Theo Sweeny’s Interview with Furqan Hashmi on Cloud Security and Compliance
What is the role of you and your senior team in building secure and compliant cloud solutions?
One of our clients is the National Health Service (NHS) UK and our role is to improve their cyber security posture. Utilising a unique model comprising various factors (including a risk-based approach, global cyber threat intelligence, cyber compliance requirements etc.), we conduct an in-depth security assessment, identify gaps and develop a client-specific security strategy and architecture. Prior to the NHS, we also provided cyber consulting and advisory services to the financial services sector.
One of our clients (a large financial services firm) engaged us to perform a security architecture review of their internet-facing trading platform. We have successfully reduced their attack surface by identifying and remediating security design and operational gaps on their internet-facing trading platform.
Additionally, we have successfully developed security architecture for many organisations who have adopted cloud-first and shift-left (secure by design) strategies.
If a business was subjected to a data breach, which in turn became public knowledge, what implications would this have for the business reputation?
Cyber breaches have a significant impact on organisations. Each organisation has a different cyber threat landscape. Due to that, the impact could be much more than financial and reputational damage. Organisations in the public sector can be impacted more because of the critical times we are currently facing due to COVID-19. For example, with some organisations, the impact of a confidentiality and integrity breach might be significant. Availability and resiliency related breaches will have more impact on the Critical Network Infrastructure providers.
What two emerging trends do you see on the horizon that will change the cloud security and compliance landscape?
When it comes to cloud security and compliance, one of the biggest challenges is the skills shortage. There is a mindset that cloud security works the same way as traditional data centre security. I think this is where most of the operational configuration mistakes happen. This introduces additional attack vectors which increase the chances of exploitation further. One of the examples is data exfiltration attacks. Data exfiltration breaches are very common in the cloud environment and the reason is improper operational configuration of tools. So the first (trend) is skillset and the second is operational configuration.
Do you apply dynamic vulnerability management, applying an automatic shield around known vulnerabilities, thereby reducing the necessity of taking down systems for immediate patching?
I have utilised these solutions; we call it virtual patching. What that means is, if there is a zero-day exploit, cyber security vendors release a signature that matches the exploit and those virtual patches can then be deployed. If an organisation does not have the appetite to procure these solutions, that could be a real problem. Currently, all endpoint protection leaders and network security companies are providing virtual patching features and it is wise to have this feature enabled in the production environment.
In the cloud the traditional approach to security and compliance has been to build a layered defence model around the solution. Do you think there are better approaches?
I would say, along with the OWASP Top 10, it’s good to utilise the MITRE ATT&CK or equivalent framework. The MITRE framework provides in-depth technical elaboration of how attacks happen. The MITRE framework tells you of so many methods of exploitation, like your internet-facing applications and platforms. If we merge this information together with cyber threat intelligence, we can better address the threat landscape by developing an advanced security product / service.
The current Coronavirus pandemic is impacting the world, forcing more people to work from their homes than would otherwise be the case. Do you see any risks or opportunities arising for businesses as a result of their remote working workforce?
Most of the organisations are not ready for this scale of remote working, and definitely their tooling security environment isn’t ready for that, and so that’s a threat. This further grows the cyber threat landscape for the businesses. I know the situation is critical and we are not sure how long we are going to be in this situation. My suggestion is to review the effectiveness of existing security controls, get the basics right at least, and try to minimise the attack surface related to remote working.