multi-factor authentication and spot common scams.
What are some of the biggest misconceptions in your opinion surrounding cloud security?
A lot of businesses who are new to the cloud expect it to be just like a data centre. In a traditional environment, security is about control. You can control who has access to your equipment, you control what it’s made of and how it’s configured, you control who’s allowed to do what. In the cloud it’s different.
In a cloud environment, security responsibilities are shared. You’re responsible for deciding what protection your data needs, and who should be able to access it. The cloud provider is responsible for keeping their facility and the physical equipment secure, and depending on the service they might take care of patching the software and keeping your data backed up, or leave that up to you.
Don’t just assume that your provider will take care of everything for you. Do your research and find out what they do to keep your data secure, and what parts you still need to look after yourself.
What are some cloud security best practices in your opinion?
I think the single best thing that any business can do is start off with a plan.
Whether you're going to start with just one small project, like your public facing website, or if you're going to move your whole file storage, email and your business systems to the cloud, start with a plan for what you're going to put in there, what systems that's going to interact with, who's going to need to use it, and how they're going to use it. Then take that information to work out what level of protection you're going to need, and shop around for the right provider.
Security isn’t something you can just set and forget, so make sure you’ve got a clear idea of who will be responsible not just for setting things up correctly, but also for carrying out the day-to-day responsibilities like patching and monitoring your environment.
On top of that, education is vital as well. When you're moving from a tightly controlled environment to the flexibility and freedom of the cloud, it's key that everyone in the business understands security risks and has the knowledge and skills to work safely.
Threats are on the rise, and security is something that can be complex and challenging to manage yourself. Sometimes, it’s best to call in the experts to help keep you on track. They bring an outsider perspective and are often better placed to provide insight and guidance when it comes to where, and how much, your business needs to improve its cyber posture.