Introducing May's Cloud Security Champion
Congratulations to Sarah Collins, Solution Architect at Fujitsu, for being selected as techUK's Cloud Security Champion for the month of May. Sarah is also a Fujitsu Distinguished Engineer.
The purpose of techUK’s Cloud Security Champion campaign is to celebrate the work of UK cloud security specialists in helping build a culture of trust and confidence in cloud computing and showcase how they are supporting organisations to adopt, deploy and use cloud services securely. This is also an opportunity to learn from those working in cloud security about the current threat landscape and examples of the strides being made in enhancing security.
A new techUK 'Cloud Security Champion’ will be chosen every month, so if you would like to nominate a friend or colleague to be the next Champion please drop us a line.
What are your current responsibilities and what does a typical day involve at Fujitsu?
I work in pre-sales as a solution architect for cloud and digital, looking at ways to help our customers in Defence and National Security adopt and thrive in the world of cloud at higher security classifications. A typical day in pre-sales is varied; it includes responding to customer requests, evolving cloud strategies, and keeping up to date on current innovations and threats pertaining to cloud and how they can be exploited or mitigated for our customers.
What do you most enjoy about your work?
The ever-changing nature of the landscape. No two days are the same and the technologies are evolving so rapidly that the rate of change has never been so challenging to keep pace with.
Why is cloud important to the UK’s economic growth and what does the future hold for adoption and maturity of cloud in the UK?
Cloud enables businesses to focus on what they do best – their business – and allows cloud providers to do what they do best. This results in businesses being more effective at achieving what they set out to do for their customers and shareholders. Innovators can now easily access IT through cloud; all they need is a credit card and an access device and they’re off, so new ideas can create new markets at speed.
Case studies show that the flexibility, computing power and security of the cloud not only allow companies to react to the unexpected (a global pandemic), they also make entirely new types of business possible. For example, online education businesses like Firefly can ramp up their resources during exam season, or a fantasy sports platform like FanDuel can meet the rush of a game day. It allows a visual effects company like Milk to access enough raw computing power to simulate an ocean, or supports AI specialists Faculty in solving the problems of clients ranging from the BBC to the NHS. Computer Weekly reports that the UK economy could grow by £232bn over the next 2 decades due to investments in digital tech. They perceive that major trends in flexible working, digital delivery of services and richer data from AI and analytics will drive the growth, all of which will rely on cloud to provide the flexibility to scale and adapt. So whilst most of the changes have been driven in part by COVID and lockdowns, it’s cloud that enables them.
In an environment which has highlighted the need to work remotely and differently to the ways we have worked before, the ability to consume and expand into cloud has proven essential to keeping the economy going. The future will see greater cloud adoption, with consumption-based computing being the natural course of technology adoption. This is always tempered by those organisations that are unable to fully embrace public cloud because of the nature of their data and their security posture. For these organisations, an on-premises cloud service will provide them with an experience with the look and feel of the public cloud but in a location that satisfies their security requirements. It is possible for these organisations with data at higher classifications to consume services from community cloud providers, where the service is offered from a location with an appropriate level of security and each organisation has its own tenant in that cloud. This approach does require the organisations to share the same security posture. The increase in uptake of edge/distributed/satellite cloud services means that services at remote locations need to be considered with the same stringency as other cloud services.
In the future it is possible that data at some of the higher HMG classifications will be hosted on public cloud. We have seen the technologies available to public cloud services become more secure over the lifetime of cloud and it is therefore not unreasonable to predict that this will lead to workloads with data classified at above OFFICIAL being hosted in the public cloud. The technology to do so is coming.
Would you agree that the conversation about cloud security has shifted and cloud users increasingly recognise the security benefits of cloud services?
Yes, the impact of security on users has become more real in recent years. The prevalence of social media has raised the profile of security threat impact through users being directly impacted by cyber attacks such as the Twitter attack. Even though some of these attacks don’t impact the security of cloud services themselves, they highlight the vulnerability of internet-based services to the average user.
Small and medium-sized businesses do not usually have the skill or budgets to employ SQEP Infrastructure, Network and Security Consultants or to implement a defence-in-depth approach using the latest next-generation security products. Also, the cloud hyperscalers provide a global service, allowing them to tap into vulnerability and threat data as it happens in each time zone; highly skilled security operations staff use the latest technology to identify these threats and determine an appropriate response. These are services that few organisations have the resources available to achieve effectively.
What are the key security concerns affecting greater cloud adoption and how can these issues be addressed?
Responsibility – who takes care of what for each of the different cloud services? Who is accountable when things go wrong? Protective Monitoring relies on the sum of all parts. However, the shared responsibility model coupled with multi-tenancy means that not all the logs can be made available. To investigate a breach without access to the end-to-end information may mean pertinent information is not available.
Identity – how do we authenticate and protect users’ identities in the cloud? One of the greatest threats to cloud security is the human element. Using passwords to authenticate is becoming increasingly unreliable and MFA has yet to be widely adopted. Many of the recent cyber attacks have been found to originate from social engineering/insider threat, so mechanisms to protect users from handing over credentials to hackers are essential.
Access control and data security – does the cloud provider have access to client data and how do they independently assure that they don’t? The use of cloud means that hardware is shared with other tenants, which limits the invasiveness of a penetration test because the risk of impacting the other tenants outweighs the benefit. You are therefore reliant on trusting the cloud provider to have implemented the security controls they claim.
Legal Compliance – the UK has strict Data Protection legislation, which impacts the use and adoption of USA and other overseas cloud provisions.
More SQEP Cyber Security Professionals – currently the lack of resources enables SMEs to acquire higher salary rates. Simple supply and demand shows that with more SMEs, the salary rates will reduce, making Cyber Security Professionals more accessible to the wider marketplace.
What steps should organisations take to adapt their cloud security posture to the rapidly changing online environment?
Key to a cloud security posture is the understanding of the business requirement, the security risks and the mitigation required to address these risks to within the business’s risk appetite. It is not sensible to hold risk where the technology does not provide for the business requirement.
Organisations must consider the value of their data and weigh up the confidentiality, availability and integrity aspects of the data when assigning controls/mitigation.
Organisations need to engage with the cyber community: start by reading the NCSC Cloud Security Principles and standards including ISO27001 and 27002, then gain some experience either by becoming a specialist, hiring the services of one or partnering with organisations that fit well with their business needs. The NIST and Cloud Security Alliance guides are readily available; however, these are quite involved and may need a cyber expert to interpret and help implement. To bolster knowledge there are both paid-for and free training courses, plus a plethora of material from experts via YouTube channels and tech events.
The benefit of cloud is that new services can be stood up rapidly, which means that being able to consume and/or deploy new cloud security services has never been easier. However, no organisation should rest easy knowing that they deployed the latest thing 2 years ago so all must be well; they need a strategy to ensure that they can be on the front foot of the threats relevant to their business and the technology underpinning it.
How can the cloud market equip organisations with the understanding, skills and knowledge to make the right cloud decisions for now and for the future?
Currently there is too much information and it is not always the right information. The information is very much marketing/sales orientated and includes a lot of jargon. Organisations need cloud providers to use simple language and their significant understanding of cloud to highlight the risks and benefits and guide them to procuring a cloud that provides the required protection. The cloud market can help dispel the myths and highlight the facts using their breadth of presence in digital media bolstered by their expertise. Using digital media to explain in simple terms the impact of threats and what tools can help will enable businesses to gain insight. This can be backed up by using the NCSC Cloud Security Principles and other cloud standards. The next step is to identify how businesses can engage with cloud cyber professionals and try to break down the idea that security is niche, difficult and expensive.
The hyperscalers have their own security products available as a service, a marketplace full of third-party products and best-practice papers on how to implement a secure cloud environment. This can provide the introduction into keeping cloud safe, which can then be enhanced with webinars on how these tools and designs can be used to fight threats that have been recently brought to media attention. It is important to make security relatable to the business. No one wants to think that they are being hacked or have suffered data loss, but it is essential for businesses to understand that there are two types of business when it comes to security: those that think it will not happen to them and those that know they are under attack and want to do something about it.
Building trust and confidence in the security of cloud computing services remains fundamental to the continued use of cloud services by organisations. What would you suggest is the one thing all companies should do to improve their cloud security?
Understand their threat landscape and be cognisant of its dynamic nature. They also need to recognise the skills and budget they have available and determine whether it is enough. Supply chain is also key – do they understand the RACI of the cloud provider and themselves? What sub-contractors does the cloud provider employ and what is their level of cyber maturity? The recent SolarWinds breach (Securing Supply Chains – what can be learnt from SolarWinds? - Fujitsu UK & Ireland Blog) and the widely reported Target breach demonstrate that we are only as strong as the weakest link in the chain.
This will enable organisations to mandate a clear policy for Cloud Adoption, enabling users to know how to consume cloud and the steps they need to take to keep themselves and the organisation safe. This will need to include points of contact for people to go to where they can seek advice and guidance.
How can the cloud and cyber industry encourage someone considering a career focussed on these technologies?
By promoting recognised and obtainable qualifications within the industry and outlining career paths through recognised industry best practice such as SFIA and NCSC Cyber Certified Professionals. Company directors/boards/senior leaders recognising and investing in cyber security resources and technology.
Social media is widely influential. Industry should make use of these digital channels to share information and insights into what working in cyber and cloud means and what it involves. It’s important not to describe the role in stark terms such as writing white papers, but to bring it to life by referring to it as solving problems, cracking codes, beating the bad guy, doing stuff no one has done before. Again, this is to widen the reach of the industry to those that are curious about cyber but not sure what they bring to it.
Increase awareness of cyber security and cloud across organisations, academia and schools. Teachers often have little or no industry experience, having trained straight from school. IT/computing curriculums in UK schools often lack passion and real-world examples that could spark the interest of a child. Organisations should work with schools and colleges to provide SMEs for computer lessons, who can provide the students with stories that spark interest. More universities working with businesses to provide students with project-based assignments to deliver value to business, and not just in providing a typical technology solution designed by Computer Science students (as I did in my time at university) but including, for example, psychology students considering the human factor aspects of the latest security tooling.