SAN DIEGO – Hacktivist-type attacks like those involving Sony Pictures Entertainment and Ashley Madison have gotten very personal and are coming at a time when cloud technology is transforming corporate networks, Brad Gow, senior vice president of Endurance Insurance, said during the 2016 RIMS Conference & Exhibition in San Diego.
“This increased attention to cyber exposure in the executive suite is really coming at a time when cloud technology is challenging the whole notion of what a corporate network is,” Gow, moderator for the session, Migrating to the Cloud: Threats and Opportunities for Risk Management, said Monday.
Citing results from a Cisco survey of chief information officers, released earlier this year, he noted that when asked how many cloud services they believe their corporate network was touching, the average was 91. “In actuality, the average corporate network touches 1,220 clouds,” Gow told attendees.
“If your organization is big enough to have a risk management function,” he suggested, “your corporate networks are already touching many clouds.” And a corporate network that “is touching hundreds and hundreds of different clouds increases the attack factor exponentially. It is truly a material concern.”
Some functions done in the cloud – like e-commerce and payments – are generally done with IT’s support and co-ordination. This may not be the case for social media like LinkedIn or Twitter, or free sites like Dropbox or Gmail, he said.
In fact, social media and Fitbit services may be in use on corporate laptops without the IT organization’s involvement, perhaps even without its knowledge; this is known as shadow IT.
Chris Novak, co-founder and director of the Verizon Investigative Response Unit, told session attendees there are private, public and hybrid clouds. “The biggest difference between the private and the public, as the name may suggest, is the public cloud generally is shared. So your systems, your data, whatever it is that you’re putting in the cloud, it’s going to be on the same infrastructure, systems, using the same applications as other people,” Novak explained.
“On the private cloud side of things, essentially it’s dedicated to a specific individual organization,” he said, while the hybrid cloud is a mixture of the two.
“The scariest concern is the shadow IT,” Novak suggested.
Staff – perhaps working on a project and unable to wait for IT – can easily buy cloud computing and cloud storage, he pointed out. “In the meantime, nobody from IT knows that we now have a hundred servers located on the other side of the country with all sorts of sensitive data that we uploaded to it,” Novak said. “So all of a sudden, you have lots of significant concerns around governance risk compliance around that type of data that might live on the system,” he noted.
“What’s really driven the recent demand in the market is not the financially motivated theft of a credit card for exploitation later,” Gow told attendees.
The Sony Pictures and Ashley Madison attacks “are deeply personal, are made to make the target company look bad,” he suggested. In such cases, “perpetrators break into a network, establish a beachhead and do all they possibly can to take the company down,” including deleting databases and their back-ups, and taking online operations offline, he said.
Noting that global boards are under increased scrutiny to control cyber exposures across their whole organizations, Gow reported that such attacks have spurred an “increase in market take-up as well as a huge increase in limits purchased.”
Cloud use is “going to continue to grow,” he said. The investment for cloud technology “is anticipated to be six times higher than the average IT spend in the next five years,” he told attendees.
Cloud use, though, “is something that IT and risk management need to sort out, if only to get the rules of the road together for employees to understand and manage their own provisioning of cloud and the shadow IT,” Gow argued.
“We haven’t really seen a lot of big cloud-based breaches,” Novak said. “Most of what we’ve seen on the cloud side has really been the same breaches we’ve seen of systems anywhere else in our own organizations and across the globe.”
A big piece of that may be that when provisioned in a formal way, “you have some kind of due diligence process that everybody uses to determine whether or not that provider meets their requirements,” he suggested.
Another factor may be “the cost savings that a lot of organizations benefit from allows them to implement additional security components or features in that cloud environment,” Novak added.
“From a risk management perspective, cloud use is neither good nor bad; it’s kind of agnostic,” Gow suggested to attendees. “A good quality, professional cloud can provide a much more secure robust environment than most companies can manage to do themselves. But if your company or your employees are putting corporate data in a bargain-basement cloud,” he cautioned, “they are opening up your organization to considerable problems.”